What does the Google public key endpoint return?

4

10

I am working with OpenID Connect in my application. I got the JWT token correctly from Google and I need to validate it using its signature. To achieve this I need the public key; Google provides a URL which contains all its public certificates.

https://www.googleapis.com/oauth2/v3/certs

but it returns this:

{
 "keys": [
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "f86c80f329b3ac69232463382fc1644167211d23",
   "n": "wItpB2JpNKNgBM-xjgFbMGLYySu0SvaSA8Ag_MpqWrlWOvWvd3JQFrNKdw1nCGrGSczP6FdCRptogSEO51UB3n1h2quH-YW3NPGt0JGqXdRARJ1I1cOVq3dvrPaZhtDcEQCBAdqEmix_ngQM5vD1t8J22JO_v_JzJlTkzfYu5dPeSoXZymtgGeofdu38L1y-FlFqD09p6IP6Fxza22cv3ST3Dsw3eQ1yzGi5YuO0scTpds0jqPAslddclo22zapqB1_6qplwunpT3qAuObYR5Xn3gPseyQiwDtIk7MpEkb_AA_r4bpUGIh9-1SX3ev8urVZJ1Sg1Y_Rr-u7oQO9pdQ",
   "e": "AQAB"
  },

What does this mean? Where is the public key or the certificate here?

Thanks for your help!

Jaquith answered 2/7, 2015 at 11:27 Comment(0)
15

This looks like a JSON Web Key Set containing a description for an RSA public signing key. Parameters e and n for such keys are in turn described in JSON Web Algorithms.

Ku answered 2/7, 2015 at 12:20 Comment(0)
9

In addition to Pieter's answer, you can find the PEM X.509 certificate representation of those RSA keys here: https://www.googleapis.com/oauth2/v1/certs

Ehtelehud answered 3/7, 2015 at 9:22 Comment(0)
1

Using this output, you can build a public key which can be used for verifying the JWT. Below is the link:

https://mcmap.net/q/1176680/-how-to-get-public-key-from-apple-public-key-json-response-in-java

Here, the public key is built using the n and e properties. You can then use a library such as JJWT to verify the JWT using this public key.

Alic answered 27/2, 2022 at 16:29 Comment(0)
0

You can use the jose library to convert that to a key and verify the signature later: https://github.com/panva/jose

import * as jose from 'jose'

// Import the JWK (kty, e, n) as a public key object
const publicKey = await jose.importJWK({
  kty: 'RSA',
  e: 'AQAB',
  n: '12oBZRhCiZFJLcPg59LkZZ9mdhSMTKAQZYq32k_ti5SBB6jerkh-WzOMAO664r_qyLkqHUSp3u5SbXtseZEpN3XPWGKSxjsy-1JyEFTdLSYe6f9gfrmxkUF_7DTpq0gn6rntP05g2-wFW50YO7mosfdslfrTJYWHFhJALabAeYirYD7-9kqq9ebfFMF4sRRELbv9oi36As6Q9B3Qb5_C1rAzqfao_PCsf9EPsTZsVVVkA5qoIAr47lo1ipfiBPxUCCNSdvkmDTYgvvRm6ZoMjFbvOtgyts55fXKdMWv7I9HMD5HwE9uW839PWA514qhbcIsXEYSFMPMV6fnlsiZvQQ'
}, 'PS256')

Then, when you have the publicKey:

const jwt = 'eyJhbGciOiJFUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjA0MzE1MDc0LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.hx1nOfAT5LlXuzu8O-bhjXBGpklWDt2EsHw7-MDn49NrnwvVsstNhEnkW2ddauB7eSikFtUNeumLpFI9CWDBsg'

const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience'
})

console.log(protectedHeader)
console.log(payload)

Note that the values in this example are explanatory; they are not the actual values, and you need to change the algorithm from PS256 to RS256.

Spavined answered 1/6, 2022 at 5:26 Comment(0)
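
As an added example, not part of any answer above and not Google's or any library's own code: building the RSA public key from a JWK's n and e with Node's built-in crypto module, selecting the key by kid, and verifying an RS256 signature. The key pair, the kid demo-key-1 and the token are constructed locally so it runs offline; all function names are hypothetical.

```javascript
// Added example: constructed keys and token, Node.js built-in crypto only.
const nodeCrypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed stand-in for the endpoint's response: one locally generated RSA key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), alg: 'RS256', use: 'sig', kid: 'demo-key-1' }] };

// Constructed RS256 token signed with the matching private key (fixture only).
function signDemoJwt(claims, kid) {
  const input = b64u(JSON.stringify({ alg: 'RS256', kid })) + '.' + b64u(JSON.stringify(claims));
  return input + '.' + nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
}

// Rebuild a key object from the JWK's n (modulus) and e (exponent), both base64url integers.
function jwkToKey(jwk) {
  return nodeCrypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
}

// The same key as PEM (SubjectPublicKeyInfo), for libraries that expect PEM input.
function jwkToPem(jwk) {
  return jwkToKey(jwk).export({ type: 'spki', format: 'pem' });
}

// Verify a compact JWT's signature against a JWK Set; returns the payload or throws.
function verifyRs256(jwt, keySet) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  // Pin the algorithm; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // The set holds several keys; pick the one the header names by kid.
  const jwk = keySet.keys.find((k) => k.kid === header.kid && k.kty === 'RSA' && k.use === 'sig');
  if (!jwk) throw new Error('no matching key');
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  const ok = nodeCrypto.verify('RSA-SHA256', signed, jwkToKey(jwk), Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
}
```

This checks the signature only; the iss, aud and exp claims in the returned payload still have to be validated before the token is trusted.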
