Google OpenID Connect: How to verify id_token?
I am creating a backend server that gets the ID Token from a mobile application (iOS). How can I verify that this token is OK and can be used securely?

Official Google's documentation about validating token:

https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken

It recommends verifying the ID Token locally, without sending a verification request to Google. Is it OK to check some fields from the ID Token locally, as in the documentation, or should I also send a request to Google to verify the token?

Google's documentation mentions debugging and verifying the ID Token with:

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

But it doesn't recommend using it in production. I also thought about using an Access Token along with the ID Token and verifying the Access Token first with:

https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=

But does it make the whole process of validating the client's credentials (mobile app, web app) more secure?

Criticism answered 4/1, 2017 at 10:28 Comment(1)
Possible duplicate of Validate Google Id Token – Judijudicable
First let me start by saying I don't work for Google. However, I have been developing with Google Oauth2 since 2012. A while back I asked a Googler just this question.

His recommendation was: if you have a refresh token, just request a new access token. If it's bad the server will return an error. If you have an access token, send a request; if it's bad the server will return an error.

There isn't really much point in validating it first; you're just sending two requests to the server for every request you make. All you will be doing is preventing errors on a small percentage of the requests you are making in the long run.

I have never bothered with the id token. The id token is a JWT, so you should be able to open it, I think.

update

You should consult Verify the integrity of the id token.

You can also do some checking on your own. The id token is a JWT; if you decrypt it, or call the tokeninfo endpoint, you get:

{
  "iss": "https://accounts.google.com",
  "azp": "407408718192.apps.googleusercontent.com",
  "aud": "407408718192.apps.googleusercontent.com",
  "sub": "11720055326",
  "at_hash": "HQVaIRLqmsjaTt8KoOIQ",
  "name": "Linda Lawton",
  "picture": "https://lh3.googleusercontent.com/a-/AAuE7mDuIWqXzrrp-65cIhXSD2HjCI8WYsWHR0fDx5_wQPY=s96-c",
  "given_name": "Linda",
  "family_name": "Lawton",
  "locale": "en",
  "iat": 1567751,
  "exp": 1567755
}
  • iss should be https://accounts.google.com
  • aud will be the client id of your app 7408718192.apps.googleusercontent.com
  • at_hash: there may also be some way to validate against this, but I haven't bothered
Patellate answered 4/1, 2017 at 10:56 Comment(7)
Thanks for the answer, but it's not exactly what I need. Using an access token is quite a clear case: I send the access_token to get some data and on every request Google validates my access_token. But when I get an ID Token I don't have to send any request to Google, because I have all the details there. However, I'm sure that your answer will help other visitors of this question. – Criticism
Maybe I haven't understood your question. Google is recommending that you check the token locally to ensure that it's valid. Why wouldn't you follow their recommendations? My point is that checking the access token and tokeninfo are just going to put extra load that you probably don't need. – Patellate
Yeah, you are right about checking the JWT token locally; what's more, I think that is the concept of JWT tokens: to limit additional requests (to providers or databases). However, I was wondering if it is safe to process an ID Token sent via an "open" API with an HTTPS POST request to the backend. – Criticism
I am not the person to ask about HTTPS security, as I don't know enough about it. Not sure I would classify it as an "open" connection. – Patellate
I think it's the right answer. I think the validation of the JWT token fields like aud is important and makes using JWT tokens more secure. So don't ignore these types of fields. – Criticism
You only get the token Id back if you request openId as a scope, which pops up something like "access to know who you are on Google". Most of my customers balk at additional scopes. – Patellate
So how do you verify an id_token? Do you need a public key to verify such a token? If yes, where do you get it from? – Baksheesh
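The local check described in the answer's update, and the public key the last comment asks about, carried through as an added example in Go (not code from the question, the answer or Google's own libraries). The signature is verified with the issuer's RSA public key, which in production is the key from Google's published JWKS (the jwks_uri in its discovery document) whose kid matches the token header; only then are iss, aud and exp compared. VerifyIDToken, Claims and the clientID parameter are assumed names.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type Claims struct { // the id_token fields checked below: iss, aud and exp from the answer
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// VerifyIDToken validates an id_token without calling Google: the RS256 signature is checked
// against the issuer's public key (in production, the JWKS key whose kid matches the token
// header) before any claim is trusted, then iss, aud and exp. The alg header is deliberately
// ignored: the verifier fixes RS256, so a forged "alg":"none" token just fails the RSA check.
func VerifyIDToken(token string, pub *rsa.PublicKey, clientID string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signed input is header.payload
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com":
		return nil, errors.New("wrong issuer") // Google documents both spellings
	case c.Aud != clientID:
		return nil, errors.New("wrong audience") // a token minted for another app is rejected
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {}
```

The tokeninfo endpoint is never contacted; the only network dependency in production is fetching and caching the JWKS.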
