Google JWT Authentication with AspNet Core 2.0

by

Posting my ultimate approach for posterity.

As Tratcher pointed out, the AddGoogle middleware is not actually for a JWT authentication flow. After doing more research, I realized that what I ultimately wanted is what is described here:
https://developers.google.com/identity/sign-in/web/backend-auth

So my next problems were

  1. I could not rely on the standard dotnet core Jwt auth middleware anymore since I need to delegate the google token validation to google libraries
  2. There was no C# google validator listed as one of the external client libraries on that page.

After more digging, I found this that JWT validation support was added to C# here using this class and method:
Google.Apis.Auth.Task<GoogleJsonWebSignature.Payload> ValidateAsync(string jwt, GoogleJsonWebSignature.ValidationSettings validationSettings)

Next I needed to figure out how to replace the built in JWT validation. From this SO questions I came up with an approach:
ASP.NET Core JWT Bearer Token Custom Validation

Here is my custom GoogleTokenValidator:

public class GoogleTokenValidator : ISecurityTokenValidator
{
    private readonly JwtSecurityTokenHandler _tokenHandler;

    public GoogleTokenValidator()
    {
        _tokenHandler = new JwtSecurityTokenHandler();
    }

    public bool CanValidateToken => true;

    public int MaximumTokenSizeInBytes { get; set; } = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;

    public bool CanReadToken(string securityToken)
    {
        return _tokenHandler.CanReadToken(securityToken);
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        validatedToken = null;
        var payload = GoogleJsonWebSignature.ValidateAsync(securityToken, new GoogleJsonWebSignature.ValidationSettings()).Result; // here is where I delegate to Google to validate

        var claims = new List<Claim>
                {
                    new Claim(ClaimTypes.NameIdentifier, payload.Name),
                    new Claim(ClaimTypes.Name, payload.Name),
                    new Claim(JwtRegisteredClaimNames.FamilyName, payload.FamilyName),
                    new Claim(JwtRegisteredClaimNames.GivenName, payload.GivenName),
                    new Claim(JwtRegisteredClaimNames.Email, payload.Email),
                    new Claim(JwtRegisteredClaimNames.Sub, payload.Subject),
                    new Claim(JwtRegisteredClaimNames.Iss, payload.Issuer),
                };

        try
        {
            var principle = new ClaimsPrincipal();
            principle.AddIdentity(new ClaimsIdentity(claims, AuthenticationTypes.Password));
            return principle;
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
            throw;

        }
    }
}

And in Startup.cs, I also needed to clear out the default JWT validation, and add my custom one:

services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

            })
            .AddJwtBearer(o =>
                {
                    o.SecurityTokenValidators.Clear();
                    o.SecurityTokenValidators.Add(new GoogleTokenValidator());
                }

Maybe there is an easier way, but this is where I landed and it seems to work fine! There was additional work I did that I left out of here for simplicity, for example, checking if there is already a user in my user’s DB that matches the claims provided by google, so I apologize if the code above does not 100% work since I may have removed something inadvertently.

More Related Contents:

  1. AddDbContext or AddDbContextPool
  2. How to set redirect_uri protocol to HTTPS in Azure Web Apps
  3. Store / Retrieve ConnectionString from appSettings.json in ASP.net Core 2 MVC app
  4. where to download the dotnet-dev-win-x86.1.0.0-preview 2-1-003180
  5. How to run stored procedures in Entity Framework Core?
  6. CORS issue while making an Ajax request for oauth2 access token
  7. Where are the Login and Register pages in an AspNet Core scaffolded app?
  8. Why do access tokens expire?
  9. Entity Framework Core service default lifetime
  10. why remove-migration run my app?
  11. How to identify a Google OAuth2 user?
  12. Using Postman to access OAuth 2.0 Google APIs
  13. OAuth2 and Google API: access token expiration time?
  14. Unable to create migrations after upgrading to ASP.NET Core 2.0
  15. Cannot resolve scoped service from root provider .Net Core 2
  16. OData Support in ASP.net core
  17. .NET Core vs ASP.NET Core
  18. Get Current User in a Blazor component
  19. .Net Core on Raspberry Pi 4 with Raspbian?
  20. Identity in ASP.Net Core 2.1< - Customize AccountController
  21. How to correctly get dependent scoped services from ISecurityTokenValidator
  22. Tag helper not being processed in ASP.NET Core 2
  23. client secret in OAuth 2.0
  24. How to publish environment specific appsettings in .Net core app?
  25. Configure cors to allow all subdomains using ASP.NET Core (Asp.net 5, MVC6, VNext)
  26. Read request body twice
  27. Validate Google Id Token
  28. OAuth 2.0 with Google Analytics API v3
  29. How to inject a reference to a specific IHostedService implementation?
  30. Sharing Cookies Between Two ASP.NET Core Applications

Leave a Comment