Validate Google Id Token

by

There are a couple of different ways in which you can validate the integrity of the ID token on the server side:

  1. “Manually” – constantly download Google’s public keys, verify signature and then each and every field, including the iss one; the main advantage (albeit a small one in my opinion) I see here is that you can minimize the number of requests sent to Google.
  2. “Automatically” – do a GET on Google’s endpoint to verify this token
    https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}
  3. Using a Google API Client Library – like the official one.

Here’s how the second one could look:

private const string GoogleApiTokenInfoUrl = "https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}";

public ProviderUserDetails GetUserDetails(string providerToken)
{
    var httpClient = new MonitoredHttpClient();
    var requestUri = new Uri(string.Format(GoogleApiTokenInfoUrl, providerToken));

    HttpResponseMessage httpResponseMessage;
    try
    {
        httpResponseMessage = httpClient.GetAsync(requestUri).Result;
    }
    catch (Exception ex)
    {
        return null;
    }

    if (httpResponseMessage.StatusCode != HttpStatusCode.OK)
    {
        return null;
    }

    var response = httpResponseMessage.Content.ReadAsStringAsync().Result;
    var googleApiTokenInfo = JsonConvert.DeserializeObject<GoogleApiTokenInfo>(response);

    if (!SupportedClientsIds.Contains(googleApiTokenInfo.aud))
    {
        Log.WarnFormat("Google API Token Info aud field ({0}) not containing the required client id", googleApiTokenInfo.aud);
        return null;
    }

    return new ProviderUserDetails
    {
        Email = googleApiTokenInfo.email,
        FirstName = googleApiTokenInfo.given_name,
        LastName = googleApiTokenInfo.family_name,
        Locale = googleApiTokenInfo.locale,
        Name = googleApiTokenInfo.name,
        ProviderUserId = googleApiTokenInfo.sub
    };
}

GoogleApiTokenInfo class:

public class GoogleApiTokenInfo
{
/// <summary>
/// The Issuer Identifier for the Issuer of the response. Always https://accounts.google.com or accounts.google.com for Google ID tokens.
/// </summary>
public string iss { get; set; }

/// <summary>
/// Access token hash. Provides validation that the access token is tied to the identity token. If the ID token is issued with an access token in the server flow, this is always
/// included. This can be used as an alternate mechanism to protect against cross-site request forgery attacks, but if you follow Step 1 and Step 3 it is not necessary to verify the 
/// access token.
/// </summary>
public string at_hash { get; set; }

/// <summary>
/// Identifies the audience that this ID token is intended for. It must be one of the OAuth 2.0 client IDs of your application.
/// </summary>
public string aud { get; set; }

/// <summary>
/// An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never
/// changed. Use sub within your application as the unique-identifier key for the user.
/// </summary>
public string sub { get; set; }

/// <summary>
/// True if the user's e-mail address has been verified; otherwise false.
/// </summary>
public string email_verified { get; set; }

/// <summary>
/// The client_id of the authorized presenter. This claim is only needed when the party requesting the ID token is not the same as the audience of the ID token. This may be the
/// case at Google for hybrid apps where a web application and Android app have a different client_id but share the same project.
/// </summary>
public string azp { get; set; }

/// <summary>
/// The user's email address. This may not be unique and is not suitable for use as a primary key. Provided only if your scope included the string "email".
/// </summary>
public string email { get; set; }

/// <summary>
/// The time the ID token was issued, represented in Unix time (integer seconds).
/// </summary>
public string iat { get; set; }

/// <summary>
/// The time the ID token expires, represented in Unix time (integer seconds).
/// </summary>
public string exp { get; set; }

/// <summary>
/// The user's full name, in a displayable form. Might be provided when:
/// The request scope included the string "profile"
/// The ID token is returned from a token refresh
/// When name claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.
/// </summary>
public string name { get; set; }

/// <summary>
/// The URL of the user's profile picture. Might be provided when:
/// The request scope included the string "profile"
/// The ID token is returned from a token refresh
/// When picture claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.
/// </summary>
public string picture { get; set; }

public string given_name { get; set; }

public string family_name { get; set; }

public string locale { get; set; }

public string alg { get; set; }

public string kid { get; set; }
}

More Related Contents:

  1. How Google API V 3.0 .Net library and Google OAuth2 Handling refresh token
  2. How to programmatically remove a file from “share with me” in Google drive
  3. Google.GData.Client.GDataRequestException – Authentication suddenly fails in old code
  4. Get claims from a WebAPI Controller – JWT Token,
  5. How to enable CORS in ASP.net Core WebAPI
  6. Use multiple JWT Bearer Authentication
  7. Configure the authorization server endpoint
  8. .NET Core 2.2 Can’t be Selected In Visual Studio Build Framework
  9. Verifying JWT signed with the RS256 algorithm using public key in C#
  10. IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity
  11. How do I access Configuration in any class in ASP.NET Core?
  12. Render Razor View to string in ASP.NET Core
  13. JsonSerializerSettings and Asp.Net Core
  14. How to seed an Admin user in EF Core 2.1.0?
  15. How to validate signature of JWT from jwks without x5c
  16. ASP.Net Core Content-Disposition attachment/inline
  17. Cannot resolve scoped service from root provider .Net Core 2
  18. Inject service into Action Filter
  19. How to get user Browser name ( user-agent ) in Asp.net Core?
  20. Dependency injection resolving by name
  21. Dependency injection, inject with parameters
  22. How to set json serializer settings in asp.net core 3?
  23. Unable to edit db entries using EFCore, EntityState.Modified: “Database operation expected to affect 1 row(s) but actually affected 0 row(s).”
  24. JSON serialization/deserialization in ASP.Net Core
  25. .NET Core include folder in publish
  26. Customize JSON property name for options in ASP.NET Core
  27. ASP.NET Core – Authorization Using Windows Authentication
  28. Equivalent of UseUrls for .NET Core 3.1/IHostBuilder
  29. Formatting DateTime in ASP.NET Core 3.0 using System.Text.Json
  30. How to renew the access token using the refresh token?

Leave a Comment