
We're implementing "Sign in with Google" into an MVC5 application according to the latest documentation, which is quite different from and more straightforward than most of the examples we've seen on the web.

Part of the process is to "Verify the Google ID token on your server side" as described on this page: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token

We're told here that "Rather than writing your own code to perform these verification steps, we strongly recommend using a Google API client library for your platform", which is fair enough, but

a) there's no code sample for .NET on that page, b) the project documentation doesn't seem to relate to Sign in with Google in any way, c) if you actually look at the GitHub for the .NET client library here: https://github.com/googleapis/google-api-dotnet-client it says "This client library is supported but in maintenance mode only" which makes me wonder whether we're even meant to be using it.

Can anybody please give us some guidance on whether we're supposed to be using that library, or coding our solution manually, or using a third party JWT library of some kind?

Thanks for reading!

centralscru
  • I ran into the same issue as you and decided to just use the `Google.Apis.Auth` package for this: https://www.nuget.org/packages/Google.Apis.Auth/ (`await GoogleJsonWebSignature.ValidateAsync(idToken);`), which is a part of the `google-api-dotnet-client`. I think it's still the recommended way. – nbokmans Nov 04 '21 at 12:50
  • Thanks, glad it's not just us! – centralscru Nov 04 '21 at 14:03

2 Answers


I hope this URL will help you: https://googleapis.dev/dotnet/Google.Apis.Auth/latest/api/Google.Apis.Auth.GoogleJsonWebSignature.html

using Google.Apis.Auth;
using System.Threading.Tasks;

// Checks the ID token's signature (against Google's public keys), issuer and expiry,
// and returns the decoded claims; throws InvalidJwtException if any check fails.
public static async Task<GoogleJsonWebSignature.Payload> ValidateIdTokenAsync(string idToken)
{
    GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(idToken);
    return payload;
}

This is a small example on how to validate your token.

D A
  • Thanks, that does help - but isn't there supposed to be more to the validation (eg validating the csrf token, and " Use Google's public keys (available in JWK or PEM format) to verify the token's signature. These keys are regularly rotated; examine the Cache-Control header in the response to determine when you should retrieve them again."? Maybe the validate method does the latter automatically, and we just need to code up the csrf check manually? – centralscru Nov 04 '21 at 14:02
  • Doesn't work anymore for validating the access_token you get from their latest Google Identity Service (GIS) library anymore. – Jay Mar 22 '22 at 12:17
  • @Jay This is for use with the Google APIs .NET client library; it will only work with this library. Please open a new question with your code and I will have a look. Make sure to post your code and your error. Google APIs is not Google Identity; these are two different things. – Linda Lawton - DaImTo Mar 22 '22 at 12:52
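As an added example (not code from either answer or from Google's library docs), here is how the two pieces raised in the comment above fit together in an MVC5 login endpoint: the double-submit g_csrf_token check from the Sign in with Google docs, followed by ValidateAsync with an explicit expected audience so the library also checks the aud claim rather than only the signature, issuer and expiry. The controller and action names and the client ID value are assumed placeholders.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Google.Apis.Auth;

// MVC5 endpoint that Sign in with Google posts the credential to (the login_uri).
public class GoogleSignInController : Controller
{
    // Placeholder for this web application's OAuth client ID (assumed, not a real value).
    private const string ClientId = "YOUR_CLIENT_ID.apps.googleusercontent.com";

    [HttpPost]
    public async Task<ActionResult> Callback(string credential, string g_csrf_token)
    {
        // 1. Double-submit CSRF check: the g_csrf_token cookie set by the Google client
        //    library must be present and equal to the g_csrf_token form field.
        HttpCookie csrfCookie = Request.Cookies["g_csrf_token"];
        if (csrfCookie == null || string.IsNullOrEmpty(g_csrf_token) || csrfCookie.Value != g_csrf_token)
        {
            return new HttpStatusCodeResult(400, "CSRF token missing or mismatched.");
        }
        // 2. Signature, issuer and expiry are checked by the library against Google's
        //    current public keys, which it fetches and caches itself. The audience is
        //    only checked if we say which client ID we expect, so always set it.
        var settings = new GoogleJsonWebSignature.ValidationSettings
        {
            Audience = new[] { ClientId }
        };
        GoogleJsonWebSignature.Payload payload;
        try
        {
            payload = await GoogleJsonWebSignature.ValidateAsync(credential, settings);
        }
        catch (InvalidJwtException ex)
        {
            // ex.Message says why (bad signature, wrong audience, expired, ...).
            return new HttpStatusCodeResult(401, "Invalid ID token: " + ex.Message);
        }
        // 3. Only trust the e-mail once Google says it is verified, and key the local
        //    account on the stable 'sub' claim rather than the e-mail address.
        if (!payload.EmailVerified)
        {
            return new HttpStatusCodeResult(403, "E-mail address not verified by Google.");
        }
        string googleUserId = payload.Subject;
        // Sign in or create the local account for googleUserId here (application-specific).
        return RedirectToAction("Index", "Home");
    }
}
```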

I think this is what you are looking for.

Retrieving the user identity

using Google.Apis.Auth;
using System;
using System.Threading;
using System.Threading.Tasks;

public class IAPTokenVerification
{
    /// <summary>
    /// Verifies a signed jwt token and returns its payload.
    /// </summary>
    /// <param name="signedJwt">The token to verify.</param>
    /// <param name="expectedAudience">The audience that the token should be meant for.
    /// Validation will fail if that's not the case.</param>
    /// <param name="cancellationToken">The cancellation token to propagate cancellation requests.</param>
    /// <returns>A task that when completed will have as its result the payload of the verified token.</returns>
    /// <exception cref="InvalidJwtException">If verification failed. The message of the exception will contain
    /// information as to why the token failed.</exception>
    public async Task<JsonWebSignature.Payload> VerifyTokenAsync(
        string signedJwt, string expectedAudience, CancellationToken cancellationToken = default)
    {
        SignedTokenVerificationOptions options = new SignedTokenVerificationOptions
        {
            // Use clock tolerance to account for possible clock differences
            // between the issuer and the verifier.
            IssuedAtClockTolerance = TimeSpan.FromMinutes(1),
            ExpiryClockTolerance = TimeSpan.FromMinutes(1),
            TrustedAudiences = { expectedAudience }
        };

        return await JsonWebSignature.VerifySignedTokenAsync(signedJwt, options, cancellationToken: cancellationToken);
    }
}

The library is in maintenance mode because it has been deemed stable / done by Google. They will only be making changes to it if they find critical issues.

Linda Lawton - DaImTo
  • Didn't work for me. I'm currently trying to migrate to the new GIS library, using google.accounts.oauth2.initTokenClient() and gisClient.requestAccessToken(). The access token that I get back is much shorter than the one the previous library gave me. JWT token debuggers tell me it's not a valid token. Unsurprisingly, validating through either GoogleJsonWebSignature.ValidateAsync() or JsonWebSignature.VerifySignedTokenAsync() fails, saying "JWT must consist of Header, Payload, and Signature". Having a hard time finding the solution here. – Jay Mar 22 '22 at 12:40
  • @Jay This is for use with the Google APIs .NET client library; it will only work with this library. Please open a new question with your code and I will have a look. Make sure to post your code and your error. Google APIs is not Google Identity; these are two different things. – Linda Lawton - DaImTo Mar 22 '22 at 12:55
  • Thanks for the quick feedback. I have opened my own question on this. If you could help me out, I would be grateful. https://stackoverflow.com/questions/71572512/how-to-validate-google-identity-service-gis-access-token-on-server-side-in-c-s – Jay Mar 22 '22 at 13:02