You need to validate all ID tokens on your server unless you know that they came directly from Google. For example, your server must verify as authentic any ID tokens it receives from your client apps.
We do not currently have support for token validation
I found a rather old GitHub project on how to achieve this. gplus-verifytoken-csharp.
How is this coming along? any progress? or an alternative until this is done for .net 4.6?
I am not really sure if this has even made the list yet
has it @chrisdunelm
This is on a TODO list ;)
But it won't be done until after the fairly major refactoring/retargetting in #977.
I did a own Implementation using the microsoft nuget for jwt. See the gist: https://gist.github.com/twaldecker/da0594baeef0e15466c68112ae375988
It appears according to the comments here and at #1026 that id_token validation has been implemented in dotnet. Is there any example or documentation on how to do it? It is not so clear to me how to make use fo the code checked in to fix #1026. Any help would be much appreciated.
Have you had a look at the tests 7n the pull request you linked?
@mikecg Once you have a string containing the id_token (an id_token is a JWT), pass that string into GoogleJsonWebSignature.ValidateAsync. ValidateAsnyc will throw an InvalidJwtException if this is not a valid Google-signed JWT.
See https://github.com/google/google-api-dotnet-client/blob/master/Src/Support/IntegrationTests/GoogleJsonWebSignatureTests.cs#L84 for an example of this in an integration test.
Thank you, I figured it all out. Appreciate the help!
GoogleJsonWebSignature.ValidateAsync should support validating the aud: field in the token.
The validation thats going on now is signature and clock. Suggest passing in the aud: to validate.
This is useful if an app receives a googleID token...the audience field needs to match the service name. Apart from manually creating an idtoken with the aud: field set, services like cloud Tasks and Cloud Scheduler automatically can emit an idtoken for a given audience.
Most helpful comment
@mikecg Once you have a string containing the id_token (an id_token is a JWT), pass that string into
GoogleJsonWebSignature.ValidateAsync.ValidateAsnycwill throw anInvalidJwtExceptionif this is not a valid Google-signed JWT.See https://github.com/google/google-api-dotnet-client/blob/master/Src/Support/IntegrationTests/GoogleJsonWebSignatureTests.cs#L84 for an example of this in an integration test.