We're implementing "Sign in with Google" into an MVC5 application according the latest documentation, which is quite different and more straightforward than most of the examples we've seen on the web.
Part of the process is to "Verify the Google ID token on your server side" as described on this page: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
We're told here that "Rather than writing your own code to perform these verification steps, we strongly recommend using a Google API client library for your platform", which is fair enough, but
a) there's no code sample for .net on that page, b) the project documentation doesn't seem to relate to Sign in with Google in any way c) if you actually look at the github for the .net client library here: https://github.com/googleapis/google-api-dotnet-client it says "This client library is supported but in maintenance mode only" which makes me wonder whether we're even meant to be using it.
Can anybody please give us some guidance on whether we're supposed to be using that library, or coding our solution manually, or using a third party JWT library of some kind?
Thanks for reading!
CodePudding user response:
I think this is what you are looking for.
using Google.Apis.Auth;
using System;
using System.Threading;
using System.Threading.Tasks;
public class IAPTokenVerification
{
/// <summary>
/// Verifies a signed jwt token and returns its payload.
/// </summary>
/// <param name="signedJwt">The token to verify.</param>
/// <param name="expectedAudience">The audience that the token should be meant for.
/// Validation will fail if that's not the case.</param>
/// <param name="cancellationToken">The cancellation token to propagate cancellation requests.</param>
/// <returns>A task that when completed will have as its result the payload of the verified token.</returns>
/// <exception cref="InvalidJwtException">If verification failed. The message of the exception will contain
/// information as to why the token failed.</exception>
public async Task<JsonWebSignature.Payload> VerifyTokenAsync(
string signedJwt, string expectedAudience, CancellationToken cancellationToken = default)
{
SignedTokenVerificationOptions options = new SignedTokenVerificationOptions
{
// Use clock tolerance to account for possible clock differences
// between the issuer and the verifier.
IssuedAtClockTolerance = TimeSpan.FromMinutes(1),
ExpiryClockTolerance = TimeSpan.FromMinutes(1),
TrustedAudiences = { expectedAudience }
};
return await JsonWebSignature.VerifySignedTokenAsync(signedJwt, options, cancellationToken: cancellationToken);
}
}
The library is in maintenance mode because it has been deemed stable / done by Google. They will only be making changes to it if they find critical issues.
CodePudding user response:
I hope this Url will help u: https://googleapis.dev/dotnet/Google.Apis.Auth/latest/api/Google.Apis.Auth.GoogleJsonWebSignature.html
using Google.Apis.Auth;
using Google.Apis.Auth.OAuth2;
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(Token);
This is a small example on how to validate your token.