Seemant

Reputation: 31

Purpose of "client_x509_cert_url" field in JSON file generated by Google Oauth 2.0 Provider

When we create a new "Client ID" on Google developers console and select the Application Type as "Web", we get the option to download a JSON file that includes a lot of key-value pairs. This JSON file is for the consumption of the Open-ID web client during the setup phase.

One of the key value pairs I see is "client_x509_cert_url: https://www.googleapis.com/robo/v1/metadata/x509/......".

When I copy and paste the above URL into a browser I see an empty JSON response {}. I suppose the intent here is to let an OpenID Connect client populate the public cert of a public-private RSA key pair for signing and encrypting JWT request objects. But I do not see any documentation on how to upload a client certificate in the Google developers console.

Is this because Google does not support JWT request objects yet?

Upvotes: 3

Views: 7149

Answers (1)

liuhongbo

Reputation: 2141

client_x509_cert_url is the URL of the public x509 certificate, used to verify JWTs signed by the client.

I think a web application uses the OAuth 2.0 authorization code flow, which does not need to sign the JWT; actually, it does not use the JWT at all.

But if you create a service account (https://developers.google.com/identity/protocols/OAuth2ServiceAccount), the downloaded JSON file will include a client_x509_cert_url, and that URL does work and will display the public key of the certificate.

That's because the service account uses the OAuth 2.0 JWT Bearer Token flow, in which the client has to use a private key to sign.

Upvotes: 1
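The signing and verification the answer describes, as an added example that is not part of the original question or answer and is not Google's code: a client signs an RS256 JWT with its private key, and a verifier selects the certificate by key ID from a `{kid => PEM certificate}` map, which is the shape assumed here for the body served at the cert URL. The helpers `issue` and `verify`, the key ID `key-1`, the claims and the self-signed certificate are all constructed for illustration.

```ruby
require 'openssl'
require 'json'

def b64u(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def unb64u(text)
  (text.tr('-_', '+/') + '=' * (-text.length % 4)).unpack1('m')
end

# Constructed client side: new key pair, self-signed certificate published as
# {kid => PEM} (assumed shape of the cert URL body), and a JWT naming that kid.
def issue(kid)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=sa.example.invalid')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  header = { alg: 'RS256', typ: 'JWT', kid: kid }.to_json
  claims = { iss: 'sa@example.invalid' }.to_json
  input = "#{b64u(header)}.#{b64u(claims)}"
  jwt = "#{input}.#{b64u(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  [jwt, { kid => cert.to_pem }.to_json]
end

# Verifying side: pin the algorithm, choose the certificate by kid, check the signature.
def verify(jwt, certs_json)
  parts = jwt.split('.', -1)
  return :malformed unless parts.length == 3
  head, claims, sig = parts
  hdr = JSON.parse(unb64u(head))
  return :bad_alg unless hdr.is_a?(Hash) && hdr['alg'] == 'RS256'
  pem = JSON.parse(certs_json)[hdr['kid']]
  return :unknown_kid unless pem
  pub = OpenSSL::X509::Certificate.new(pem).public_key
  ok = pub.verify(OpenSSL::Digest.new('SHA256'), unb64u(sig), "#{head}.#{claims}")
  ok ? :ok : :bad_signature
rescue JSON::ParserError, TypeError, OpenSSL::OpenSSLError
  :malformed
end
```

An empty `{}` map, like the response the question reports for a web client ID, gives `verify` no certificate for any key ID, so every assertion is rejected as `:unknown_kid`.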
