Brandon Olivier

Reputation: 578

How to validate Google OAuth JWT

I'm trying to validate a Google JWT I got from the client, but most of the information I can find online is lacking.

For instance, this post on Stack Overflow:

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken the recommended approach:

"we recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.

Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."

It isn't clear to me what I'm supposed to do to validate this JWT. Most of the information I can find about how to verify the signature says to use the x5c key from the JWKS, but Google's page, found through the discovery doc, excludes that key.

Upvotes: 2

Views: 464

Answers (1)

identigral

Reputation: 3949

Validation of a JWT is covered in the spec (RFC 7519, section 7.2). One of the steps is validation of the signature; that is covered in the JSON Web Signature (JWS) spec (RFC 7515, section 5.2). Specifications are the law, but to apply the law you should understand how most applications do it or should do it. That is covered in JWT - Best Current Practices (JWT BCP; draft 06).

You can read all of that and try to implement it on your own or you can use one of the client libraries Google provides for you where all of this is, well, also done for you.

Upvotes: 1
