Which Key Do We Use When Verifying Google ID Tokens
We're verifying a Google ID Token on ColdFusion servers. We have everything working but one thing puzzles me:
In the instructions here Google says to use their public keys to verify the token. When we retrieve the keys, in the JSON object there are 2 of them. Whether we grab the PEM or the JWT there are 2 keys.
Example JWT:
Example PEM:
How do we know which key to use? Through testing we find that one works and we're able to decode the JWT to validate while the other doesn't. Right now we're having to try both of them to see which one works. Is there something we're missing that indicates which of these keys is the one to use?
The keys are identified by the key Id "kid":
The "kid" (key ID) parameter is used to match a specific key.
In case of the JWK, you see the kid value in the JSON and you can see the same kid values in the first column of the PEM example. Your token has a "kid" claim in the header part. Decode the header to extract the kid.
e.g.:
{
"typ":"JWT",
"alg":"RS256",
"kid":"3dd6ca2a81dc2fea8c3642431e7e296d2d75b446"
}
- Why do I get a "io.jsonwebtoken.ExpiredJwtException"?
- .NET Core 3.1 GoogleSignIn -The authentication handler registered for scheme 'Bearer' is 'JwtBearerHandler' which cannot be used for SignInAsync
- JWT signature verification failing
- IDX10603: The algorithm: 'HS256' requires the SecurityKey.KeySize to be greater than '128' bits. KeySize reported: '32'. Parameter name: key.KeySize
- How can I securize my code-first gRPC endpoints using Azure Authentication?
- AWS Lambda Custom JWT Validation
- Flask JWT Extended missing csrf access token
- Where should I refresh my JWT in SvelteKit
- Token is generated at the endpoint but does not arrive on the page
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- In JWT Authentication in .NET 7, how can a "validated" token be "missing"?
- What to validate 'iat' and 'sub' claims of a JWT against?
- How to use jti claim in a JWT
- Can't import jwt-decode in JavaScript file in React project
- JWT and CSRF differences
- Getting 'secretOrPrivateKey must have a value' error in NestJS JWT authentication
- Google Sheets, JWT client with Service Account
- Angular 17 & dot net Core 8 - Jwt on refresh adding to Audience
- Is "scope" a standard claim?
- Error when trying to Promisify JWT in Typescript
- reactjs call multiple axios posts in one async function
- TS2339: Property 'scope' does not exist on type 'JwtPayload'
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Express and React Token Authentication: req.cookies is empty in application but works in Postman
- Manually calculating JWT signature never outputs the real signature
- Why is lexik-jwt bundle returning an empty token with correct credentials?
- ASP.NET Core Web API with .NET Maui
- Why do we need to load user details from the DB for each request in JWT authentication with Spring Security?
- More accurate JWT token regex in JavaScript