Tags: c#, google-oauth

How to validate google access token inside of .net backend


Inside my frontend React app I get a token from Google like this, using the @react-oauth/google package:

const googleLogin = useGoogleLogin({
  onSuccess: (response) =>
    requestExternalLogin("google", response.access_token),
  flow: "implicit",
});

token response object example:

access_token: "ya29.a0AX9GBdUordgkAamV_nnKl3NEF6..."
authuser: "0"
expires_in: 3599
hd: "visma.com"
prompt: "none"
scope: "email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
token_type: "Bearer"

I then pass that token to my .net backend and try to validate it like this:


var settings = new GoogleJsonWebSignature.ValidationSettings()
{
    Audience = new List<string>() { _googleConfig.GetSection("clientId").Value }
};

var payload = await GoogleJsonWebSignature.ValidateAsync(googleToken, settings);

but I keep getting an exception that says {"JWT must consist of Header, Payload, and Signature"}

The access token that I get from Google should be a valid JWT that can be used to get information from Google's APIs. Am I missing a step here?


Solution

  • Google access tokens are not JWTs that can be validated in that manner. Try putting it in jwt.io; you will get the same error.

    The only way to validate a Google access token would be to use it with an API call; if it's not valid, Google will return an error.

    You should be able to validate a refresh token though, and possibly an id token.
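An added example (not code from the question or the answer above) of the two paths the answer distinguishes: an ID token is a JWT and is verified locally with GoogleJsonWebSignature, while an access token is opaque and has to be checked against Google, here via the tokeninfo endpoint with an explicit audience check. The GoogleTokenVerifier class, the TokenInfo record and the client ID value are assumed names.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Google.Apis.Auth;

// Added example, not from the original post. Two separate verification paths:
//  1) ID token (a JWT): signature, issuer, expiry and audience are checked locally.
//  2) Access token (opaque, not a JWT): ask Google's tokeninfo endpoint, then
//     confirm the token was issued for OUR client ID before trusting it.
public sealed class GoogleTokenVerifier
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _clientId;   // assumed: this app's OAuth client ID

    public GoogleTokenVerifier(string clientId) => _clientId = clientId;

    // Path 1: ID token. A malformed or forged token throws InvalidJwtException,
    // which is what the question's code hits when given an access token instead.
    public async Task<GoogleJsonWebSignature.Payload> VerifyIdTokenAsync(string idToken)
    {
        var settings = new GoogleJsonWebSignature.ValidationSettings
        {
            Audience = new[] { _clientId }
        };
        return await GoogleJsonWebSignature.ValidateAsync(idToken, settings);
    }

    // Minimal shape of the tokeninfo response; only the fields we check.
    private sealed record TokenInfo(string aud, string email, string expires_in, string scope);

    // Path 2: access token. Google answers with a 4xx for an invalid or expired
    // token. A 200 alone is not enough: without the "aud" check, a valid token
    // issued to a different application would be accepted as a login here.
    public async Task<string> VerifyAccessTokenAsync(string accessToken)
    {
        var url = "https://oauth2.googleapis.com/tokeninfo?access_token=" + Uri.EscapeDataString(accessToken);
        using var resp = await Http.GetAsync(url);
        if (!resp.IsSuccessStatusCode)
            throw new UnauthorizedAccessException("Google rejected the access token");
        var info = await resp.Content.ReadFromJsonAsync<TokenInfo>()
                   ?? throw new UnauthorizedAccessException("Empty tokeninfo response");
        if (info.aud != _clientId)
            throw new UnauthorizedAccessException("Access token was not issued for this client");
        return info.email;  // identity the backend may now associate with the session
    }
}
```

If the frontend can be changed, sending the ID token (the `credential` from Google's sign-in flow) instead of the access token lets the backend use path 1 only, with no network call per login.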