c# - Understanding the JWT token for Google OAuth2


ETA 2:

I was able to figure this out using publicly-available documentation, my SO's extensive knowledge of cryptography, and a convenient code example on MSDN that handled the most important part of the OAuth2 implementation: verifying the integrity of the signed JWT.

I detailed it in a three-part series on my blog.

The critical component is verifying the integrity of the JWT response from the OAuth2 provider. Many devs fail to implement this due to a poor understanding of cryptographic functions, which is why the public documentation of various providers (including Google) recommends using a pre-existing library to handle authentication.

The problem is that DotNetOpenAuth hasn't been updated in years, and I don't recommend using an aging library for authentication, since there's no telling what security holes may remain unpatched.

The verification component in C# makes use of RSAPKCS1SignatureDeformatter.VerifySignature, and the sample code in the MSDN article on that method is pretty much verbatim what you need to use to ensure the signed JWT is valid and has not been intercepted by a malicious third party.

ETA:

I am posting this on Stack Overflow due to the fact that Google directs users to Stack Overflow, using the google-oauth2 tag, for questions, help, and support regarding Google's OAuth2 API. The migration to Stack Overflow for Google OAuth2 support was implemented in March 2013, as seen in this announcement:

https://groups.google.com/forum/#!forum/oauth2-dev

Scenario:

New ASP.NET C# application with third-party user signon. I'm first implementing Google OAuth2 and will then move on to other services (Facebook, generic OpenID, etc.). I know there are existing libraries for C#, but I'd like to avoid using third-party libraries if possible.

After a long time reading the OAuth2 documentation from Google and figuring out the JWT spec, I've gotten pretty far. However, I'm trying to make sure I understand the third segment of the base64-encoded JWT returned by Google once the user has allowed my application to use their account.

The first two segments are base64-encoded plaintext. I got that much; they are easy to decode and parse with JavaScriptSerializer. I'm stuck on the third segment, which I understand needs to be used to verify that the Google JWT is valid and untouched by malicious code.

I've been trying to use OpenSSL to decode the binary base64-decoded segment before going to C# to write the code for the application, but I'm unable to decode or verify the content with Google's public certificate.

Is there any decent documentation on C# and Google authentication? I can only find examples using DotNetOpenAuth or other libraries.

If you have a Pluralsight account, there is an excellent course by Dominick Baier that has a section which covers this (in the "JWT Structure and Format" section). They have a 10 day free trial you can use if you want.

The first two segments are base64-encoded plaintext. I got that much; they are easy to decode and parse with JavaScriptSerializer. I'm stuck on the third segment, which I understand needs to be used to verify that the Google JWT is valid and untouched by malicious code.

According to Dominick, for the third segment you base-64 encode the first two segments, concatenate them with a period character, and run the result through the signature algorithm specified in the alg element of the header (which is in the first segment). Base-64 that result and you have the third segment, separated by a period.

But I should point out that Google says in its main documentation:

The mechanics of this interaction require applications to create and cryptographically sign JSON Web Tokens (JWTs). Developers are encouraged to use a library to perform these tasks. Writing code without the use of a library that abstracts token creation and signing is prone to errors that can have a severe impact on the security of your application.

Since DotNetOpenAuth is there already, that is the best way to go. If you are looking for a Google OAuth2 implementation ready to use with DotNetOpenAuth, you can try mine. It's had several thousand downloads on NuGet already, so you're not alone.

In regards to DNOA not being maintained, I believe you are referring to Andrew Arnott's decision to step down as lead developer. That is true, and I wish him well. It doesn't mean DNOA isn't supported or maintained at all. It means it is supported by the community, rather than by an individual or company. You should be able to continue to get support here on Stack Overflow, or on the DNOA Google group.
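The procedure the answer describes, as a self-contained C# illustration added here (it is not the question's, the answer's, or any library's code): `Sign` exists only so that `Verify` has a token to check, a throwaway RSACryptoServiceProvider key stands in for Google's public certificate, and the header and payload JSON are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added illustration, not from the question, the answer or any library; a local key stands in for Google's certificate.
public static class JwtRs256Demo
{
    // JWT segments use base64url: '-' and '_' instead of '+' and '/', and no '=' padding.
    static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Base64UrlDecode(string s)
    {
        string padded = s.Replace('-', '+').Replace('_', '/');
        padded += new string('=', (4 - padded.Length % 4) % 4);
        return Convert.FromBase64String(padded);
    }
    // Builds header.payload.signature with RS256 (RSA PKCS#1 v1.5 over SHA-256): sign the period-joined first two segments.
    public static string Sign(string headerJson, string payloadJson, RSA privateKey)
    {
        string signingInput = Base64UrlEncode(Encoding.UTF8.GetBytes(headerJson)) + "." +
                              Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(signingInput),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + Base64UrlEncode(sig);
    }
    // Checks the third segment against the first two with RSAPKCS1SignatureDeformatter; false on any structural or signature fault.
    public static bool Verify(string jwt, RSA publicKey)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        byte[] hash;
        using (var sha = SHA256.Create()) hash = sha.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
        var deformatter = new RSAPKCS1SignatureDeformatter(publicKey);
        deformatter.SetHashAlgorithm("SHA256");
        try { return deformatter.VerifySignature(hash, Base64UrlDecode(parts[2])); } catch (FormatException) { return false; }
    }
    public static void Main()
    {
        string header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";                         // constructed sample
        string payload = "{\"iss\":\"accounts.google.com\",\"sub\":\"constructed-id\"}"; // constructed sample
        using (var key = new RSACryptoServiceProvider(2048))
        {
            string jwt = Sign(header, payload, key);
            Console.WriteLine(Verify(jwt, key)); // True
            string[] p = jwt.Split('.');         // swap the payload segment: the signature no longer matches
            string tampered = p[0] + "." + Base64UrlEncode(Encoding.UTF8.GetBytes("{\"sub\":\"other\"}")) + "." + p[2];
            Console.WriteLine(Verify(tampered, key)); // False
        }
    }
}
```

A passing signature check only establishes that the first two segments are untouched; the issuer, audience and expiry claims in the payload still have to be checked against what your application expects.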
