C# - Understanding the JWT token for Google OAuth2
ETA 2:
I was able to figure it out using publicly-available documentation, my SO's extensive knowledge of cryptography, along with a convenient code example on MSDN that handled the important part of the OAuth2 implementation - verifying the integrity of the signed JWT.
I detailed it in a three-part series on my blog.
The critical component is verifying the integrity of the JWT response from the OAuth2 provider - something many devs fail to implement due to a poor understanding of cryptographic functions, which is why the public documentation of various providers (including Google) recommends using a pre-existing library to handle authentication.
The problem is that DotNetOpenAuth hasn't been updated in years, and I don't recommend using an aging library for authentication, since there's no telling what security holes may remain unpatched.
The verification component in C# makes use of RSAPKCS1SignatureDeformatter.VerifySignature, and the sample code in the MSDN article on that method is pretty much verbatim what you need to use to ensure the signed JWT is valid and has not been intercepted by a malicious third party.
ETA:
I am posting this on Stack Overflow due to the fact that Google directs users to Stack Overflow, using the google-oauth2 tag, for questions, help, and support regarding Google's OAuth2 API. The migration to Stack Overflow for Google OAuth2 support was implemented in March 2013, as seen in this announcement:
https://groups.google.com/forum/#!forum/oauth2-dev
Scenario:
New ASP.NET C# application with third-party user signon. I'm first implementing Google OAuth2 and will move on to other services (Facebook, generic OpenID, etc.) afterwards. I know there are existing libraries for C#, but I'd like to avoid using third-party libraries if possible.
After a long time reading the OAuth2 documentation from Google and figuring out the JWT spec, I've gotten pretty far. However, I'm trying to make sure I understand the third segment of the base64-encoded JWT returned by Google once the user has allowed my application to use their account.
The first 2 segments are base64-encoded plaintext. I got that much; they're easy to decode and parse with JavaScriptSerializer. I'm stuck on the third segment, which I understand needs to be used to verify that the Google JWT is valid and untouched by malicious code.
I've been trying to use OpenSSL to decode the binary base64-decoded segment before going to C# to write the code for my application, but I'm unable to decode or verify the content with Google's public certificate.
Is there any decent documentation on C# and Google authentication? I can only find examples using DotNetOpenAuth or other libraries.
If you have a Pluralsight account, there is an excellent course by Dominick Baier that has a section covering this (in the "JWT Structure and Format" section). They have a 10 day free trial you can use if you want.
The first 2 segments are base64-encoded plaintext. I got that much; they're easy to decode and parse with JavaScriptSerializer. I'm stuck on the third segment, which I understand needs to be used to verify that the Google JWT is valid and untouched by malicious code.
According to Dominick, for the third segment you take the base-64 encoded first 2 segments, concatenate them with a period character, and run the result through the signature algorithm specified in the alg
element of the header (which is in the first segment). Base-64 the result and you have the third segment - separated by a period.
But I should point out what Google says in its main documentation:
The mechanics of this interaction require applications to create and cryptographically sign JSON Web Tokens (JWTs). Developers are encouraged to use a library to perform these tasks. Writing this code without the use of a library that abstracts token creation and signing is prone to errors that can have a severe impact on the security of your application.
Since you mention DotNetOpenAuth already, that's the best way to go. If you are looking for a Google OAuth2 implementation ready to use with DotNetOpenAuth - you can try mine. It's had several thousand downloads on NuGet already, so you're not alone.
In regards to DNOA not being maintained, I believe you are referring to Andrew Arnott's decision to step down as lead developer. That's true, and I wish him well. But it doesn't mean DNOA isn't supported or maintained at all. It means it is supported by the community, rather than by an individual or company. You should be able to get continued help and support here on StackOverflow, or on the DNOA Google group.
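The following is an added example, not code from the question, the answers, or any library they mention. It puts the two descriptions above together: the third segment is the signature over "base64url(header).base64url(payload)", computed with the algorithm named in the header's alg element, and it is checked with RSAPKCS1SignatureDeformatter.VerifySignature as the ETA 2 describes. Because Google's real public certificate cannot be embedded here, the example generates a throwaway RSA key pair and signs a constructed header and payload with it; the key, the claim values and the Base64Url helpers are all assumptions, and with a real id_token the public key would come from Google's published certificate instead.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post). A throwaway RSA key pair stands in
// for Google's certificate; header, payload and claim values are constructed.
public static class JwtRs256Demo
{
    // JWT segments are base64url without padding, which Convert.* does not produce directly.
    public static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Base64UrlDecode(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(s);
    }

    // The signing input is exactly "base64url(header).base64url(payload)".
    public static string CreateToken(string headerJson, string payloadJson, RSA privateKey)
    {
        string signingInput = Base64UrlEncode(Encoding.UTF8.GetBytes(headerJson)) + "." +
                              Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
        byte[] signature = privateKey.SignData(Encoding.UTF8.GetBytes(signingInput),
                                               HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + Base64UrlEncode(signature);
    }

    // Verify the third segment against the first two exactly as received. Never re-serialise
    // the decoded JSON and sign that: a single changed byte and the signature will not match.
    public static bool VerifyToken(string token, RSA publicKey)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;

        // The verifier, not the token, decides which algorithm is acceptable (RS256 here).
        string header = Encoding.UTF8.GetString(Base64UrlDecode(parts[0]));
        if (!header.Contains("\"alg\":\"RS256\"")) return false;

        byte[] signingInput = Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]);
        byte[] signature;
        try { signature = Base64UrlDecode(parts[2]); }
        catch (FormatException) { return false; }

        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(signingInput);
            var deformatter = new RSAPKCS1SignatureDeformatter(publicKey);
            deformatter.SetHashAlgorithm("SHA256");
            return deformatter.VerifySignature(hash, signature);
        }
    }

    public static void Main()
    {
        using (RSA privateKey = RSA.Create(2048))
        using (RSA publicKey = RSA.Create())
        {
            // Only the public half is handed to the verifier, as with a provider's certificate.
            publicKey.ImportParameters(privateKey.ExportParameters(false));

            // Constructed sample header and payload; not a real Google id_token.
            string header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
            string payload = "{\"iss\":\"EXAMPLE-ISSUER\",\"sub\":\"EXAMPLE-SUBJECT\",\"aud\":\"EXAMPLE-CLIENT-ID\"}";

            string token = CreateToken(header, payload, privateKey);
            Console.WriteLine("valid token verifies:    " + VerifyToken(token, publicKey));

            // Change one claim but keep the original third segment: verification must fail.
            string[] parts = token.Split('.');
            string forgedPayload = Base64UrlEncode(
                Encoding.UTF8.GetBytes(payload.Replace("EXAMPLE-SUBJECT", "EXAMPLE-OTHER")));
            string tampered = parts[0] + "." + forgedPayload + "." + parts[2];
            Console.WriteLine("tampered token verifies: " + VerifyToken(tampered, publicKey));
        }
    }
}
```

The second VerifyToken call fails because the stored signature was computed over the original payload bytes, which is the whole point of the third segment. Signature validity on its own only proves the token came from the holder of the private key; a real verifier would additionally check the iss, aud and expiry claims in the decoded payload before trusting the identity it carries.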