I plan to use Google Wallet (in-app purchase) to sell subscriptions to my Web based application. Wallet calls my server back (based on the JWT) that my server generates.

As part of my callback implementation I want to double make sure that no one but Google Wallet can successfully call the post back handler.

As far as I can see, all I can do is trust the Seller ID and the Seller Data (which could contain information about my customer, etc.) to ensure that the post back call is legitimate.

My current plan is to encrypt the seller data field so hopefully only my application can read the data in that field. Are there any other best practices / thoughts that might be worth considering to ensure that the post back handler is as secure as possible?

The application is a Python WSGI app, running under Apache (SSL of course).

Thanks for your time.

Devraj

1 Answer

Please note that the postback JWT is signed with your Seller Secret. Only you and Google know the Seller Secret. You verify the authenticity of the postback JWT by ensuring that it is signed with the Seller Secret (more details below).

Also note that a postback JWT is different than the order JWT generated by your server since it also contains the order Id. A hacker would not be able to re-use the order JWT to generate a valid postback JWT without knowing the Seller Secret.

When you receive back the postback JWT you can make sure it is sent by Google by verifying the signature. A JWT is made of "Header.Claims.Signature". The "Signature" is generated using the SHA-256 algorithm with the Seller Secret.

See the following for more details and code examples:

JWT Spec: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#anchor4

Python sample: https://developers.google.com/commerce/wallet/digital/docs/samples#iap-py

JWT decoder: https://developers.google.com/commerce/wallet/digital/docs/jwtdecoder

Mihai Ionescu
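As an added example (not code from the answer or from Google's sample), a verifier for the postback handler in the Python the question mentions: it checks the HS256 signature over "Header.Claims" with the Seller Secret using a constant-time compare, pins the algorithm so the token cannot choose it, checks `iss` against the Seller ID and the expiry, and confirms an order id is present so a replayed order JWT is rejected. The claim layout (`response.orderId`), the placeholder credentials and the `sign_jwt` helper (which only stands in for the issuer to build sample tokens) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example, not real credentials.
SELLER_ID = "example-seller-id"
SELLER_SECRET = b"example-seller-secret-placeholder"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_jwt(claims, secret, alg="HS256"):
    """Build a JWT the way an issuer would (HS256 over 'header.claims').
    Assumed helper, used here only to construct sample postbacks for the verifier."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return header + "." + body + "." + _b64url_encode(sig)

def verify_postback_jwt(token, seller_id, secret, now=None):
    """Return the claims if the postback JWT is authentic and valid; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm: never let the token pick 'none' or anything but HS256.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the handler does not leak signature bytes via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != seller_id:
        raise ValueError("iss is not our Seller ID")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("postback JWT expired")
    # Assumed claim layout: the postback carries the order id under response.orderId.
    if not claims.get("response", {}).get("orderId"):
        raise ValueError("no order id: this is not a postback JWT")
    return claims
```

Only the signature check proves the token came from a holder of the Seller Secret; the remaining checks stop a valid-but-wrong token (another seller's, an expired one, or the pre-purchase order JWT) from being accepted by the handler.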