
What exactly does the response from https://www.googleapis.com/oauth2/v3/certs mean? I am trying to verify a JWT I got via the Google OpenID Connect process using node-jsonwebtoken, and the key used to verify the signature must be one of those two. The source code, however, suggests that node-jsonwebtoken expects a different key format than the one available in the response:

[
  {
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "kid": "e53139984bd36d2c230552441608cc0b5179487a",
    "n": "w5F_3au2fyRLapW4K1g0zT6hjF-co8hjHJWniH3aBOKP45xuSRYXnPrpBHkXM6jFkVHs2pCFAOg6o0tl65iRCcf3hOAI6VOIXjMCJqxNap0-j_lJ6Bc6TBKgX3XD96iEI92iaxn_UIVZ_SpPrbPVyRmH0P7B6oDkwFpApviJRtQzv1F6uyh9W_sNnEZrCZDcs5lL5Xa_44-EkhVNz8yGZmAz9d04htNU7xElmXKs8fRdospyv380WeaWFoNJpc-3ojgRus26jvPy8Oc-d4M5yqs9mI72-1G0zbGVFI_PfxZRL8YdFAIZLg44zGzL2M7pFmagJ7Aj46LUb3p_n9V1NQ",
    "e": "AQAB"
  },
  {
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "kid": "bc8a31927af20860418f6b2231bbfd7ebcc04665",
    "n": "ucGr4fFCJYGVUwHYWAtBNclebyhMjALOTUmmAXdMrCIOgT8TxBEn5oXCrszWX7RoC37nFqc1GlMorfII19qMwHdC_iskju3Rh-AuHr29zkDpYIuh4lRW0xJ0Xyo2Iw4PlV9qgqPJLfkmE5V-sr5RxZNe0T1jyYaOGIJ5nF3WbDkgYW4GNHXhv-5tOwWLThJRtH_n6wtYqsBwqAdVX-EVbkyZvYeOzbiNiop7bDM5Td6ER1oCBC4NZjvjdmnOh8-_x6vB449jL5IRAOIIv8NW9dLtQd2DescZOw46HZjWO-zwyhjQeYY87R93yM9yivJdfrjQxydgEs8Ckh03NDATmQ",
    "e": "AQAB"
  }
]

It doesn't have the classical BEGIN PUBLIC KEY block. Is it maybe encoded? Is there an additional step needed?

heyarne

2 Answers

That code indeed deals with PEM-formatted certificates/keys instead of the JSON Web Key (JWK) formatted key material that is published by Google on the URL that you gave.

There is, however, a different URL that serves the (same) key material in PEM format here: https://www.googleapis.com/oauth2/v1/certs. You can use that representation in node-jsonwebtoken.

Hans Z.

Do you know why in the v3 version of the endpoint the PEM format was replaced with JWK? The PEM certs we can use with the openssl tool, but the JWK certs we have to convert to PEM first, and this is not so easy to do. – Sergey Ponomarev Jan 19 '20 at 17:23

I was able to use n and e successfully with the following code, and then create a public key in Java to decode a JWT which was sent by Google.

import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

String n_str = "...string value of n.... ";
String e_str = "... string value of e...";

// JWK "n" and "e" are base64url-encoded without padding, so use the URL decoder, not the basic one
byte[] n_bytes = Base64.getUrlDecoder().decode(n_str);
byte[] e_bytes = Base64.getUrlDecoder().decode(e_str);

// signum 1: the decoded bytes are unsigned big-endian integers
BigInteger n = new BigInteger(1, n_bytes);
BigInteger e = new BigInteger(1, e_bytes);

RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec(n, e);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
 
DAB