
I am trying to integrate GIT into my site. I have been successful in implementing the toolkit and want to validate the JWT sent from the Google API with the *.p12 certificate provided during setup.

Exception Details: System.IdentityModel.SignatureVerificationFailedException: IDX10501: Signature validation failed. Key tried: 'System.IdentityModel.Tokens.X509SecurityKey'.

JSON Web Token Received: token: '{"alg":"RS256","kid":"qwYevA"}.{"iss":"https://identitytoolkit.google.com/","aud":"238895676270-i8o5fe2poogs83nki8jl5tgtfm7h9n5l.apps.googleusercontent.com","iat":1445739256,"exp":1446948856,"user_id":"","email":"","provider_id":"google.com","verified":true,"display_name":""}'

    var tokenHandler = new JwtSecurityTokenHandler();
    // Load the .p12 downloaded during setup (its password is "notasecret").
    var signingToken = new X509SecurityToken(new X509Certificate2(fileName, "notasecret"));
    TokenValidationParameters validationParameters = new TokenValidationParameters()
    {
        IssuerSigningKey = new X509SecurityKey(new X509Certificate2(fileName, "notasecret")),
        ValidAudience = "238895676270-i8o5fe2poogs83nki8jl5tgtfm7h9n5l.apps.googleusercontent.com",
        ValidIssuer = "https://identitytoolkit.google.com/",
        IssuerSigningKeyResolver = (token, a, ski, tvp) => { return new X509SecurityKey(new X509Certificate2(fileName, "notasecret")); },
        IssuerSigningToken = signingToken,
    };
    SecurityToken st;
    // Validate the ID token stored in the "gtoken" cookie.
    var result = tokenHandler.ValidateToken((Request.Cookies["gtoken"]).Value, validationParameters, out st);

1 Answer

The JWT generated by the Identity Toolkit is signed by Identity Toolkit's own RSA private key, not the .p12 you downloaded during setup.

You need to download the current active Identity Toolkit X509 public certs from https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys?key={YOUR_SERVER_API_KEY}, select the cert for the 'kid' in the JWT you received, and build an X509Certificate2 using that cert.

The SERVER_API_KEY can be generated in Google Developers Console where you have created OAuth2 clients.

Jin Liu
  • Thanks Jin. Can you elaborate a bit more on how I can create a certificate using publicKeys in .NET? What's the use of the *.p12 that's mentioned in docs? Every example in docs seems to use *.p12. – user3220309 Oct 26 '15 at 21:32
  • I am not an expert on .NET, but probably you can use something like new X509Certificate2(Convert.FromBase64String(certString)) where the certString can be downloaded as described above. The .p12 file contains your own private key that you can use to prove your developer account when you make API calls to Google. Anyone else does not know your private key, so they can not access your project data at Google. The Google Identity Toolkit public cert is used for the other direction - your server needs to verify the IdToken is indeed issued by Google Identity Toolkit. – Jin Liu Oct 28 '15 at 01:45
  • Got it! For anyone in/from the future, the cert returned by the GET request on the publicKeys method needs to be converted to valid text for the FromBase64String method (since it's sent raw). In my case I was confusing \n as valid characters in the cert. Thanks Jin. – user3220309 Oct 28 '15 at 18:08
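Putting the answer's steps together (fetch the kid-to-cert map, pick the cert for the token's kid, strip the PEM armor and line breaks that tripped up FromBase64String in the comments, then validate issuer, audience and signature), as an added example that is not code from the question or the answer. It assumes System.IdentityModel.Tokens.Jwt 4.x as used in the question and Json.NET for parsing the endpoint's JSON response.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;   // System.IdentityModel.Tokens.Jwt 4.x, as in the question
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Newtonsoft.Json;               // assumption: Json.NET parses the kid -> PEM map

public static class IdentityToolkitTokenValidator
{
    // publicKeys returns a JSON object mapping kid -> PEM cert; the "\n" escapes become newlines on parse.
    public static Dictionary<string, string> FetchPublicCerts(string serverApiKey)
    {
        string url = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys?key="
                     + Uri.EscapeDataString(serverApiKey);
        using (var http = new HttpClient())
        {
            string json = http.GetStringAsync(url).Result;
            return JsonConvert.DeserializeObject<Dictionary<string, string>>(json);
        }
    }

    // Strip the PEM armor and every line break before decoding; the raw value is not valid base64.
    public static X509Certificate2 CertFromPem(string pem)
    {
        string b64 = pem.Replace("-----BEGIN CERTIFICATE-----", "")
                        .Replace("-----END CERTIFICATE-----", "")
                        .Replace("\r", "").Replace("\n", "").Trim();
        return new X509Certificate2(Convert.FromBase64String(b64));
    }

    public static ClaimsPrincipal Validate(string rawJwt, string clientId, Dictionary<string, string> certs)
    {
        // Select the cert named by the token's kid; an unknown kid means the cached set is stale
        // (Google rotates keys) or the token was not issued by the Identity Toolkit.
        string kid = new JwtSecurityToken(rawJwt).Header.Kid;
        string pem;
        if (!certs.TryGetValue(kid, out pem))
            throw new SecurityTokenValidationException("No Identity Toolkit cert for kid " + kid);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://identitytoolkit.google.com/",
            ValidAudience = clientId,   // the OAuth2 client id, i.e. the token's "aud"
            IssuerSigningKey = new X509SecurityKey(CertFromPem(pem)),
        };
        SecurityToken validated;   // lifetime (exp) is checked by default as well
        return new JwtSecurityTokenHandler().ValidateToken(rawJwt, parameters, out validated);
    }
}
```

Refresh the cert map when a kid is not found, since Google rotates the signing keys, and treat a token whose kid is still unknown after the refresh as invalid.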