
I am developing a website that has Login with Google. Once the user has signed in, I get an id token from the Google JS API and send it to the server to verify it.

I can verify and do the process easily with the Google token info endpoint, but that will result in a lot of HTTPS requests, as it sends an HTTPS request to Google every time a user logs in with Google.

Therefore I am verifying the JWT (id token) locally on the server, and I have successfully authenticated the JWT with no problem. The problem I am facing is that I have to cache the Google public JWKs inside the program.

I am thinking of updating the JWKs every time I cannot find the correct JWK for the corresponding JWT's "kid", but this results in sending an HTTPS request to Google every time a JWK with the corresponding "kid" is not found.

Will this be a vulnerability? Is there a static period of time after which I should update the Google public JWKs?

Can someone help me with this, and point me in the right direction if I am doing anything wrong?

Thanks

Bhanuka Yd

1 Answer


The point of having keys published on a TLS protected endpoint is that you can rotate them fast. Google does that. You will need to fetch the new keys each time a token comes in with a kid that was not cached before. There's no vulnerability to that if you make sure you verify the TLS server certificate that Google presents on the JWKs endpoint. There's probably a static rotation interval that Google uses, but trying to use that will only increase the number of downloads (as opposed to "just-in-time") and Google may change the interval at will.

Hans Z.
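Added example (not code from the question, the answer, or Google): a kid-keyed JWKS cache in Python that does the just-in-time refresh the answer describes, honours the Cache-Control max-age Google sends on its certs endpoint, and puts a floor on how often an unknown kid may trigger a download, so tokens carrying made-up kids cannot turn every login into a request to Google. The URL is Google's published JWKS endpoint; the `simulate_rotation` scenario and its fake fetcher are constructed for offline use.

```python
import json
import re
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GOOGLE_JWKS_URL = "https://www.googleapis.com/oauth2/v3/certs"  # Google's published JWKS

def fetch_google_jwks() -> Tuple[dict, int]:
    """Download the JWKS over HTTPS (urllib validates Google's certificate
    against the system trust store) and return it with Cache-Control max-age."""
    with urllib.request.urlopen(GOOGLE_JWKS_URL, timeout=5) as resp:
        m = re.search(r"max-age=(\d+)", resp.headers.get("Cache-Control", ""))
        return json.load(resp), int(m.group(1)) if m else 300

class JwksCache:
    """JWKs keyed by 'kid'. Refreshes when max-age expires or a token carries an
    unknown kid, with a floor between refreshes so bogus kids cannot flood Google."""
    MIN_REFRESH_SECONDS = 60

    def __init__(self, fetch: Callable[[], Tuple[dict, int]], now=time.time):
        self._fetch, self._now = fetch, now
        self._keys: Dict[str, dict] = {}
        self._expires_at = 0.0
        self._last_refresh = float("-inf")

    def _refresh(self) -> None:
        jwks, max_age = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_refresh = self._now()
        self._expires_at = self._last_refresh + max_age

    def get(self, kid: str) -> Optional[dict]:
        if self._now() >= self._expires_at:  # scheduled refresh: max-age elapsed
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._now() - self._last_refresh >= self.MIN_REFRESH_SECONDS:
            self._refresh()  # just-in-time refresh: kid unknown and floor elapsed
            key = self._keys.get(kid)
        return key

def simulate_rotation() -> int:
    """Constructed offline scenario: Google rotates kid 'k1' -> 'k2'; returns download count."""
    clock, state = {"t": 0}, {"kid": "k1", "fetches": 0}
    def fake_fetch() -> Tuple[dict, int]:
        state["fetches"] += 1
        return {"keys": [{"kid": state["kid"], "kty": "RSA"}]}, 3600
    cache = JwksCache(fake_fetch, now=lambda: clock["t"])
    cache.get("k1")      # first use: download 1
    cache.get("bogus")   # unknown kid but within the floor: no download
    clock["t"], state["kid"] = 120, "k2"   # Google rotates its keys
    cache.get("k2")      # unknown kid, floor elapsed: download 2
    return state["fetches"]
```

Plug `fetch_google_jwks` into `JwksCache` in production and pass the returned JWK to your existing JWT signature check; the fake fetcher exists only so the scenario runs without network access.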