1

We're verifying a Google ID Token on ColdFusion servers. We have everything working but one thing puzzles me:

In the instructions here Google says to use their public keys to verify the token. When we retrieve the keys, in the JSON object there are 2 of them. Whether we grab the PEM or the JWT there are 2 keys.

Example JWT: enter image description here

Example PEM: enter image description here

How do we know which key to use? Through testing we find that one works and we're able to decode the JWT to validate while the other doesn't. Right now we're having to try both of them to see which one works. Is there something we're missing that indicates which of these keys is the one to use?

jps
  • 20,041
  • 15
  • 75
  • 79
CFMLBread
  • 734
  • 3
  • 7

1 Answers1

1

The keys are identified by the key Id "kid":

The "kid" (key ID) parameter is used to match a specific key.

In case of the JWK, you see the kid value in the JSON and you can see the same kid values in the first column of the PEM example. Your token has a "kid" claim in the header part. Decode the header to extract the kid.

e.g.:

{
  "typ":"JWT",
  "alg":"RS256",
  "kid":"3dd6ca2a81dc2fea8c3642431e7e296d2d75b446"
}
jps
  • 20,041
  • 15
  • 75
  • 79
  • Thanks for the response and it makes perfect sense. However, when we examine the token we get from Google we do not see any 'kid'. Nor do we see anything with a value that would point to one of these keys? Here are the headers in the Google Token POST: Accept-Encoding, Accept-Language, Origin , Sec-Fetch-Dest , Sec-Fetch-Mode , Sec-Fetch-Site , Upgrade-Insecure-Requests , XCluster-name, XSite-name , accept , connection , content-length, content-type , cookie (Contains the ‘credential’ token), host , user-agent – CFMLBread Mar 11 '22 at 15:41
  • With header I mean the header of the token. Is is a JWT? Did you inspect it on https://jwt.io ? – jps Mar 11 '22 at 15:45
  • 1
    THAT is what I needed. OMG, I didn't even realize there was a 'header' in the JWT. I don't pretend to be an encryption expert so I appreciate the info. Thank you! – CFMLBread Mar 11 '22 at 16:31