Understanding the JWT token for Google OAuth2
ETA 2:

I was able to figure out all this using publicly-available documentation and my SO's extensive knowledge of cryptography, along with a convenient code example on MSDN that handled the most important part of OAuth2 implementation - verifying the integrity of the signed JWT.

I detailed this in a three-part series on my blog: http://www.abettergeek.com/web-development/the-big-picture-google-authentication-using-oauth2-and-asp-net-c/

The critical component is verifying the integrity of the JWT response from your OAuth2 provider - many devs fail to implement this properly due to a poor understanding of cryptographic functions, which is why public documentation from various providers (including Google) recommends using a pre-existing library to handle authentication.

The problem is that DotNetOpenAuth hasn't been updated in years, and I don't recommend using an aging library for authentication, since there's no telling what security holes may remain unpatched.

The verification component in C# makes use of RSAPKCS1SignatureDeformatter.VerifySignature, and the sample code in the MSDN article on this method (https://msdn.microsoft.com/en-us/library/0h05c7e2.aspx?f=255&mspperror=-2147217396#Anchor_3) is pretty much verbatim what you need to use to ensure that a signed JWT is valid and has not been intercepted by a malicious third party.

ETA:

I am posting this on Stack Overflow due to the fact that Google specifically directs users to Stack Overflow, using the google-oauth2 tag, for questions, help, and support regarding Google's OAuth2 API. The migration to Stack Overflow for all Google OAuth2 support was implemented in March 2013, as seen in this announcement: https://groups.google.com/forum/#!forum/oauth2-dev

Scenario:

New ASP.NET C# application with third-party user signon. I'm first implementing Google OAuth2 and will then move on to other services (Facebook, generic OpenID, etc.). I know that there are existing libraries for C#, but I'd like to avoid using third-party libraries if possible.

After a long time reading the OAuth2 documentation for Google and figuring out the JWT spec, I've gotten pretty far. However, I'm trying to make sure I understand the third segment of the Base64-encoded JWT that is returned by Google once the user has allowed my application to use their account.

The first two segments are just Base64-encoded plaintext. Got that much; that was easy to decode and parse with JavaScriptSerializer. What I'm stuck on is the third segment, which as I understand it needs to be used to verify the Google JWT as valid and untouched by any malicious code.

I've been trying to use OpenSSL to decode the binary Base64-decoded segment before going into C# to write the code for my application, but I'm unable to decode or verify the content with Google's public certificate.

Is there any decent documentation on C# and Google authentication? All I can find is examples using DotNetOpenAuth or other libraries.
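The post above asks what the third segment of the token is and how it is checked. As an added example (not code from the question, from Google, or from the MSDN article it cites), the following Python script builds and verifies an RS256 JWT end to end using only the standard library, so every step that RSAPKCS1SignatureDeformatter.VerifySignature hides in C# is visible: the third segment is the RSASSA-PKCS1-v1_5 signature (RFC 7518, RFC 8017) over the ASCII bytes of "header.payload", and verification means raising the signature to the public exponent and comparing the result, padding and DigestInfo included, against a freshly computed SHA-256 encoding. The RSA key pair is a throw-away one generated at run time and the claims are constructed, so the token is not a real Google id_token; the key names (n, e, d), `kid`, and the `generate_rsa_keypair` / `jwt_verify` helpers are this example's own. It needs Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Sign and verify an RS256 JWT with the Python standard library only (added example)."""
import base64
import hashlib
import hmac
import json
import random

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


# --- base64url as JWS uses it: URL-safe alphabet, no '=' padding (RFC 7515 s.2) ---
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- throw-away RSA key generation (demo only; a real verifier loads the provider's key) ---
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)). e = 65537 is prime, so gcd(e, phi) == 1 unless e | phi."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))


# --- RSASSA-PKCS1-v1_5 with SHA-256, i.e. what "RS256" means ---
def emsa_pkcs1_v1_5(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo(SHA-256(message))."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sign(priv, message: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def rsa_verify(pub, message: bytes, signature: bytes) -> bool:
    """The step RSAPKCS1SignatureDeformatter.VerifySignature performs in C#."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare the whole encoded message, padding included, not just the hash at the end.
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(message, k))


# --- JWT layer: header.payload.signature ---
def jwt_sign(claims: dict, priv, kid: str = "demo-key") -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(rsa_sign(priv, signing_input.encode("ascii")))


def jwt_verify(token: str, pub) -> dict:
    """Return the claims only if the third segment verifies; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # Sign/verify over the encoded segments exactly as received, never over re-serialized JSON.
    if not rsa_verify(pub, (h64 + "." + p64).encode("ascii"), b64url_decode(s64)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(p64))


if __name__ == "__main__":
    pub, priv = generate_rsa_keypair()
    token = jwt_sign({"iss": "accounts.google.com", "sub": "1234567890", "aud": "my-client-id"}, priv)
    print(jwt_verify(token, pub))
```

Against a real token the only difference is where `pub` comes from: `n` and `e` are taken from the provider's published public key (the `kid` header says which one), and once the signature checks out the `iss`, `aud` and `exp` claims still have to be compared with what your application expects, because a valid signature only proves the provider issued the token, not that it was issued to you or is still current.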