Validating jwt token issued by googleapis fails using public certificates

Question

Validating jwt token issued by googleapis fails using public certificates

priyashpatil opened this issue 3 years ago · comments

Using firebase auth to generate tokens.. Code below is custom backend server which checks auth token passed by frontend client some code is removed.. But you'll get the idea..

validating token
google's public keys

import 'package:x509/x509.dart';
import 'package:http/http.dart' as http;
import 'package:jose/jose.dart';

var authToken = request.headers['authorization'];
var token = authToken.split(' ')[1];
var tokenHeader = token.split('.').first;
var joseHeader = JoseHeader.fromBase64EncodedString(tokenHeader);

var url = Uri.parse('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
var response = await http.get(url);

final key = json.decode(response.body)[joseHeader['kid']];
print(key);

var certificate = await parsePem(key).first as X509Certificate;
print(certificate.publicKey);

var jwk = JsonWebKey.fromCryptoKeys(publicKey: certificate.publicKey);
var keyStore = JsonWebKeyStore()..addKey(jwk);

var jwt = JsonWebToken.unverified(token);
var verified = await jwt.verify(keyStore);
print('verified: $verified');

Terminal output

Priyash · Answer 1 · Wed May 26 2021 16:16:02 GMT+0800 (China Standard Time)

Got it working.. I wasn't passing kid

  keys.forEach((key, value) {
    var cert = x509.parsePem(value).first as x509.X509Certificate;
    var publicKey = cert.tbsCertificate.subjectPublicKeyInfo?.subjectPublicKey
        as x509.RsaPublicKey;

    var jwk = jose.JsonWebKey.fromCryptoKeys(publicKey: publicKey, keyId: key);
    keyStore.addKey(jwk);
  });