Sample code for 30+ languages & platforms
C#

Validate a Google ID Token

See more OAuth2 Examples

Demonstrates how to verify the signature of a Google id token.

Chilkat C# Downloads

C#
bool success = false;

//  This example requires the Chilkat API to have been previously unlocked.
//  See Global Unlock Sample for sample code.

Chilkat.Http http = new Chilkat.Http();

//  First get the public key we'll be needing..
string jwkStr = http.QuickGetStr("https://www.googleapis.com/oauth2/v3/certs");
if (http.LastMethodSuccess == false) {
    Debug.WriteLine(http.LastErrorText);
    return;
}

//  We have the following:

//      {
//        "keys": [
//  	{
//  	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
//  	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
//  	  "kty": "RSA",
//  	  "e": "AQAB",
//  	  "alg": "RS256",
//  	  "use": "sig"
//  	},
//  	{
//  	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
//  	  "e": "AQAB",
//  	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
//  	  "alg": "RS256",
//  	  "use": "sig",
//  	  "kty": "RSA"
//  	}
//        ]
//      }

Chilkat.JsonObject json = new Chilkat.JsonObject();
success = json.Load(jwkStr);

//  -------------------------------------------------

//  Load the following..

//   {
//    "access_token": "ya29.a0...0f",
//    "expires_in": 3599,
//    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
//    "token_type": "Bearer",
//    "id_token": "eyJhb...o5nQ"
//  }

Chilkat.JsonObject jsonToken = new Chilkat.JsonObject();
success = jsonToken.LoadFile("qa_data/tokens/google_sample_id_token.json");
if (success == false) {
    Debug.WriteLine("Failed to load the JSON file...");
    return;
}

//  Get the id_token;
Chilkat.StringBuilder sbIdToken = new Chilkat.StringBuilder();
success = sbIdToken.Append(jsonToken.StringOf("id_token"));

//  Get the signature in base64url format.
//  The header + payload remains in sbIdToken.
string sig_b64Url = sbIdToken.GetAfterFinal(".",true);
string headerPlusPayload = sbIdToken.GetAsString();

Debug.WriteLine(sig_b64Url);
Debug.WriteLine(headerPlusPayload);

//  ---------------------------------------------

//  Try validating with each cert's public key.
//  Hopefully one will be the key that verifies.

Chilkat.Rsa rsa = new Chilkat.Rsa();
rsa.EncodingMode = "base64url";

Chilkat.JsonObject jsonKey = new Chilkat.JsonObject();
Chilkat.PublicKey pubKey = new Chilkat.PublicKey();

int numKeys = json.SizeOfArray("keys");
int i = 0;
while (i < numKeys) {
    json.I = i;

    json.ObjectOf2("keys[i]",jsonKey);

    success = pubKey.LoadFromString(jsonKey.Emit());
    if (success == false) {
        Debug.WriteLine(pubKey.LastErrorText);
        return;
    }

    Debug.WriteLine(Convert.ToString(i));
    Debug.WriteLine(pubKey.GetPem(true));

    success = rsa.UsePublicKey(pubKey);

    bool bVerified = rsa.VerifyStringENC(headerPlusPayload,"sha256",sig_b64Url);
    Debug.WriteLine("bVerified = " + Convert.ToString(bVerified));

    i = i + 1;
}

//  The output is:

//  0
//  -----BEGIN RSA PUBLIC KEY-----
//  MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
//  cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
//  9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
//  LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
//  LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
//  680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
//  -----END RSA PUBLIC KEY-----
//  
//  bVerified = True
//  1
//  -----BEGIN RSA PUBLIC KEY-----
//  MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
//  IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
//  Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
//  E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
//  TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
//  5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
//  -----END RSA PUBLIC KEY-----
//  
//  bVerified = False