
I'm trying to access & verify the id_token property of Google's OAuth API Response:

{
    "access_token": <Access Code Here>,
    "token_type": "Bearer", 
    "expires_in": 3600, 
    "id_token": <id_token here>
}

After obtaining my id_token value, I grab Google's public key from their OpenIDConnect URI, the non-permanent link for which can be obtained from their openid-config page:

{
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "8c9eb968f73744eaed421e48010142bce51a067f",
   "n": "uweJ3hFY9wqZ6ZG-iSNhQwHtKCGl8G_jcQgGPjOrS-Rum3dyDjicqkAyfS8XDn480KD_TZ5m-lqBjqfimePu2_cH4URDPIwsqSzJI2_piEhaqnXRptIe5YB5imAL6iETKaOPjw284Fc7EdHK-ekHMn3AXjsy9AIErwAVw4-4ZXXwHbyQXJy1DyUB4ZzxiEvw_qkQmLdltmrNkLOw-Xh-C9UkTZ9NA58bYPBnxLwnAu_ggw_g_-hCAs6OvXZbAfFHhIGBLyjtdDLVrfXo1112QREB9d5sEds0bKZtJcD9afl4E7Ht6G-g3jNP2clAu6-6B-cIe4-j8Ph1uJDPkAmDfw",
   "e": "AQAB"
},

According to Google & Specification RFC 7518 the "n" parameter is the "modulus", a Base64urlUInt-encoded value. Because of this, when I try to decode & verify it with pyJWT, I get the following Traceback & Error:

>>> decoded = jwt.decode(IDjwt, public_key, algorithms='RS256')
ValueError: Could not deserialize key data.

Keep in mind when I use pyJWT's other methods that skip verification, I can still easily grab the headers/payload from the id_token (meaning the issue lies with the public key, not the id_token). So my main issue is: How do I decode/use this Base64urlUInt-encoded value in Python? Is the Modulus not enough? The "e" or exponent value for this public key is AQAB, not sure if that's important.

Tyrel Kostyk
  • Seems like you missed the two equal sign (=) suffix in your key string. Did you? – Sazzadur Rahaman Jul 11 '18 at 00:20
  • Unfortunately not, or at least I don't think so. The string I grabbed came directly from [Google's Public Key API](https://www.googleapis.com/oauth2/v3/certs): – Tyrel Kostyk Jul 11 '18 at 15:37
  • You got 256 bytes, that might be just the modulus, not the entire public key (?). I'm guessing here; I'm not a JWT expert. – Maarten Bodewes Jul 11 '18 at 16:04
  • Yes actually you are right, according to the [RFC 718 Specification](https://tools.ietf.org/html/rfc7518#section-6.3), the "n" parameter (which is what I grabbed) is the modulus. Is this not enough to decode & verify the token? I'm definitely no expert either, and the help is appreciated! – Tyrel Kostyk Jul 12 '18 at 15:57
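
The question and comments above turn on what the JWK "n" and "e" members are. As an added example (not from the original post and not PyJWT's code), this standard-library sketch decodes both Base64urlUInt values into integers and performs the RS256 check (RSASSA-PKCS1-v1_5 with SHA-256) by hand. The names `verify_rs256` and `demo` and the Mersenne-prime test key are constructed for illustration, and claim checks (`iss`, `aud`, `exp`) are left out.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    """Decode unpadded base64url, as used in JWT segments and JWK members."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def uint(s):
    """Base64urlUInt (RFC 7518): big-endian unsigned integer."""
    return int.from_bytes(b64url_decode(s), "big")

def pkcs1_sha256_em(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwk):
    """Return the claims if the RS256 signature verifies; raise ValueError otherwise."""
    head, body, sig_b64 = token.split(".")
    # Pin the algorithm here instead of letting the token header choose it.
    if json.loads(b64url_decode(head)).get("alg") != "RS256" or jwk["kty"] != "RSA":
        raise ValueError("unexpected algorithm or key type")
    n, e = uint(jwk["n"]), uint(jwk["e"])  # "AQAB" decodes to 65537
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("signature out of range for this modulus")
    em = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, pkcs1_sha256_em(f"{head}.{body}".encode(), k)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body))

def demo():
    """Constructed test key from two Mersenne primes: insecure, for this example only."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    jwk = {"kty": "RSA", "alg": "RS256", "n": b64url_encode(n.to_bytes(k, "big")), "e": "AQAB"}
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in
                             ({"alg": "RS256", "typ": "JWT"}, {"sub": "constructed-user"}))
    em = int.from_bytes(pkcs1_sha256_em(signing_input.encode(), k), "big")
    token = signing_input + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))
    return token, jwk
```

In an application, hand the same JWK to a maintained library rather than this code; PyJWT provides `jwt.algorithms.RSAAlgorithm.from_jwk` for building the key object from the JWK JSON.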

0 Answers