How verification of a "google sign-in" JWT works


I am trying to understand how the JWT sent from Google to the client, when using the Sign in with Google feature, can be verified on my server for authentication.

I would like to authenticate a user with a specific email on my server.

Here's the flow as I perceive it:

  1. User clicks "Sign in with Google."
  2. Client obtains a JWT from the Google API.
  3. Client forwards the JWT to my server.
  4. Server verifies the token using Google's provided client library.
  5. I validate if the email is "[email protected]."
  6. If it's the whitelisted email, I issue a cookie granting access to protected APIs.

However, I'm curious about the potential for JWT manipulation. Is it feasible for someone to tamper with a JWT and send it to my server, claiming the email "[email protected]" without actual access to that email, thereby gaining access to protected APIs?

How can I ensure that the user claiming ownership of the email actually owns it?

Does the verification method of the client library, such as GoogleJsonWebSignature.ValidateAsync in the Google client for .NET, handle this aspect of security?

I have managed to receive the JWT on my server but fail to understand how it is to be trusted.


LuNaTiqQc On

It appears that the method GoogleJsonWebSignature.ValidateAsync of Google's .NET client ultimately handles the verification of the JWT via a server-to-server transaction.

Thus I can count on the user being who they claim to be after having verified the JWT.

using Google.Apis.Auth;
using Microsoft.AspNetCore.Http;

GoogleJsonWebSignature.Payload googleUser;

try {
    // Fetches Google's public signing keys and checks the token's signature and expiry.
    googleUser = await GoogleJsonWebSignature.ValidateAsync(data.Credential);
}
catch (Exception)
{
    // Validation failed: the token is not a genuine, current Google-issued JWT.
    return TypedResults.Problem(statusCode: StatusCodes.Status404NotFound);
}

if (googleUser.Email == "[email protected]") {
    // Authenticate user
}

Of course, as with any other form of authentication, one should remain aware of the possibility that the user's Google account may have been hacked.

I had read somewhere that a JWT token was a self-enclosed system, and that it can validate itself, which may technically still be true but threw me off and made me think there wasn't a server-to-server verification happening.
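A hardened form of the check above, added here as an illustration rather than the poster's or the Google library's own code (the client ID and the allowlisted address are placeholders you must replace): it passes ValidationSettings so that ValidateAsync also rejects tokens Google issued for some other application, and it refuses tokens whose email_verified claim is false.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Google.Apis.Auth;

public static class GoogleSignInVerifier
{
    // Placeholder values: your own OAuth client ID and the address you allowlist.
    private const string ClientId = "YOUR_CLIENT_ID.apps.googleusercontent.com";
    private static readonly HashSet<string> AllowedEmails =
        new(StringComparer.OrdinalIgnoreCase) { "[email protected]" };

    // Returns the verified payload when the ID token is genuine, was issued by Google
    // for this application, and carries an allowlisted, verified e-mail; null otherwise.
    public static async Task<GoogleJsonWebSignature.Payload?> VerifyAsync(string idToken)
    {
        var settings = new GoogleJsonWebSignature.ValidationSettings
        {
            // Audience check: a valid Google token minted for another app's client ID
            // must not be accepted by this server.
            Audience = new[] { ClientId },
        };

        GoogleJsonWebSignature.Payload payload;
        try
        {
            // Downloads Google's current public signing keys (cached by the library),
            // verifies the RS256 signature, and checks issuer, expiry and audience.
            // A tampered payload no longer matches the signature and fails here.
            payload = await GoogleJsonWebSignature.ValidateAsync(idToken, settings);
        }
        catch (InvalidJwtException)
        {
            return null; // forged, expired, wrong issuer, or not for this client ID
        }

        // Google only asserts ownership of the address when email_verified is true.
        if (!payload.EmailVerified) return null;

        if (!AllowedEmails.Contains(payload.Email)) return null;

        // payload.Subject is Google's stable account ID; it is a more robust key for
        // an allowlist than the e-mail, which a user can change on their account.
        return payload;
    }
}
```

Only after VerifyAsync returns a non-null payload should the server issue its own session cookie; a 401 response is the conventional reply when it returns null.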