Node js JWT to verify token using Google's public keys

Question

I'm reading the https://developers.google.com/actions/identity/google-sign-in guide for the authentication flow. Now I need to access the user's profile information so I'm using the JWT library with the code:

var decoded = jwt.verify(token, google_key,{algorithms: ['RS256'] });

The guide says:

Use a JWT-decoding library for your language to decode the token, and use Google's public keys (available in JWK or PEM format) to verify the token's signature.

So i decided to use the PEM Format by using this code:

{
  "6f6781ba71199a658e760aa5aa93e5fc3dc752b5": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIPFwAmiva4MkwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0xOTA0MDIxNDQ5MThaFw0xOTA0MTkwMzA0MThaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUnbzv92s5aD1gmiF71M7tPT+XcQWRc45Y\nQKRflT7sQuEYVx9Ke6D5fuOeThQl7YjLOXFlhLOyyFSBMC9dKQtAJuQ1P2CqKA6Y\nTtfvRQAppqrcivJH/Iz3aSmYF4fTOg1EWv7R/28BOu3cTar2grIpPXo0TLNaq6uT\n3DlyB0QHbs4Xfz1+0Urwf4E63IHWAbOIu9dVjhRNV8Y497xUpO3ZN81at1zjSC30\nvyJbiEIPMyVgJlD7rV0uGP+a4hhcNcN8yofVgr8loLMCjDPO7DrMJYt31xQQCdyi\n0RsSxBQaqGh/soiy5f3pqMZko5YoGS/ME5TOvwRo5ThgYDI6/JUnAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQC8E4nZ3Sz61gQfOOq3/YpstWrONNol\nH6+L2KyU0+63wG9huxLHJOQ0Xj7oooOjSv4prOE91F3sUjE7P+aVTrwbLpaIpmbd\nloHI6h4yvjWmfdijo8VqSgZyXXhs4USLPEANux870XWEnWXkpR9QeSRQnZuCR2tF\n4nqDN1DMaLv6XCa2q7JPS27tBo9rMxsvk4SQUeSj6qAMyudST1AKDEZkqRdIDUqn\nuaWltHIlky8NUw7gkjOBMIIpIkQapBJ6WDZALebCNsaLbpvTQl3r5ttgW/aSsiXW\nKaJWL3reZU1mVb7JVBoRi8Fks19SnX753fhd4OAdgt91QzVIf7dwY1PG\n-----END CERTIFICATE-----\n",
  "a4313e7fd1e9e2a4ded3b292d2a7f4e519574308": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIILHP1ZKgNVzIwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0xOTAzMjUxNDQ5MThaFw0xOTA0MTEwMzA0MThaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCU7f9ChF38PxQcCMVx2DT/wY6IvJajhWKL\nLxwMs0Z/xPV5CWqqE9hma8Y4+HIgtZn0Uic5dP0DMfko9946cwTPLhOp8Yu11wCW\n5+oAt7+q6yartJI0hV9LDmI9mPNeTcFePOgU1kt+qyiqF4bN6T6wlXVOLklBDaFE\n9JlCFtr3FWfobxTGvm6BWEdDbk/ocvhpyOG6+lI8QWfu2K8QiFZkQvfkJ6od6V/7\njxYDg8vNFW98UxL6Fbp6uNfu7FP2aPy5PvMaXjX/MF32UyfYJB4/dosN5AWgVotp\nfY1ly1EBISvPof0whdCeAzWmIqdzziGaJ/L5kCw+kFzHDuF4WlhHAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCOWDJs2YU7wLenPV0X8Q9LZLX0K+zb\n5HOoKEnf1ZAv4pg9GY0c3DNHfXrknjH+vPM0XbymEK+8EN8/6MBw96U2Lqxxcksj\nCZfK0FnIzT+ROE/FtrHHTnjqcd4aRES5Ffg7EU8lInUhqgmL/q7ZrZ1xBuz1cHPm\nza3aV/gaTs0cjEJWbNkLjDH5j55TBTXxmO32jgsh7i1uTnk1+P0SZKEgXWgKlCmG\nBP0Vx4+IEMfJvy8qdP/yJ50kGwaHjyMNdnxU33zylilxwXPdLWdV9N4KwTuLh4QF\n26EE8nUSCeP9tKKgdKsD/Q/wvuwBGQp4UVx4g/nsZHzxcdONdlhWYlVs\n-----END CERTIFICATE-----\n"
}

But actually I don't know to extract the PUBLIC KEY from this certificate to use the verify() instruction that i said before.

(I tried to use this Json variable but i got thi error:)

UnhandledPromiseRejectionWarning: Error: PEM_read_bio_PUBKEY failed

How can I take the PUBLIC KEY from the CERTIFICATE? I'm using Nodejs. Thanks in advance.

Raúl Dávila Raúl Dávila · Accepted Answer · 2019-09-24T19:02:57

The PUBLIC KEY is the actual string:

"-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIPFwAmiva4MkwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0xOTA0MDIxNDQ5MThaFw0xOTA0MTkwMzA0MThaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUnbzv92s5aD1gmiF71M7tPT+XcQWRc45Y\nQKRflT7sQuEYVx9Ke6D5fuOeThQl7YjLOXFlhLOyyFSBMC9dKQtAJuQ1P2CqKA6Y\nTtfvRQAppqrcivJH/Iz3aSmYF4fTOg1EWv7R/28BOu3cTar2grIpPXo0TLNaq6uT\n3DlyB0QHbs4Xfz1+0Urwf4E63IHWAbOIu9dVjhRNV8Y497xUpO3ZN81at1zjSC30\nvyJbiEIPMyVgJlD7rV0uGP+a4hhcNcN8yofVgr8loLMCjDPO7DrMJYt31xQQCdyi\n0RsSxBQaqGh/soiy5f3pqMZko5YoGS/ME5TOvwRo5ThgYDI6/JUnAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQC8E4nZ3Sz61gQfOOq3/YpstWrONNol\nH6+L2KyU0+63wG9huxLHJOQ0Xj7oooOjSv4prOE91F3sUjE7P+aVTrwbLpaIpmbd\nloHI6h4yvjWmfdijo8VqSgZyXXhs4USLPEANux870XWEnWXkpR9QeSRQnZuCR2tF\n4nqDN1DMaLv6XCa2q7JPS27tBo9rMxsvk4SQUeSj6qAMyudST1AKDEZkqRdIDUqn\nuaWltHIlky8NUw7gkjOBMIIpIkQapBJ6WDZALebCNsaLbpvTQl3r5ttgW/aSsiXW\nKaJWL3reZU1mVb7JVBoRi8Fks19SnX753fhd4OAdgt91QzVIf7dwY1PG\n-----END CERTIFICATE-----\n"

In your example, Google gives us two keys. To know which one must be used, we first need to extract some information stored in the header of the JWT. For that, we can use the same jsonwebtoken library:

const header = jwt.decode(YOUR_JWT_HERE, { complete: true }).header;
/*
header = {
    alg: 'RS256',
    kid: '6f6781ba71199a658e760aa5aa93e5fc3dc752b5',
    typ: 'JWT'
}
*/

As you can see, header.kid matches an item from the certificates retrieved from Google. That is the one you must use to verify the JWT. In the end, the code looks something like this:

const jwt = require('jsonwebtoken');

const token = YOUR_JWT_VALUE;
const certificates = {
    "6f6781ba71199a658e760aa5aa93e5fc3dc752b5": "-----BEGIN CERTIFICATE-----\nMIID[...]dwY1PG\n-----END CERTIFICATE-----\n",
    "a4313e7fd1e9e2a4ded3b292d2a7f4e519574308": "-----BEGIN CERTIFICATE-----\nMIID[...]hWYlVs\n-----END CERTIFICATE-----\n",
};

// Get header information from token
const header = jwt.decode(token, { complete: true }).header;
// Get the corresponding public key specified in header
const cert = certificates[header.kid];

// Verify token
jwt.verify(token, cert, { algorithms: ['RS256'] }, (err, payload) => {
    if (err) {
      // Not a valid token
      console.log('Error:', err);
      return;
    }

    // Token successfully verified
    console.log('Payload:', payload);
});

Note: Google's certificates change from time to time. For simplicity of the answer I declared them as constants, but you must have this in mind. From Google:

These keys are regularly rotated; examine the Cache-Control header in the response to determine when you should retrieve them again.

Sources:

Get header information from JWT here.
This guide. Shoutout to Adrian Ancona.

Node js JWT to verify token using Google's public keys

1 Answers