JSON Web Tokens (JWT) validation - hippogamesunity/SimpleSignIn GitHub Wiki
Google returns id_token as part of the token response.
Note: This property is only returned if your request included an identity scope, such as openid, profile, or email. The value is a JSON Web Token (JWT) that contains digitally signed identity information about the user.
You can use the JWT class from my asset to parse a JWT and validate its signature. If you have an ASP.NET backend, move this class there.
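As an added example (not the asset's JWT class), here is the validation sequence from the Google guide linked below, written in Go with only the standard library: split the three segments, look up the published key by kid, verify the RS256 signature over header.payload, then check iss, aud and exp. The JWK struct and the kid-indexed map are assumptions about how the certs document at https://www.googleapis.com/oauth2/v3/certs was fetched and decoded; fetching it is left to the caller.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK mirrors one entry of the "keys" array served at https://www.googleapis.com/oauth2/v3/certs.
type JWK struct{ Kid, Kty, Alg, N, E string }

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// ValidateIDToken runs the checks from Google's validation guide: RS256 signature against the
// certs key whose kid matches the header (keys is that document indexed by kid), then iss, aud, exp.
func ValidateIDToken(tok, clientID string, keys map[string]JWK, now int64) (map[string]any, error) {
	p := strings.Split(tok, ".") // header.payload.signature; now is Unix seconds
	var hdr struct{ Alg, Kid string }
	// The verifier pins alg to RS256; the token never gets to choose the algorithm.
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token, bad header or unsupported alg")
	}
	k, ok := keys[hdr.Kid]
	sig, err := b64.DecodeString(p[2])
	if !ok || k.Kty != "RSA" || err != nil {
		return nil, fmt.Errorf("unknown kid or undecodable signature")
	}
	// Rebuild the public key from the JWK's base64url n and e, then verify over header.payload exactly as sent.
	n, _ := b64.DecodeString(k.N)
	e, _ := b64.DecodeString(k.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var c map[string]any
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	iss, _ := c["iss"].(string)
	aud, _ := c["aud"].(string)
	exp, _ := c["exp"].(float64)
	if (iss != "https://accounts.google.com" && iss != "accounts.google.com") || aud != clientID || now >= int64(exp) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%.0f", iss, aud, exp)
	}
	return c, nil
}
```

Google rotates the keys behind the certs URL, so cache the document but refetch it when a token arrives with a kid you have not seen.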
Nonce
If you need to send a nonce with the token request, refer to the description of the state parameter in the Google docs (my asset generates random GUIDs for state).
You can use this parameter for several purposes, such as directing the user to the correct resource in your application, sending nonces, and mitigating cross-site request forgery. Since your redirect_uri can be guessed, using a state value can increase your assurance that an incoming connection is the result of an authentication request.
Links
- Response format: https://developers.google.com/identity/protocols/oauth2/native-app#handlingresponse
- JWT validation: https://developers.google.com/identity/openid-connect/openid-connect#validatinganidtoken
- Public keys for signature validation: https://www.googleapis.com/oauth2/v3/certs
- JWT debugger: https://jwt.io/