Spring Boot and RESTful API(12)JWT Auth on the Server


One way to decode the id_token from Google is as follows:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={id_token}

The response will be similar to this (note that the tokeninfo endpoint returns every value, including iat and exp, as a string):
{
    "azp": "xxxxxx-bkfjkg7vvi9fhio0aeoedr4lofe57hjh.apps.googleusercontent.com",
    "aud": "xxxxxx-bkfjkg7vvi9fhio0aeoedr4lofe57hjh.apps.googleusercontent.com",
    "sub": "xxxxxxxxxx",
    "email": "[email protected]",
    "email_verified": "true",
    "at_hash": "xxxxxxxxxxx",
    "iss": "accounts.google.com",
    "jti": "xxxxxxxxxxxxxx",
    "iat": "1507055545",
    "exp": "1507059145",
    "name": "hua luo",
    "picture": "https://lh5.googleusercontent.com/-fyLKT4QgfF8/AAAAAAAAAAI/AAAAAAAAABw/ZXyuDNN-DKI/s96-c/photo.jpg",
    "given_name": "hua",
    "family_name": "luo",
    "locale": "en",
    "alg": "RS256",
    "kid": "xxxxxxxxxxxxxxxx"
}

Base64url decode the first part of the id_token (the JWT header), for example with https://www.base64decode.org/
{
    "alg":"RS256",
    "kid":"bb77447d5897a11b7357c502c61fc54f0910b4f5"
}

Base64url decode the second part (the payload, carrying the claims; here iat and exp are numbers and email_verified is a boolean)
{
    "azp":"xxx-bkfjkg7vvi9fhio0aeoedr4lofe57hjh.apps.googleusercontent.com",
    "aud":"xxxxx-bkfjkg7vvi9fhio0aeoedr4lofe57hjh.apps.googleusercontent.com",
    "sub":"112302643546263131011",
    "email":"[email protected]",
    "email_verified":true,
    "at_hash":"xxxxxx",
    "iss":"accounts.google.com",
    "jti":"xxxxxxxx",
    "iat":1507054442,
    "exp":1507058042,
    "name":"hua luo",
    "picture":"https://lh5.googleusercontent.com/-fyLKT4QgfF8/AAAAAAAAAAI/AAAAAAAAABw/ZXyuDNN-DKI/s96-c/photo.jpg",
    "given_name":"hua",
    "family_name":"luo",
    "locale":"en"
}
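The two decoding steps above, as an added Python example (not code from the original post): it splits a compact JWT into its three parts, restores the base64url padding that JWTs strip, rejects any header whose alg is not RS256, and then checks the claims a server must look at before trusting the payload: iss, aud, exp and email_verified. The sample token is constructed inside the block with a placeholder signature and a made-up aud/sub, so this shows decoding and claim checks only; the signature itself still has to be verified against the Google certificate matching the header's kid. The checks accept exp as a number or as a numeric string, because the payload and the tokeninfo response differ in that respect.

```python
import base64
import json
import time

# Google issues id_tokens with either spelling of the issuer
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed client id, standing in for the real *.apps.googleusercontent.com value
SAMPLE_AUD = "constructed-client-id.apps.googleusercontent.com"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str, allowed_algs=("RS256",)) -> dict:
    """Split header.payload.signature and parse the JSON parts.

    This does NOT verify the signature; it only refuses algorithms the server
    does not expect (for example 'none'), so a later verification step cannot
    be talked into skipping the RSA check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in allowed_algs:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    return {"header": header, "payload": payload, "signature": signature}


def check_claims(payload: dict, expected_aud: str, now: int) -> list:
    """Return the names of failing claims; an empty list means the claims are acceptable.

    exp may arrive as an int (decoded payload) or a numeric string (tokeninfo).
    """
    problems = []
    if payload.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss")
    if payload.get("aud") != expected_aud:
        problems.append("aud")
    try:
        exp = int(payload["exp"])
    except (KeyError, TypeError, ValueError):
        problems.append("exp")
    else:
        if exp <= now:
            problems.append("exp")
    if payload.get("email_verified") not in (True, "true"):
        problems.append("email_verified")
    return problems


def make_sample_token() -> str:
    """Build a constructed token shaped like Google's id_token.

    The signature segment is a placeholder, not a real RSA signature.
    """
    header = {"alg": "RS256", "kid": "constructed-kid"}
    payload = {
        "iss": "accounts.google.com",
        "azp": SAMPLE_AUD,
        "aud": SAMPLE_AUD,
        "sub": "000000000000000000000",
        "email": "[email protected]",
        "email_verified": True,
        "iat": 1507054442,
        "exp": 1507058042,
    }
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(payload, **compact).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    decoded = decode_jwt(make_sample_token())
    print("header :", decoded["header"])
    print("payload:", decoded["payload"])
    # Use a fixed clock so the constructed exp is still in the future
    print("problems:", check_claims(decoded["payload"], SAMPLE_AUD, now=1507055000))
```

Run it as a script to see the decoded parts; in a real server replace the fixed clock with int(time.time()) and take expected_aud from configuration rather than from the token.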

Get the certificates from here; the entry whose key matches the kid from the token header is the one that verifies the RS256 signature
https://www.googleapis.com/oauth2/v1/certs

"xxxxxxxxxxxx": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIYC+xxxxxxx\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0xNzEwMDMxMTQzMzRaFw0xNzEwMDYxMjEzMzRaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPAFKRP1GL3H/T/d8tKpKrrbZ8kBuNAZyF\neqahDuhr3kzqZpTlhsiEWIQQWm0ymi/ZxXRyMhomCp62hZZw7np9c4HALOVy93C/\nQuWVfMyB8PavHfUqSj349KIbK0hEwoWUum5leVK1jiT4MvTcpwG+8E8oQYB5shqE\nq4yuqABAeVn/a0ywegtlQB6KMYxNEIcGOBJOjlnhFOBF5L3rPqwsWJPxJxmMnQnG\n0T2Nt5A8ynpbRLDlDWX6ZCEgI5gt70jsqNVe69NxVKfQYV/++UzFckZcqx++0aYq\nye4EBqE5pRHHCYypHHP11X73nmtJVvAw+AUAY5xa7a0fNBm7JvTjAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\xxxxxxx\ngLkeyzTS1yRMNadkPwhHOa+U4uS0hw8taRIsV7NCR2qW2rKzlRJ/d6H+uWR3MbTK\nvVGXw9+Jlnylfrx6pxmMjg++ZsA3GDBQirHiBFho+W2X8QwOszIqlFcJibN7TvHu\n4Dg2jym7Vr1mvnVMh/HRRx+VjlDzTVKpbZStn39E331rFtZjM55kHVCreuToEPGy\n80NyZSO33mIYfXjCysqej7PqlTrU0CmKse22ySPPz9QwwlZ2Q1qldK9uD2U5SzWQ\n0QWqWE5hHCXTPEfyAIDHBtQhYP+DJSzV66D2EX0DoIVvBgyWfXaP/3G2\n-----END CERTIFICATE-----\n",

More information
https://accounts.google.com/.well-known/openid-configuration

To make it simple, I will try to verify that from the server, using this endpoint:
One way to decode the id_token from Google is as follows:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={id_token}

And then store it under a key in Redis as a cache.
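The server-side flow just described (call tokeninfo, then cache the answer in Redis), as an added Python example that is not code from the original post. The HTTP call is isolated behind a fetcher function so the rest can run offline against a constructed tokeninfo response modelled on the one shown earlier; TtlCache is a small stand-in for Redis SETEX/GET, and the cache key is a SHA-256 of the token rather than the token itself, so the raw credential never sits in Redis key space. The cache TTL is derived from the token's exp, so a cached entry can never outlive the token. The client id and sub values are constructed.

```python
import hashlib
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed client id, standing in for the real *.apps.googleusercontent.com value
SAMPLE_AUD = "constructed-client-id.apps.googleusercontent.com"

# Constructed tokeninfo response, shaped like the real one (all values are strings)
SAMPLE_TOKENINFO = {
    "azp": SAMPLE_AUD,
    "aud": SAMPLE_AUD,
    "sub": "000000000000000000000",
    "email": "[email protected]",
    "email_verified": "true",
    "iss": "accounts.google.com",
    "iat": "1507055545",
    "exp": "1507059145",
    "alg": "RS256",
}


class TtlCache:
    """Minimal in-memory stand-in for Redis SETEX/GET with per-key expiry."""

    def __init__(self, clock=time.time):
        self._store = {}
        self._clock = clock  # injectable so tests can freeze time

    def setex(self, key: str, ttl: int, value: str) -> None:
        self._store[key] = (self._clock() + ttl, value)

    def get(self, key: str):
        entry = self._store.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if expires_at <= self._clock():
            del self._store[key]  # lazy expiry, as Redis would have done for us
            return None
        return value


def cache_key(id_token: str) -> str:
    """Key on a digest of the token so the credential itself is never stored as a key."""
    return "idtoken:" + hashlib.sha256(id_token.encode("utf-8")).hexdigest()


def fetch_tokeninfo_http(id_token: str):
    """Real fetcher: ask Google's tokeninfo endpoint; None on any non-2xx answer."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"id_token": id_token})
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except (urllib.error.URLError, ValueError):
        return None


def fake_tokeninfo(id_token: str):
    """Offline fetcher returning the constructed response for any token."""
    return dict(SAMPLE_TOKENINFO)


def verify_id_token(id_token: str, expected_aud: str, fetch_tokeninfo, cache, now=None):
    """Return the trusted claims for id_token, or None if it must be rejected.

    Google's endpoint has already checked the signature, but the server still
    owns the aud, iss and exp checks: tokeninfo will happily describe a valid
    token that was issued to some other application.
    """
    now = int(time.time()) if now is None else now
    key = cache_key(id_token)
    cached = cache.get(key)
    if cached is not None:
        return json.loads(cached)
    info = fetch_tokeninfo(id_token)
    if info is None:
        return None
    if info.get("aud") != expected_aud or info.get("iss") not in GOOGLE_ISSUERS:
        return None
    if info.get("email_verified") != "true":
        return None
    exp = int(info["exp"])
    ttl = exp - now
    if ttl <= 0:
        return None
    claims = {"sub": info["sub"], "email": info.get("email"), "exp": exp}
    cache.setex(key, ttl, json.dumps(claims))  # expires together with the token
    return claims


if __name__ == "__main__":
    frozen = lambda: 1507055545  # matches the constructed iat
    cache = TtlCache(clock=frozen)
    print(verify_id_token("constructed.token.value", SAMPLE_AUD, fake_tokeninfo, cache, now=frozen()))
    print("cached:", cache.get(cache_key("constructed.token.value")) is not None)
```

In production pass fetch_tokeninfo_http and a real Redis client exposing setex/get; the logic does not change. The second request for the same token is served from the cache without another round trip to Google, and a token presented after its exp is refused even if a stale copy were somehow still cached, because the TTL is bounded by exp.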

References:
http://www.svlada.com/jwt-token-authentication-with-spring-boot/
https://github.com/bfwg/springboot-jwt-starter
https://github.com/szerhusenBC/jwt-spring-security-demo
https://dzone.com/articles/validating-jwt-with-spring-boot-and-springsecurity
https://aboullaite.me/spring-boot-token-authentication-using-jwt/

https://github.com/hhimanshu/google-oauth2-jwt-secure-api
https://www.npmjs.com/package/react-google-login

https://stormpath.com/blog/jwt-java-create-verify
https://jwt.io/
https://github.com/jwtk/jjwt
https://stackoverflow.com/questions/37695877/how-can-i-decode-jwt-token-in-android

https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken
https://forum.forgerock.com/topic/openid-connect-jwt-validationverification/
https://stackoverflow.com/questions/24875253/openid-connect-how-to-verify-id-token-in-java
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples#markdown-header-jws-verification-using-a-jwk

https://github.com/google/google-api-java-client
https://stackoverflow.com/questions/38998702/verify-a-signature-in-jwt-io


Reposted from sillycat.iteye.com/blog/2395321