googleapis / google-api-dotnet-client

Google APIs Client Library for .NET
https://developers.google.com/api-client-library/dotnet
Apache License 2.0

JWT Validation after password change on Google #2822

Closed mlipovaca closed 1 week ago

mlipovaca commented 3 weeks ago

Hi there folks,

Is it possible to check if a JWT token which is coming from OAuth is invalidated after the user changes the password on their Google account, so we can detect on our website application if the JWT token from OAuth is valid or not, to invalidate all current active sessions?

jskeet commented 3 weeks ago

I'm not an expert on this by any means, and @amanda-tarafa will no doubt answer when she's back from vacation - but my understanding is that JWT validation is a purely offline process that just checks that the JWT is still in date, that each individual part of it is valid, and that the signature is valid. In other words, it's checking that "something issued it correctly" rather than making any network requests - which means I wouldn't expect it to be able to detect a password change.

amanda-tarafa commented 1 week ago

As @jskeet said, in general JWT validation is local and concerned with the JWT's self-contained information. This is definitely the case for all JWT validation that can be performed using Google.Apis.Auth.JsonWebSignature and Google.Apis.Auth.GoogleJsonWebSignature.

Of course, a JWT emitting system may have complex means of JWT validation that take into account any number of things apart from the JWT's self-contained information. From your question it is not clear how you are obtaining these JWTs, but you may be able to check with the JWT emitter if they offer such capability.

Note that Google.Apis.Auth library only emits JWTs for service accounts, and your question is about user accounts. You can obtain JWTs for user accounts through Google.Apis.Auth, but those are not emitted by the library, we are just passing along values received from Google's OAuth token endpoint (see id_token). If these are the JWTs you are referring to, you can use Google's OAuth support channels listed at the bottom of that page (currently the Stack Overflow google-oauth tag) to find more about JWT validation for your use case.

I'll be closing this issue now as I believe we've answered your question and there's nothing more that we can do client side. Feel free to leave a comment if you believe otherwise.
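The point made in this thread, as an added example that is not part of the issue or of the Google.Apis.Auth library: GoogleJsonWebSignature.ValidateAsync checks only what the ID token carries (signature against Google's published certificates, issuer, audience, expiry) and never asks Google whether the account's password changed. An application that wants "sign out everywhere" semantics therefore has to keep its own record of when sessions for a user stopped being acceptable, and compare the token's iat claim against it. The IdTokenSessionCheck class, its NotBefore store and InvalidateSessionsBefore method are hypothetical names introduced for this example; the clientId value is assumed to be the application's own OAuth client ID.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Google.Apis.Auth;

// Added example (not the library's own code). Demonstrates that Google ID token
// validation is purely local, and layers an application-side revocation rule on top:
// a token whose "iat" predates the cutoff recorded for that user is rejected even
// though it still validates cryptographically and has not expired.
public static class IdTokenSessionCheck
{
    // Hypothetical store: Google "sub" -> earliest acceptable issue time (UTC).
    // A real application would back this with its user database.
    private static readonly ConcurrentDictionary<string, DateTimeOffset> NotBefore =
        new ConcurrentDictionary<string, DateTimeOffset>();

    // Called when the application learns, through its own channels (for example the
    // user asking to sign out of all devices), that earlier sessions are no longer valid.
    public static void InvalidateSessionsBefore(string subject, DateTimeOffset cutoffUtc)
    {
        NotBefore[subject] = cutoffUtc;
    }

    public static async Task<GoogleJsonWebSignature.Payload> ValidateAsync(string idToken, string clientId)
    {
        var settings = new GoogleJsonWebSignature.ValidationSettings
        {
            // Reject tokens minted for a different OAuth client.
            Audience = new[] { clientId }
        };

        // Local validation only: fetches and caches Google's signing certificates, then
        // verifies signature, issuer, audience and expiry. Throws InvalidJwtException on
        // failure. No call here can observe a password change on the Google account.
        GoogleJsonWebSignature.Payload payload =
            await GoogleJsonWebSignature.ValidateAsync(idToken, settings);

        if (payload.IssuedAtTimeSeconds == null)
        {
            throw new InvalidJwtException("id_token has no iat claim");
        }

        // Application-side rule: compare the token's issue time with the recorded cutoff.
        var issuedAt = DateTimeOffset.FromUnixTimeSeconds(payload.IssuedAtTimeSeconds.Value);
        if (NotBefore.TryGetValue(payload.Subject, out var cutoff) && issuedAt < cutoff)
        {
            throw new InvalidJwtException("id_token was issued before the session cutoff for this user");
        }

        return payload;
    }
}
```

The cutoff is something the application must learn on its own (a user-initiated action, or whatever the identity provider's own channels offer, which is what the thread points to); the ID token itself carries no signal that the Google password changed, so without such a record a token issued before the change remains valid until its exp claim.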