I have an Angular11 UI front-end utilizing Google's RS256 authentication by
import { SocialAuthService, GoogleLoginProvider, SocialUser } from 'angularx-social-login';
providers: [{ id: GoogleLoginProvider.PROVIDER_ID, provider: new GoogleLoginProvider('my Google-Client-ID')}]
When Google sends me back the JWT token, I send it to my NodeJS App server to establish a JWT-based communication for the session, so this NodeJS App server must validate this JWT. According to this angular-university.io article section "Leveraging RS256 Signatures",
Instead of installing the public key on the Application server, it's much better to have the Authentication server publish the JWT-validating public key in a publicly accessible Url.
I found this JWK (not JWT) link https://www.googleapis.com/oauth2/v3/certs from Google Identity by Erji. Is this the right public key?
It's not exactly an X.509 certificate, but yes, that is the JWK that is used to validate a given signed JWT.
If we check out the .well-known endpoint found in Google's documentation, it points us to:
jwks_uri "https://www.googleapis.com/oauth2/v3/certs"
for the JWKS, which contains the currently valid keys for validating a signed JWT. The public key can be built from the information contained in the JWK endpoint.
The n is the key itself, the alg is the signing algorithm, and the kid is the key identifier.
RFC 7517 defines the JWK standard and has full details on the fields.