We're verifying a Google ID Token on ColdFusion servers. We have everything working but one thing puzzles me:
In the instructions here Google says to use their public keys to verify the token. When we retrieve the keys, in the JSON object there are 2 of them. Whether we grab the PEM or the JWT there are 2 keys.
How do we know which key to use? Through testing we find that one works and we're able to decode the JWT to validate while the other doesn't. Right now we're having to try both of them to see which one works. Is there something we're missing that indicates which of these keys is the one to use?
The keys are identified by the key ID "kid":
The "kid" (key ID) parameter is used to match a specific key.
In the case of the JWK, you see the kid value in the JSON, and you can see the same kid values in the first column of the PEM example. Your token has a "kid" claim in the header part. Decode the header to extract the kid.
e.g.:
{
  "typ":"JWT",
  "alg":"RS256",
  "kid":"3dd6ca2a81dc2fea8c3642431e7e296d2d75b446"
}
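The selection step described in the answer, as an added example (not code from the question or the answer): decode the token's header, read its kid, and pick the matching entry from the JWKS instead of trying each key. The JWKS below is constructed in the shape of Google's certs endpoint response with placeholder "n" values; only the first kid is the one shown in the answer, the second is made up.

```python
import base64
import json

# Constructed JWKS in the shape of Google's certs response: two keys, as the
# question observes. The "n" values are placeholders, not real key material.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig",
         "kid": "3dd6ca2a81dc2fea8c3642431e7e296d2d75b446",
         "n": "PLACEHOLDER_MODULUS_1", "e": "AQAB"},
        {"kty": "RSA", "alg": "RS256", "use": "sig",
         "kid": "constructed-second-key-id",
         "n": "PLACEHOLDER_MODULUS_2", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs omit '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header (the first dot-separated segment)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))


def select_key(token: str, jwks: dict) -> dict:
    """Pick the JWK whose kid matches the token header; fail closed otherwise."""
    header = jwt_header(token)
    if header.get("alg") != "RS256":          # Google ID tokens are RS256
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not kid:
        raise ValueError("token header carries no kid")
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise LookupError(f"no key with kid {kid!r}; refresh the JWKS, then reject")


def make_test_token(header: dict) -> str:
    """Build a constructed, unsigned token with the given header for testing."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"sub": "constructed"}), "sig"])
```

The selected key is then what you hand to your RS256 verification; Google rotates these keys, so cache the JWKS by its HTTP cache headers and refetch once when a kid is unknown rather than treating the lookup as permanent.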