Validate Google Identity CredentialResponse JWT using Node.js

I'm currently implementing Sign in With Google on a website of mine using the callback approach. So far it works; a user clicks a button, a network call is made, and a JWT is returned.

At this point I would like to parse and validate the JWT. Of course, I don't want the client to just send an email address to the server and have the server create an account. Instead, I want to pass the JWT to the server, validate its Google authenticity, then extract and use the email.

What's the most straightforward way to do this? The Google Developers site links to some libraries, sure, but none of them specifically show how to validate the Google Identity response.

I've gotten this far, using the Jose npm package, but the Google Developers docs don't list where to get the key from:

import * as jose from 'jose';

// MAGICAL_PUBLIC_KEY is a placeholder for the key Google signs the token with.
const parsed = await jose.jwtVerify(req.body.jwt.credential, MAGICAL_PUBLIC_KEY, {
  issuer: 'https://accounts.google.com',
  audience: GOOGLE_CLIENT_ID, // provided by developer console
});

// jwtVerify resolves to { payload, protectedHeader }; the claims are on payload.
void parsed.payload.email;

This all seems like stuff that should be handled by the google-auth-library library, but it only has examples for performing the OAuth dance server side.



Solution 1:[1]

Upon further research I did find a page documenting how the google-auth-library can be used for this: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Thomas Hunter II