<div dir="ltr">We also have <a href="https://firebase.google.com/docs/auth/server/verify-id-tokens#verify_id_tokens_using_the_firebase_sdk">JWT validation</a> built into our <a href="https://firebase.google.com/docs/server/setup">Firebase server SDKs</a> for Java and JS. It's our intention to pull the JWT validation part out and open source it. We'd especially love to have Go and Python versions of this too.<div><br></div><div>I think OAuth libraries would be very valuable too but that is a much bigger scope. I think if we can begin with OIDC ID token validation and minting, that would be a huge leap forward. </div><div><br></div><div>For developer simplicity, I think it would also be really useful to have a standardized config file format that lists issuers, their clientIDs and private keys (for token minting). Something like:</div><div><br></div><div>{"Trusted IDPs" : [</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div>{ "issuer": "<a href="https://accounts.google.com">https://accounts.google.com</a>", </div><div>"clientID":"<a href="http://407408718192.apps.googleusercontent.com">407408718192.apps.googleusercontent.com</a>",</div><div>"private_key_id": "dd61bc1c4650952852514fbb3c4da84287383911",<br></div><div> "private_key": "-----BEGIN PRIVATE 
KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkfgHXC3pEgu55\nt9REvoT+cZhla+jetdwaLnEq7o89pb5Qn1EuEs+gIUkSYkBCWgS7lfbrivuzjm0C\nvTUOJauBLMQQvpyC50bMSkPs/zCrZ7e/axFWrYSZNO3ts+3HjBz3iLS+IUrGVwV2\nTABkh/y6fgoiKU9e/P7Ao8foIQz6en3VsYE/BU1vj2VXnUKwykkk9LAHh+6HOtxM\naUP8z829PHcrnDmpQwhPOQeObQIBOc5op8Z1E6NptWFI5R22yky7jg4KzwyyC41I\n8QnBMlJ/IuZMfdTsWFSSQ7geG/q2lCHLp+uUOLIgxUu+sSihictWpm8aeQv3cuF/\nGxKfQEBrAgMBAAECggEAPmMBUZv6qFYvkuBUfuieG3McrySFkrmI/UUM9THpvmVQ\nz2aQncnZEtnDv9c/wF4fyLArmSh7jQ0oSoUqxVAXwc9dQU0qIrvPItxsK3uJ6GML\nUqKDO21pNQO0qyBjngZtqlCTOQ6SAhGkliYuPUS8Bpd/YNBysXbWf/a4EHNlvcXL\n9GwjnxRXYrtjuMnTLw5orYv78Ne92Oe9NndIN9GPUkIy7S/PBGLM0nz3nb5ZZYm5\nT5RoLQrVF4m4VAV4+NJYsVrte2pGB7m0HIpVxCR7nGOTX0fOUydNAkQ97a6qHOtq\nUyhJ+l8b/XhdEzb9on1rCDqXbbPEnWN2/5DvXdaPIQKBgQD+VhuuSQtINj0MtU3g\nXYaNtAAn54p4Q80aCBB6RNrtWvCNlU8mQj8SB/7dU/PyzczcnXwDwuk7mmrKXjZj\nb9eQ44xTCl0u2EwfoUcpkCWo26prdm+97fPoQhYm4IBtbtPw/rzcKvT3psKTyCnK\n2opyw4wGiDApNd012e4elQUKowKBgQDl/J9Z/xrN3wIUlwO0B/1gc+SUo2ErkSz8\nUeA2i+VSx/cWNBdH0YtIsZWjmCbz2Ti2t8aAuO63jHfxZQF2SeBfBxSaYMm+sOvA\niwtTuUz88mzlHvj6pzbIe070s0i/uxik3/6HhNT2aZTsRgO8EH0xS0pBFNQVTHiC\nJEZ2clrXmQKBgBmQGAolZ0/ju7EaS/CAFfUKIXXhTMaXsfaq1tUjNInkuQbR+fmT\ncPlj+lbOiFdgHfYSkhNitMR72b3rSDYoWJdEd6clBIaf0M7hC+D+jvpw0akpZ0PE\ntd4jPky8Bcx59i1jvSG345U8mpP161VrL70nMFy7tXN+6XPvKoLCYZZXAoGAQRuA\nHSEr/GYKl7ucr8WnRDvq1O1fn87Mdm3TVH3MIOA9IcsDYDCBBsZHP3XeaR/wf0GN\nb3lrEwkwF2VpwYvuedhuS7nkwxgg1XRHc588nUsf6skW4RafWqgV1Q5AJQ8ZTeuf\nicvf4hZHs4+qlP3yAxd2YPA9jf4FC4qra/K5ptkCgYEA9WWO1D/9Zpcj4jnc9faN\n4+EniRdPc44tHPKx8VTIZ+GkeJ2Gbu/EqQFeYtEQojx24YyES6Bhz2hfWJ1lCHbj\nts7Alt3D5RkDgsRKVZ0kGXi7BkHCRKpDTmH05MSSy5ArVuy9jKrAYQuhlSxF6+x8\nVa175koIHbqLKBwU8guyFAM=\n-----END PRIVATE KEY-----\n"}<br></div></blockquote>]}</div><div><br></div><div>That way, when the RP registers for a clientID with the IDP, the IDP can autogenerate this snippet which can get easily appended to their whitelist config file and save developers from having to understand issuer and audience 
checks.</div><div><br></div><div>Other than Roland and Brian, who else would be interested in working on such an open source project?</div><div><br></div><div>thanks,</div><div>AD</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 11, 2016 at 9:34 AM, Brian Campbell <span dir="ltr"><<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><span class="">On Wed, Aug 10, 2016 at 1:42 AM, Adam Dawes via Openid-specs-ab <span dir="ltr"><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div>But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.</div></div><br></blockquote><div><br></div></span><div>I've got a self-proclaimed excellent <a href="https://bitbucket.org/b_c/jose4j/wiki/Home" target="_blank">open source JWT validation library for Java</a> that is able and willing to help the cause. <br></div><div> </div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="line-height:1.5em;padding-top:10px;margin-top:10px;color:rgb(85,85,85);font-family:sans-serif;font-size:small"><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(213,15,37);padding-top:2px;margin-top:2px">Adam Dawes |</span><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(51,105,232);padding-top:2px;margin-top:2px"> Sr. Product Manager |</span><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(0,153,57);padding-top:2px;margin-top:2px"> <a href="mailto:adawes@google.com" target="_blank">adawes@google.com</a> |</span><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(238,178,17);padding-top:2px;margin-top:2px"> +1 650-214-2410</span></div><br></div></div>
</div>
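<div>Added example, not code from this thread, from the Firebase SDKs or from jose4j: a standard-library Go sketch of the ID token minting and validation the message asks for, driven by a trusted-issuer table modelled on the "Trusted IDPs" snippet above. The names (TrustedIDP, Audience, Claims, Mint, Validate, decodeSegment) and the sample issuer and client_id used in the test are assumptions; the issuer's RS256 public key is taken as already obtained (for example from its JWKS endpoint), and the map passed to Validate plays the role of the config file, keyed by issuer.</div>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TrustedIDP is one "Trusted IDPs" entry (keyed by issuer in the map passed to Validate): the client_id
// that issuer registered for us, i.e. the expected aud, plus its RS256 public key (assumed fetched from JWKS).
type TrustedIDP struct {
	ClientID string
	Key      *rsa.PublicKey
}

type Audience []string // OIDC allows "aud" as one string or an array; UnmarshalJSON accepts both

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err != nil {
		return json.Unmarshal(b, (*[]string)(a)) // not a single string, so it must be an array
	}
	*a = Audience{one}
	return nil
}

type Claims struct {
	Iss string   `json:"iss"`
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
}

func decodeSegment(seg string, v interface{}) error { // base64url-decode one JWS segment, then JSON-parse it
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Mint signs claims as a compact RS256 JWS (header.payload.signature); this is the IDP side.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // Claims holds only strings and an int64, so Marshal cannot fail
	signingInput := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), err // discard the string if err != nil
}

// Validate runs the checks the message says developers skip most often: alg pinned, issuer on the trusted
// list, signature under that issuer's key, our client_id present in aud, and exp still ahead of now.
func Validate(token string, trusted map[string]TrustedIDP, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: %d segments, want 3", len(parts))
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" { // never let the token choose the algorithm ("none", HS256 key confusion)
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	idp, ok := trusted[c.Iss] // iss selects the verification key; an unknown issuer stops here
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(idp.Key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under the key for %q", c.Iss)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == idp.ClientID
	}
	if !audOK {
		return nil, fmt.Errorf("aud %v does not contain our client_id %q", c.Aud, idp.ClientID)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	return &c, nil
}
```

<div>The order of checks is deliberate: the issuer is looked up before any signature work, so a token from an issuer not on the list is rejected without touching the crypto, and the audience check is done against the client_id that issuer registered for us rather than against a global value, which is exactly the mistake the message describes. A production validator would additionally pick the key by the header's kid from the issuer's JWKS, apply a little clock skew to exp (and nbf/iat), and check the nonce in the implicit flow. The private_key in the message's snippet is the minting side's secret and plays no part in validation; it belongs in a separate, access-controlled store rather than alongside a trusted-issuer list that is handed to every relying party.</div>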