The Big Picture: Google Authentication Using OAuth2 and ASP.NET C#

For anyone who stayed with me through my first article series, I wanted to follow up today with a one-stop reference for everything we discussed.

The three articles in this series are available here:

  • Part One: Getting Started – An overview of Google’s OAuth2 implementation and the logical process that your application should follow.
  • Part Two: Logging In – A detailed description of requesting authorization from the user and getting the user’s data once that authorization is granted.
  • Part Three: Validating Integrity – Using C#’s RSA PKCS #1 support to validate Google’s digital signature in order to ensure the data hasn’t been corrupted.

I’ve made a downloadable Visual Studio solution that contains all the code you need to implement Google OAuth2 in your own ASP.NET C# applications. I designed this as a demo application to get you started right away. If you have any questions about it or problems with it, please leave a comment!

You can download the solution here: GoogleLogin

Please do not distribute this – instead, link to this article. If any bugs or problems come up with this solution, I’ll make sure that this download is kept updated.

Additionally, below is a list of the different nonstandard C# classes that are needed for this solution to work, along with a link to the relevant MSDN article. I’ve also included links to the documentation for the JWT spec and Google’s OAuth2 information.


C# Classes

Members of System.IO

  • File: Facilitates working with files (creating, deleting, etc.). This is used to write Google’s public certificates to your server’s local disk.
  • StreamReader: An implementation of TextReader for reading text from a byte stream. This is used to read Google’s JSON-formatted response.
  • StreamWriter: An implementation of TextWriter for writing text to a byte stream. This is used to send the contents of the POST request to Google.

Members of System.Net

  • HttpWebRequest: An implementation of WebRequest that uses HTTP. This is used to send a POST request to Google to obtain authorization to use the user’s credentials.
  • HttpWebResponse: An implementation of WebResponse that uses HTTP. This is used to download Google’s response once the user authorizes the application.
  • WebRequest: Used to send data streams through the Internet. This is used to request Google’s public certificates for caching locally.
  • WebResponse: Used to receive data streams through the Internet. This is used to download Google’s public certificates.

Members of System.Security.Cryptography

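  • RSACryptoServiceProvider: Utilizes the RSA algorithm for asymmetric encryption and decryption. This is used to decrypt the JWT signature using Google’s public key; strictly speaking, this public-key operation on a signature is verification rather than decryption.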
  • RSAPKCS1SignatureDeformatter: Verifies an RSA PKCS #1 signature. This is used to verify that the JWT signature matches the signed data.
  • SHA256: Generates the SHA256 hash for a given input. This is used to generate the hash of the JWT segments signed by Google.

Members of System.Security.Cryptography.X509Certificates

  • X509Certificate: Provides a simple set of methods for working with X509 Certificates. This is used to convert the locally-cached Google public certificate into an X509 Certificate object for programmatic use.
  • X509Certificate2: An extension of X509Certificate that provides more methods for working with certificates. This is used to extract the public key from the locally-cached Google certificate.

Members of System.Text

  • Decoder: Decodes a byte array into a string. This is used with UTF8Encoding (described below).
  • UTF8Encoding: Represents UTF-8 encoding of text. This is used with Decoder to convert a byte array into a string in our Base64Decode function.

Members of System.Web.Script.Serialization

  • JavaScriptSerializer: Provides serialization and deserialization functionality for AJAX-enabled applications. This is used to deserialize Google’s JSON-formatted responses into key-value pairs.
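
The signature check that the System.Security.Cryptography classes above are used for, as an added example that is not code from the downloadable solution. The key pair, the claims and the names JwtSignatureDemo, Verify, ToB64Url, FromB64Url and HashSigningInput are constructed for illustration; in the real flow the public key comes from Google’s locally cached certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class JwtSignatureDemo
{
    // JWT segments are base64url-encoded without padding.
    static string ToB64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s + new string('=', (4 - s.Length % 4) % 4));
    }
    // The signature covers the ASCII bytes of "header.payload" exactly as received.
    static byte[] HashSigningInput(string header, string payload)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.ASCII.GetBytes(header + "." + payload));
    }
    // RS256 is fixed here; the "alg" value inside the token is never consulted.
    public static bool Verify(string jwt, RSA publicKey)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        byte[] signature;
        try { signature = FromB64Url(parts[2]); } catch (FormatException) { return false; }
        var verifier = new RSAPKCS1SignatureDeformatter(publicKey);
        verifier.SetHashAlgorithm("SHA256");
        return verifier.VerifySignature(HashSigningInput(parts[0], parts[1]), signature);
    }
    static void Main()
    {
        // Constructed key pair and claims standing in for Google's certificate and token.
        using (var signerKey = new RSACryptoServiceProvider(2048))
        using (var publicOnly = new RSACryptoServiceProvider())
        {
            publicOnly.ImportParameters(signerKey.ExportParameters(false));
            string header = ToB64Url(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
            string payload = ToB64Url(Encoding.UTF8.GetBytes("{\"email\":\"user@example.com\"}"));
            var signer = new RSAPKCS1SignatureFormatter(signerKey);
            signer.SetHashAlgorithm("SHA256");
            string sig = ToB64Url(signer.CreateSignature(HashSigningInput(header, payload)));
            string swapped = ToB64Url(Encoding.UTF8.GetBytes("{\"email\":\"admin@example.com\"}"));
            Console.WriteLine(Verify(header + "." + payload + "." + sig, publicOnly));
            Console.WriteLine(Verify(header + "." + swapped + "." + sig, publicOnly));
        }
    }
}
```

The first call checks the token as issued; the second reuses the same signature with a different payload, which is the kind of modification the signature check exists to reject.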

2 thoughts on “The Big Picture: Google Authentication Using OAuth2 and ASP.NET C#”

  1. GertJan

    Hey Claire,

    This series about OAuth helped me a lot to make my own implementation of Google-OAuth. It is also the only one on the web with detailed information, or the only one I could find (and I searched very well).

    So a very big THANK YOU is the least I can say.
    Strange that others never replied to these articles.

    Thanks again and greetings from the Netherlands…!


  2. Claire Post author

    Hey GJ,

    Thanks for your comment! It makes me really happy to know that my work was useful for someone else. 🙂


