How can I decode a google OAuth 2.0 JWT (OpenID Connect) in a node app?

From the specification point of view, what you are encountering is [OpenID Connect].

id_token is a [JWS] signed [JWT]. In this case, it is a "." separated string with three components. The first portion is the header. The second is the payload. The third is the signature. Each of them are Base64url encoded string.

When you decode the header, you will get something like:

{"alg":"RS256","kid":"43ebb53b0397e7aaf3087d6844e37d55c5fb1b67"}

The "alg" indicates that the signature algorithm is RS256, which is defined in [JWA]. The "kid" indicates the key id of the public key that corresponds to the key used to sign.

Now I am ready to answer some of your questions:

2: How will I know when I need to pull in a fresh version of it?

When the kid of the cached cert file (a [JWK] file) does not match the kid in the header, fetch a new cert file. (BTW, the URL from which you pull the certs are called x5u.)

3: It seems like passing in true for noVerify (3rd arg in jwt.decode) is a terrible idea. How can I get that to work without passing that in?

Indeed. Perhaps you might want to look at another library such as kjur.github.io/jsjws/ .

References

• [OpenID Connect] openid.bitbucket.org/openid-connect-core-1_0.html
• [JWS] tools.ietf.org/html/draft-ietf-jose-json-web-signature
• [JWT] tools.ietf.org/html/draft-ietf-oauth-json-web-token‎
• [JWK] tools.ietf.org/html/draft-ietf-oauth-json-web-keys
• [JWA] tools.ietf.org/html/draft-ietf-jose-json-web-algorithms