
I have a typical web application and I'd like to let users register using their Google account. My front-end application is written in Ionic/Angular so I use a plugin (https://github.com/CodetrixStudio/CapacitorGoogleAuth). I believe that it uses "oauth2 implicit flow" (correct me if I'm wrong).

I've configured the application on the Google developer console (web application) and I'm able to use my account to get an access token and account info.

My problem is that I'm not sure if I'm doing it right. Because:

  1. There is something called "client secret" on the Google console but I have no clue how to use it or if it applies to this flow (I think not, but I'm not sure)
  2. What I plan to do next is to send the access token to my back-end, then verify the token. I hoped that the process of token verification could be "offline". But it turns out that I need to send a request to Google. So my question is: Isn't there a way to sign the token using the "client secret" so that I could verify the token on the back-end without bothering Google?
  3. I don't want to reinvent the wheel but cannot find any example of user registration. Should I just verify the token, grasp the email address and add it to my DB? (Do I need something else from the OAuth response?)
user2146414
  • 1) If you are not already using the Client Secret, your code is not using a secure authentication method. 2) No, you cannot sign your own tokens. You must authenticate with Google and request the desired tokens (Access, Identity, Refresh). – John Hanley May 10 '20 at 02:01
  • 3) Yes, you can verify Identity tokens off-line provided that you have already downloaded Google certificates, which change periodically. 4) There are hundreds if not thousands of articles on this topic on the Internet. Start with reading the OAuth spec so that you understand how this process works, then play with an example in your language, then deploy a test instance. – John Hanley May 10 '20 at 02:05
  • @John Hanley Yes, there are many articles. I've been reading and keep reading:) 1) I assume it should be kept secret (on the server side), right? Could you give me some example usage link? 2) I didn't mean signing myself, but Google could use my client secret to sign it; but as I understand it works the way you pointed out in point 3. Thanks for your comments – user2146414 May 10 '20 at 07:48
  • @John Hanley Are you absolutely sure that I need to use the client secret? I think that in my scenario (where I only need to make sure that Google confirms the existence of the given email address) I don't need it – user2146414 May 10 '20 at 08:40
  • I read your answer, a good start. The key is to understand how you are using OAuth. There are many OAuth grant types. Google only supports two. If all you need is the Identity Token, your answer is OK. However, the `implicit grant flow` is not a "trusted" method. Now that you have started with implicit, learn how the `authorization code grant` works. Since you have a backend (webserver) you should be using this flow. The method you are using will present problems for you in the future with token expiration, the user will need to login over and over, etc. – John Hanley May 10 '20 at 17:45
  • @JohnHanley Thanks. I'll read. And regarding the need to log in over again: Isn't it the way most websites with OAuth2 registration work? I.e. when you come back you can click "login with google", you choose your account and after verification of your token on the back-end you get a session ID that keeps you logged in. – user2146414 May 10 '20 at 18:13
  • OAuth is both very easy to use and complicated at the same time. There are lots of little nuances to learn. The types of OAuth Tokens (Access, Identity, Refresh). What type of access (`offline`, etc.). How to correctly store tokens (webserver database, cookies, etc). Maybe you noticed that some websites do not require you to login again after the first time. You can reboot your computer and then go back to the site and you are still logged in. These are the details that you have not uncovered yet. Think user experience, security and how you want your website to behave. – John Hanley May 10 '20 at 18:24

1 Answer


I think I'm ready to answer my own question now (hope it'll be helpful to someone).

First of all I'd like to recommend this video: https://www.youtube.com/watch?v=996OiexHze0

The first thing is that there are two main OAuth2 flows:

  1. code
  2. implicit

The second thing is to distinguish between authentication and authorization. Authentication is telling "who you are". Authorization is about "what you can do". Most of the time when you read about OAuth2 it is focused on authorization (like getting access to some resources if you have a token).

But in my case it is a problem of authentication and OAuth2 OpenID is what I need (again, more details in the video). And I use the implicit flow (that returns the token directly to the caller) because I need to display the user's email in the registration form (and let him fill in the rest). So in my scenario there is no need to use the "client secret" (that is used to get a token from the code; it applies to the code flow).

So my communication schema would look like this:

  1. User opens registration page
  2. Clicks "Register with Google" button
  3. He is redirected to Google's OAuth2 page where he can accept the request
  4. The result is returned to my front-end application. The result contains an id_token (a JWT signed by Google)
  5. My Angular application can fill in some registration fields (for example the e-mail address) using the result
  6. The user (from the Angular app) sends a registration request to the back-end. The request contains the id_token; it can be verified (online or offline; see https://www.oauth.com/oauth2-servers/signing-in-with-google/verifying-the-user-info/ - at the end of the article offline verification is touched on and there is a link to Google's docs) in order to make sure the e-mail address is an existing one
  7. After successful token validation it is up to the web application what to do next. For example it could save user's e-mail address.

In the case of a mobile app it uses some internal Android library, but the general schema applies.

Regarding flows, I refer you to the video.

user2146414
  • Also read this: https://stackoverflow.com/questions/1087031/whats-the-difference-between-openid-and-oauth?rq=1 and follow links:) – user2146414 May 10 '20 at 17:43