I am implementing JavaScript-based Google or Facebook OAuth for a client login system, where I hope to use the Access Token and Email Id combination returned from Google/Facebook after successful authentication of the user to create a session on the server. I have a .NET based server application. I am hoping to send this Access Token and Email Id combination using some AJAX method like $.ajax and create a session for this email id on the server end.
Now I have a limitation: my server is behind a firewall and it cannot contact Google/Facebook to validate the access token.
One of my colleagues pointed out to me that, as there is no communication between my server and Google/Facebook, any malicious user can send me user A's email id with any random access token, and I have no way to check the validity of this token, i.e. whether it actually belongs to user A.
My server is using SSL communication. So, how can I make this scenario secure?
I don’t think you should use a token you can’t validate. I don’t think your app can be run if you can’t contact IDPs to validate tokens. It’s a bit surprising; most firewalls let you call out, they don’t let others call in.
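To make the answer's point concrete, here is what the server-side check looks like once the server *can* reach the identity provider. This is an added example and not the poster's .NET code: it is written in Python with the HTTP fetch injected as a function, so the decision logic runs offline against constructed token records. The endpoint URL and the response fields it reads (aud, email, email_verified, expires_in) are the ones Google documents for its tokeninfo endpoint; OUR_CLIENT_ID is a placeholder. The essential points are that the e-mail the client claims is never trusted on its own, that the token must have been issued to this application (the aud check), and that any failure to confirm the token fails closed.

```python
"""Server-side verification of a (claimed email, access token) pair against the
identity provider.  Added example, not the poster's .NET code; the HTTP fetch is
injected so the decision logic can be exercised offline."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Google's tokeninfo endpoint for access tokens.
GOOGLE_TOKENINFO = "https://oauth2.googleapis.com/tokeninfo?access_token="

# Placeholder for this application's own OAuth client id (assumption).
OUR_CLIENT_ID = "example-client-id.apps.googleusercontent.com"


@dataclass
class Verdict:
    ok: bool
    reason: str
    email: Optional[str] = None


def verify_google_login(claimed_email: str, access_token: str,
                        fetch: Callable[[str], Optional[str]]) -> Verdict:
    """Return ok=True only if the IdP confirms the token is live, was issued to
    this application, and belongs to the e-mail the client claims."""
    body = fetch(GOOGLE_TOKENINFO + access_token)
    if body is None:
        # Invalid, expired or unknown token (or no answer at all): fail closed.
        return Verdict(False, "idp rejected token")
    try:
        info = json.loads(body)
    except ValueError:
        return Verdict(False, "unparseable idp response")
    if info.get("aud") != OUR_CLIENT_ID:
        # A perfectly valid token issued to some other application must not
        # log anyone in here.
        return Verdict(False, "token not issued to this application")
    if int(info.get("expires_in", 0)) <= 0:
        return Verdict(False, "token expired")
    if str(info.get("email_verified", "")).lower() != "true":
        return Verdict(False, "email not verified by idp")
    if str(info.get("email", "")).lower() != claimed_email.lower():
        # The mismatch the question describes: a real token paired with
        # somebody else's e-mail address.
        return Verdict(False, "email does not match token owner")
    return Verdict(True, "verified", info["email"])


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetch for production use; any HTTP or network error yields None,
    which verify_google_login treats as 'not verified'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None


# Constructed token records standing in for the IdP's answers (test data only).
CONSTRUCTED_TOKENS: Dict[str, dict] = {
    "tok-alice": {"aud": OUR_CLIENT_ID, "email": "alice@example.com",
                  "email_verified": "true", "expires_in": "3000"},
    "tok-other-app": {"aud": "someone-else.apps.googleusercontent.com",
                      "email": "alice@example.com", "email_verified": "true",
                      "expires_in": "3000"},
    "tok-stale": {"aud": OUR_CLIENT_ID, "email": "alice@example.com",
                  "email_verified": "true", "expires_in": "0"},
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for http_fetch backed by CONSTRUCTED_TOKENS."""
    token = url.rsplit("=", 1)[1]
    rec = CONSTRUCTED_TOKENS.get(token)
    return None if rec is None else json.dumps(rec)


if __name__ == "__main__":
    for email, tok in [("alice@example.com", "tok-alice"),
                       ("bob@example.com", "tok-alice"),
                       ("alice@example.com", "not-a-real-token"),
                       ("alice@example.com", "tok-other-app")]:
        print(email, tok, verify_google_login(email, tok, fake_fetch))
```

In the .NET server the same four checks would sit in the handler that receives the $.ajax call, before any session is created; with `fetch` replaced by `http_fetch` the function performs the real lookup. Facebook's Graph API offers an equivalent debug_token lookup, and the same shape of check (token confirmed by the IdP, issued to this app, bound to the claimed identity) applies.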