Tags: php, laravel, permissions, oauth-2.0, google-oauth

Is it a good idea to use Google OAuth 2.0 for login and permission administration?


I'm currently working on a project where the developer before me implemented the login for an internal tool via Google OAuth 2.0.

He does that by just grabbing the user's domain after authenticating with Google and checking whether it is "ourCompany.com".

If yes, he renders the page; if not, he redirects the user to the login. (So basically he does one OAuth request per page view.)

I'm pretty new to OAuth 2.0, but as far as I understand it, this is not how it should be used?

He wants to use OAuth because his idea is to organize all our employees via Google groups/organizations and thus have a central place to give and take permissions. (Which I have to implement now.)

He said I should "just also get the groups on each request" and that's it. (Which I tried, btw., as a "quick win", but I couldn't manage to get them from Google yet; I'm not sure if it is even intended.)

My understanding of how this should work is the following:

  1. The user is redirected to the Google OAuth 2.0 service with a scope that allows reading his groups/organizations.
  2. We get back an access token, which I would then use to ask the Google API for the user's groups/organizations.
  3. Based on this information I would then set the user's rights in our application itself. (For example, if the user is in a Google group "author", I would give him the author role in our application.)
  4. The user then gets logged in via a "normal" PHP session, which takes over for the rest of the application, instead of always asking the OAuth service.

Does this approach make sense, or is my colleague right with his implementation? The only benefit I see in his solution is that we get "real-time" information on whether the user is still in a group or not.

But from what I've read about OAuth 2.0 so far, his implementation does not feel right to me; on the other hand, I don't feel confident enough on this topic to say it's wrong.

So any explanations/opinions would be very welcome.

Additional information about the project:


Solution

  • If the intended user groups in your application are the same as the Google groups configured for your domain, then I think it's OK to use the Google domain groups. If not, you could use new groups (possibly with some prefix like myApp-group1), but you could end up with many groups if multiple applications do it.

    There is also the question of who can modify the Google domain groups. Is it the same person/role who would have the right to modify permissions in your application?

    I would consider creating a separate access management for the application if:

    • There is a chance of people outside of your company using the application.
    • You needed to modify existing Google groups (if there are some) just to make them fit your application.

    It looks like you can read a user's groups via the Google Directory API with an access token containing the scope https://www.googleapis.com/auth/admin.directory.group.member.readonly. But I have no experience with it.

    I think it's common to use LDAP (or MS Active Directory) as an access management for in-company applications, so the idea of using Google groups is not strange.

    The auth sequence you described looks correct.
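As an added illustration of the four-step sequence from the question (redirect with scope, fetch groups with the access token, map groups to application roles, then hand over to a normal session) and of the Directory API call the answer points to, here is an example Laravel controller. It is not code from the original question, answer or project. It assumes Laravel Socialite's Google driver, a Workspace domain of `ourcompany.com`, a hypothetical group-to-role map, and the `admin.directory.group.readonly` scope (the one the Directory API lists for `groups.list`; the `...group.member.readonly` scope mentioned in the answer covers listing the members of a group). One caveat to verify before relying on it: Directory API reads are normally made by a Workspace admin or by a service account with domain-wide delegation, so an ordinary employee's access token may be answered with 403, which is the first thing to check if the "get the groups on each request" quick win returned nothing.

```php
<?php
// Added example (not from the original question, answer or project).
// Assumes: Laravel with Socialite's Google driver configured under config/services.php.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Laravel\Socialite\Facades\Socialite;

class GoogleLoginController extends Controller
{
    // Assumed values: the company's Workspace domain and a hypothetical
    // mapping from Google group addresses to roles inside this application.
    private const ALLOWED_DOMAIN = 'ourcompany.com';
    private const GROUP_TO_ROLE = [
        'authors@ourcompany.com' => 'author',
        'editors@ourcompany.com' => 'editor',
    ];

    // Step 1: send the user to Google, asking for the extra Directory scope
    // on top of the default openid/profile/email scopes Socialite requests.
    public function redirect()
    {
        return Socialite::driver('google')
            ->scopes(['https://www.googleapis.com/auth/admin.directory.group.readonly'])
            ->redirect();
    }

    // Steps 2-4: exchange the code for a token, read groups, map to roles,
    // then start a normal PHP session that carries the result from here on.
    public function callback(Request $request)
    {
        $googleUser = Socialite::driver('google')->user();
        $raw = $googleUser->user; // raw userinfo payload; Workspace accounts carry 'hd'

        // Check the hosted-domain claim and that the address is verified,
        // rather than only comparing the text after '@' in the e-mail.
        if (($raw['hd'] ?? null) !== self::ALLOWED_DOMAIN || empty($raw['email_verified'])) {
            abort(403, 'Only ' . self::ALLOWED_DOMAIN . ' accounts may sign in.');
        }

        $roles = $this->rolesFromGoogleGroups($googleUser->token, $googleUser->getEmail());

        $request->session()->regenerate(); // new session id on login (session fixation)
        $request->session()->put([
            'user_email'         => $googleUser->getEmail(),
            'roles'              => $roles,
            'roles_refreshed_at' => time(), // lets middleware decide when to re-check groups
        ]);

        return redirect('/');
    }

    // Step 2+3: Directory API groups.list filtered by member; one page only.
    // A real deployment should follow 'nextPageToken' for users in many groups.
    private function rolesFromGoogleGroups(string $accessToken, string $email): array
    {
        $response = Http::withToken($accessToken)
            ->get('https://admin.googleapis.com/admin/directory/v1/groups', [
                'userKey'    => $email,
                'maxResults' => 200,
            ]);

        if ($response->failed()) {
            // Typically 403: scope missing, or the caller is not allowed to read the
            // directory. Fail closed instead of falling back to a default role.
            abort(403, 'Could not read group membership (' . $response->status() . ').');
        }

        $roles = [];
        foreach ($response->json('groups', []) as $group) {
            $role = self::GROUP_TO_ROLE[strtolower($group['email'] ?? '')] ?? null;
            if ($role !== null) {
                $roles[] = $role;
            }
        }

        return array_values(array_unique($roles));
    }
}
```

The `roles_refreshed_at` timestamp is the compromise between the two positions in the question: a middleware can repeat the group lookup once the value is older than some limit (say 15 minutes) instead of on every page view, which gives near-real-time revocation without a redirect per request. Note that the access token Google returns is short-lived, so a later refresh needs either a refresh token (request `access_type=offline`) or a service account of its own; the per-request approach in the original implementation sidesteps that only by paying for a full OAuth round trip each time.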