How to build your OAuth flow when using Google id token?
My client(front-end) is a native mobile app (built with Flutter). For the backend, I'm using Spring to expose resources via Rest API endpoints. I want to implement Google Sign-In for my application. Also, I want to use OAuth flow for my own end points.
I found overall flow recommended for this situation Authenticate with a backend server. So as I understood the process is like this:
I use google sing in my native app and it receives token when user signs in, then the app send it to my authorization server(AS). Then AS just directly sends access (+ refresh) token to the app(i.e client). We can say that it is a password grant type, but instead of using user and password to identify user, AS uses token which we received from google. And when the app calls my Resource server(RS) it uses access token issued by my AS. am I right? PS I draw some diagram showing this flow:
![[https://drive.google.com/file/d/1mvB6InwLAJeVe8DRqPFodyPRAz6lzUhK/view][2].](https://i.sstatic.net/HXPQs.png)
In summary, the question is how to build your Oauth flow when you receive google token id? is using password grant type recommended for this situation? Does it make sense using authorization code flow, considering that my client has already received id token?
The preferred option if your Authorization Server (AS) supports it, is to do this, which should require zero code changes to your app:
Your app only connects to your own AS and only uses tokens from your AS - it is standard for your app to use Authorization Code Flow (PKCE)
The AS redirects to Google and also handles the response, swapping Google tokens for AS tokens, which are then returned to the app
This won't work if you use the Password Grant however, since this flow does not support federation. If it helps, my visual blog post has more info on this design pattern.
GOALS AND TRADE OFFS
- The User Experience should be the same whether or not you use federation
- Future Extensibility is worth thinking about - the pattern I describe generally gives you the best options if you want to integrate 3 other login options in future
- Technical Simplicity for your UIs and APIs is also worth thinking about - how much code complexity are you adding?
Unfortunately, the technology is often imperfect. I hope at least my comments help you to understand the goals behind the OIDC standards.
YOUR CODE AND THE LIBRARIES YOU USE
I would be a bit careful in this area. The link you referred to is very Google specific and focused on calling Google APIs to get Google data. If this is your goal then that is fine, but it may limit you if you also want to do non Google stuff.
The code samples on my blog are focused on being OIDC standards based, which starts with using standard messages. This gives me the best future options, via AppAuth libraries. It is not easy though - the tech is definitely much harder than it should be.
- What If Session Expires While User Is Still On The Website
- Remix run: Authentication succeeds on validation failures
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- What is the purpose of the 'state' parameter in OAuth authorization request
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token
- Error creating bean with name 'corsConfigurationSource'
- MailKit OAuth2 SMTP Office365 Send Mail