
OIDC / OAuth - Retrieve SID Cookie


I am studying OIDC, and I have a question of understanding...


Context:

I would like to register on StackOverflow with Google (which uses the OIDC protocol).
So the EndUser is not yet registered.

  1. EndUser clicks on "login with Google"
  2. StackOverflow redirects to https://accounts.google.com/o/oauth2/auth (accounts.google.com)
  3. EndUser gives consent and logs in with credentials
  4. Google checks the credentials and registers the EndUser by storing the SID cookie through the response header set-cookie: SID=...;Domain=.google.com;Path=/;Expires=...;Priority=HIGH
  5. Google redirects to StackOverflow
  6. ~~ StackOverflow has access to the SID cookie stored on the domain google.com ~~
  7. StackOverflow knows that the user is authenticated

Question

~~ Why does StackOverflow have access to the SID cookie on the domain google.com at the redirection? ~~

EDIT

Sorry, StackOverflow doesn't have access to the SID cookie! My question now is: how does StackOverflow know that the user is authenticated? Because the session cookie is set by Google...


Solution


  • TL;DR -- Google gives you a code that you give to StackOverflow and StackOverflow verifies the code with Google.


    The OAuth2.0/OIDC specs define several ways that Google and StackOverflow can securely communicate regarding a user's authentication and authorization. When I was learning it, the main obstacle I had to overcome was my expectation that it would be simpler than it is.

    Takahiko Kawasaki (@takahiko-kawasaki) has published a convenient reference "Diagrams And Movies Of All The OAuth 2.0 Flows" at https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85. A "flow" is a series of steps taken by the user, the auth server (Google, in this case), and the "client" (StackOverflow in this case).

    StackOverflow is using the "Authentication Code" flow, which is the first one in the article.

    Here's a somewhat simplified description of what happens.

    1) Redirect to Google

    When you click the "sign in/up with google" button on StackOverflow, it redirects your browser to accounts.google.com with some parameters on the querystring:

    • response_type: This tells Google which "flow" to use. In this case, it will give StackOverflow a code.
    • client_id: This tells Google that the auth request is for StackOverflow. StackOverflow previously set this up in their Google developer account.
    • scope: This tells Google what StackOverflow wants to access from the user's Google account (in this case, just email and profile information).
    • state: This is a string that Google will send back to StackOverflow. It looks like there's a bunch of stuff in there, including how to reconnect with the StackOverflow session, but I may be mistaken.
    • redirect_uri: This is the URL that Google will send the user back to when done with the sign-in process.

    2) Redirect Back to StackOverflow

    When you're done on the Google side, Google redirects you back to the StackOverflow URL with some new stuff in the querystring.

    • state: This is the same data that StackOverflow sent to Google. It's sent back now by Google so StackOverflow can use it to pick up where it left off when it sent you off to Google to sign in.
    • code: This is a string that represents the fact that the user authenticated. This code can be used once by StackOverflow to verify that you really did authenticate and get one or two tokens from Google.
    • scope: These are the scopes that Google actually allowed. They may be different from what StackOverflow requested in the previous step.
    • authuser: I don't know what this is. I don't think it's OAuth standard.
    • prompt: I don't know what this is. I don't think it's OAuth standard.

    3) StackOverflow Checks with Google

    After those two redirects, StackOverflow has an authorization code. StackOverflow sends the code to Google along with a secret string that Google previously assigned to StackOverflow.

    I can't see this happen in my browser network trace, because it is between StackOverflow and Google, but I think StackOverflow takes both the Identity Token and the Authorization Token, both in JWT format.

    These tokens are signed, so StackOverflow (or anyone, really) can verify they were actually sent by Google and not modified in transit. The payload of these tokens contains information about the user, such as name, email address, etc.

    NOTE: It is possible for the Google Authorization Token to be a random unique string (an "opaque token"), but I'm assuming here that it's a JWT. If it is opaque, there's an extra step where StackOverflow uses it to fetch user information from Google.
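    As an added illustration (not code from the answer or from Google), the three steps above as a stdlib-only Python model: the authorization server mints a one-time code bound to the registered client and redirect_uri, the client exchanges it over the back channel with its client secret, and then verifies the signed ID token's signature, issuer, audience and expiry before trusting the identity. The names ISSUER, CLIENTS, SIGNING_KEY and the functions are constructed for this example, and HS256 with a shared key stands in for Google's RS256 public-key signatures.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed toy setup: ISSUER stands in for Google and CLIENTS holds the one registered
# client (StackOverflow's role). HS256 with a shared key stands in for Google's RS256.
ISSUER = "https://accounts.example"
CLIENTS = {"so-client-id": {"secret": "so-client-secret", "redirect_uri": "https://so.example/cb"}}
SIGNING_KEY = b"constructed-signing-key"
_codes = {}  # one-time authorization codes -> (client_id, redirect_uri, sub)
_b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_jwt(claims):
    head, body = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token, audience):
    """Check the signature first, then iss/aud/exp, before trusting any claim."""
    head, body, sig = token.split(".")
    good = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(good), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != ISSUER or claims["aud"] != audience or claims["exp"] < time.time():
        raise ValueError("claims rejected")
    return claims

# --- authorization server (Google's role) ---
def authorize(client_id, redirect_uri, sub):
    """User has logged in and consented: mint a code bound to this client."""
    if CLIENTS.get(client_id, {}).get("redirect_uri") != redirect_uri:
        raise ValueError("unknown client or redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri, sub)
    return code

def token_endpoint(code, client_id, client_secret, redirect_uri):
    """Back-channel exchange: one-time code + client secret -> signed ID token."""
    entry = _codes.pop(code, None)  # single use: gone after the first attempt
    if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
        raise ValueError("invalid code")
    if not hmac.compare_digest(CLIENTS[client_id]["secret"], client_secret):
        raise ValueError("bad client secret")
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "aud": client_id, "sub": entry[2], "iat": now, "exp": now + 300})

# --- client (StackOverflow's role): what it does after the browser callback ---
def client_finish_login(code, client_id="so-client-id"):
    cfg = CLIENTS[client_id]
    id_token = token_endpoint(code, client_id, cfg["secret"], cfg["redirect_uri"])
    return verify_jwt(id_token, client_id)  # claims now trusted as Google-asserted identity
```

The browser only ever carries the code and state; the client secret and the ID token travel on the server-to-server leg, which is why the user's Google cookie is never needed by the client.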