I am studying OIDC, and I have a question about my understanding of it...
I would like to register on Stack Overflow with Google (which uses the OIDC protocol).
So the end user is not yet registered:
set-cookie: SID=...;Domain=.google.com;Path=/;Expires=...;Priority=HIGH
~~Why does Stack Overflow have access to the SID cookie on the google.com domain at the redirect?~~
Sorry, Stack Overflow doesn't have access to the SID cookie! My question now is: how does Stack Overflow know that the user is authenticated, given that the session cookie is set by Google...
TL;DR -- Google gives you a code that you give to StackOverflow and StackOverflow verifies the code with Google.
The OAuth2.0/OIDC specs define several ways that Google and StackOverflow can securely communicate regarding a user's authentication and authorization. When I was learning it, the main obstacle I had to overcome was my expectation that it would be simpler than it is.
Takahiko Kawasaki (@takahiko-kawasaki) has published a convenient reference, "Diagrams And Movies Of All The OAuth 2.0 Flows", at https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85. A "flow" is a series of steps taken by the user, the auth server (Google, in this case), and the "client" (StackOverflow in this case).
StackOverflow is using the "Authentication Code" flow, which is the first one in the article.
Here's a somewhat simplified description of what happens.
When you click the "sign in/up with google" button on StackOverflow, it redirects your browser to accounts.google.com with some parameters on the querystring:
When you're done on the Google side, Google redirects you back to the StackOverflow URL with some new stuff in the querystring.
After those two redirects, StackOverflow has an authorization code. StackOverflow sends the code to Google along with a secret string that Google previously assigned to StackOverflow.
I can't see this happen in my browser network trace, because it is between StackOverflow and Google, but I think StackOverflow takes both the Identity Token and the Authorization Token, both in JWT format.
These tokens are signed, so StackOverflow (or anyone, really) can verify they were actually sent by Google and not modified in transit. The payload of these tokens contains information about the user, such as name, email address, etc.
NOTE: It is possible for the Google Authorization Token to be a random unique string (an "opaque token"), but I'm assuming here that it's a JWT. If it is opaque, there's an extra step where StackOverflow uses it to fetch user information from Google.
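The code flow the answer walks through, as an added example (not code from the answer, from Google, or from Stack Overflow): both sides run in one process so the back-channel exchange is visible. The client stores a `state` and `nonce` in its own session, sends the browser to the provider, gets a one-time code back on its redirect URI, trades the code plus its client secret for tokens over the back channel, and validates the signed ID token before marking its own session as logged in. That is why the SID cookie on google.com is never needed by the client. All names, the `FakeProvider`, the test user and the registration values are constructed assumptions; Google signs ID tokens with RS256 and clients check them against Google's published JWKS keys, whereas this example uses a shared HS256 key so it runs on the standard library alone (the claim checks are the same either way).

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration values standing in for what Google issues to a real client.
CLIENT_ID = "stackoverflow-example-client"
CLIENT_SECRET = "client-secret-issued-at-registration"
REDIRECT_URI = "https://stackoverflow.example/users/oauth/callback"
ISSUER = "https://accounts.google.com"
# Stand-in for Google's RS256 key pair: HS256 shared key so the example runs without extra libraries.
PROVIDER_SIGNING_KEY = secrets.token_bytes(32)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Provider side: header.payload.signature, each part base64url-encoded."""
    header, payload = b64url(json.dumps({"alg": "HS256"}).encode()), b64url(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Client side: accept only if signature, issuer, audience, expiry and nonce all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not get to pick the algorithm
    expected_sig = hmac.new(PROVIDER_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims

class FakeProvider:
    """In-process stand-in for Google: issues one-time codes and exchanges them for tokens."""
    def __init__(self): self.codes = {}

    def authorize(self, auth_url: str, user: dict) -> str:
        """Step 2: after the user signs in, redirect back with a code and the client's own state."""
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "nonce": q["nonce"][0],
                            "client_id": q["client_id"][0], "redirect_uri": q["redirect_uri"][0]}
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form: dict) -> dict:
        """Step 3 (back channel): the code is single-use and bound to client secret and redirect_uri."""
        record = self.codes.pop(form.get("code"), None)
        if (record is None or form.get("grant_type") != "authorization_code"
                or form.get("client_id") != record["client_id"] or form.get("redirect_uri") != record["redirect_uri"]
                or not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET)):
            raise PermissionError("invalid_grant")
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": record["user"]["sub"], "email": record["user"]["email"],
                  "nonce": record["nonce"], "iat": now, "exp": now + 3600}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "id_token": sign_jwt(claims)}

def build_authorization_url(session: dict) -> str:
    """Step 1: the client stores state and nonce in its own session, then redirects the browser."""
    session["state"], session["nonce"] = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": session["state"], "nonce": session["nonce"]}
    return ISSUER + "/o/oauth2/v2/auth?" + urlencode(params)

def handle_callback(session: dict, callback_url: str, provider: FakeProvider) -> dict:
    """Steps 3-4: match state to the session, swap the code for tokens, validate the ID token."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: callback was not started by this browser session")
    tokens = provider.token({"grant_type": "authorization_code", "code": q["code"][0], "client_id": CLIENT_ID,
                             "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI})
    claims = verify_id_token(tokens["id_token"], session.pop("nonce"))
    session["user"] = claims["sub"]  # the client's own session is now logged in; no Google cookie involved
    return claims

def run_login(user=None):
    """Drive one complete login; returns (claims, client_session, provider, code) for inspection."""
    provider, session = FakeProvider(), {}
    user = user or {"sub": "1234567890", "email": "alice@example.com"}  # constructed test user
    callback_url = provider.authorize(build_authorization_url(session), user)
    code = parse_qs(urlparse(callback_url).query)["code"][0]
    return handle_callback(session, callback_url, provider), session, provider, code

def rejects(fn, *args) -> bool:
    """True if fn(*args) raises: used to show that a check fails closed."""
    try:
        fn(*args)
        return False
    except (ValueError, PermissionError):
        return True
```

Running `run_login()` returns the verified claims and a client session whose `user` entry is set; the `state` and `nonce` are consumed so the same callback cannot be replayed against that session, and the provider refuses a second exchange of the same code. Swapping `FakeProvider` for real HTTP calls to Google's endpoints and replacing the HS256 check with RS256 verification against the JWKS keys is what a production client adds on top of this skeleton.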