Search code examples
node.jsgoogle-oauthgoogle-calendar-apiservice-accounts

Authentication using Node.js OauthClient "auth-code" flow


I'm building a SaaS application which require read-access to a user's google calendar. After the user gives consent to access their calendar during the first sign-in, I want the application to be able to authorize itself to access any of the user's calendars at any time without having to prompt the user for authorization again.

Currently I'm trying to create an authentication flow following the '@react-oauth/google' node library (specifically the "authorization code flow" here: https://react-oauth.vercel.app/). In my frontend, I get a code from the user, which is sent and successfully received by my backend. The backend is then supposed to use the code to get an access token and a refresh token for that user, but the request to exchange the code for the access token (oAuth2Client.getToken(req.body.code);) is failing with error 401 (unauthorized client.)

My ultimate goal is to store the access token and refresh token in a database somewhere so that I can access that user's calendar later at any time.

If I treat the backend as an Oath Client on google cloud and pass in the credentials for that, I get error 401 - unauthorized client, but I've given it access to the calendar api on google console, as you can see in the image: enter image description here

How can I resolve the issue that I'm facing?

I started reading about service accounts that can do this for you but I'm unsure how to proceed. I saw that they can do domain wide delegation but my users will be signing in from their personal gmail accounts so that option is not applicable for me.

Frontend Code:

import { useGoogleLogin } from '@react-oauth/google';
import axios from 'axios';
export const LoginModal = () => {

    const googleLogin = useGoogleLogin({
        flow: "auth-code",
        onSuccess: async codeResponse => {
            console.log(codeResponse);

            const tokens = await axios.post("http://localhost:3001/auth/google/", {
                code: codeResponse.code
            });

            console.log(tokens);
        }
    })

    return (<>
...some html code
<button onClick={() => { googleLogin() }}>  
..some more html code
    </>)
}

Backend Code:

require('dotenv').config();

const express = require('express');
const {
    OAuth2Client,
} = require('google-auth-library');
const cors = require('cors');

const app = express();

app.use(cors());
app.use(express.json());

const CLIENT_ID = "xxx";
const CLIENT_SECRET = "xxx";

// initialize oathclient
const oAuth2Client = new OAuth2Client(
    CLIENT_ID,
    CLIENT_SECRET,
    'postmessage',
);

// get token from code given from frontend
app.post('/auth/google', async (req, res) => {
    console.log(req.body.code)
    const { tokens } = await oAuth2Client.getToken(req.body.code); // exchange code for tokens
    res.json(tokens);
});


app.post('/auth/google/refresh-token', async (req, res) => {
    const user = new UserRefreshClient(
        CLIENT_ID,
        CLIENT_SECRET,
        req.body.refreshToken,
    );
    const { credentials } = await user.refreshAccessToken(); // obtain new tokens
    res.json(credentials);
})

app.listen(3001, () => {
    console.log(`server is running`)
});

Solution

  • I figured it out. Basically, I was putting in the wrong clientid/client secret in my google console because I thought the frontend and backend needed different oauth client IDs. I used the same oauth client secret/id for frontend and backend and made sure to follow the answers here: https://github.com/MomenSherif/react-oauth/issues/12

    MAKE SURE TO PUT "postmessage" AS YOUR REDIRECT_URI! It will not work without that.

    Working code:

    frontend is the same

    backend:

    require('dotenv').config();
    
    const express = require('express');
    const {
        OAuth2Client,
    } = require('google-auth-library');
    const cors = require('cors');
    
    const app = express();
    
    app.use(cors());
    app.use(express.json());
    
    const CLIENT_ID = XXX
    const CLIENT_SECRET = XXX
    
    // initialize oathclient
    const oAuth2Client = new OAuth2Client(
        CLIENT_ID,
        CLIENT_SECRET,
        'postmessage',
    );
    
    
    // get token from code given from frontend
    app.post('/auth/google', async (req, res) => {
        console.log("got request!")
        console.log(req.body.code)
        const { tokens } = await oAuth2Client.getToken(req.body.code); // exchange code for token
        res.json(tokens);
    });
    
    
    app.listen(3001, () => {
        console.log(`server is running`)
    });