Tags: authentication, mobile, oauth-2.0, google-oauth

How do OAuth2 identity providers interact with a client through a server


I’m struggling to understand something about OAuth2. Let’s say I have an SPA, a mobile client and a server, and I want to authorise a user through their Google account. The mobile application is, obviously, on a mobile phone, and the SPA is hosted somewhere on a machine I control.

Do I understand it correctly, following this website: https://learn.microsoft.com/en-us/dotnet/maui/platform-integration/communication/authentication?tabs=android ?

When logging through a mobile client:

  1. The user opens the mobile client and clicks the “Google login” button.

  2. The mobile client sends an HTTP request to my backend server, establishing a TCP connection.

  3. The backend server establishes a connection with the Google auth endpoint.

    3.a) In ASP.NET it’s, for instance, the Request.HttpContext.AuthenticateAsync function.

  4. Somehow the user interacts with the Google log-in website.

    4.a) Here is my question: how does this redirection work? How does the user interact with the Google auth page when it’s my server establishing this connection?

  5. After the user logs in on this Google page, Google returns to my server a set of claims that the server can use to create a JWT token (using also a secret that is on my server only).

  6. This JWT token is returned to the mobile client using the TCP connection from point 2.

Do I understand it correctly? How different is this scenario when using an SPA application hosted on a machine I control? I can’t find an explanation of what requests are established at any point, because all resources explain it through existing libraries which hide most of the complexity.


Solution

  • There are two parts to a code flow:

    • The app opens the system browser, which uses the front channel to interact with Google. The user then authenticates there.

    • An authorization code is returned to the app via browser redirects. The app then POSTs this to the backend. The backend then performs back channel requests to Google, to swap the code for tokens.

  • LEARNING OAUTH MESSAGES

    OAuth provides a security architecture, and, as you indicate, it is important to understand how it works, rather than just calling a login method of a vendor library.

    Here is an article of mine on OAuth Messages, though no backend is used in that example.

    It is recommended also to use an authorization server to manage the connection to Google, and to issue tokens for your apps and APIs.
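The two halves the answer describes, the front-channel redirect through the system browser and the back-channel code exchange done by the backend, run in-process in the following Python walk-through. This is an added example and is not code from the question, the answer, or any library the page mentions. It goes slightly beyond the answer by adding the two checks a practitioner would want to see in a public mobile client: the `state` parameter that ties the redirect back to the request the app made, and PKCE (RFC 7636) so the code can only be redeemed by the app that started the flow. The provider (`FakeProvider`), client id, client secret, redirect URI, endpoint URLs and user subject are all constructed placeholders, not Google's real endpoints.

```python
"""Authorization-code flow with a backend (added example, constructed endpoints).

Parties, as in the answer above:
  - mobile app: opens the system browser, receives the redirect, POSTs the code
  - backend:    holds the client secret, performs the back-channel exchange
  - FakeProvider: in-memory stand-in for the identity provider's /authorize and
    /token endpoints, so the whole exchange can be traced offline
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _s256(verifier: str) -> str:
    """PKCE S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def _query(url: str) -> dict:
    """Flatten a URL's query string into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeProvider:
    """Constructed identity provider: front channel (authorize) and back channel (token)."""

    def __init__(self, client_id: str, client_secret: str):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes = {}  # code -> (redirect_uri, code_challenge, subject)

    def authorize(self, url: str, subject: str) -> str:
        """Front channel: the user authenticates in the browser; the provider answers
        with a redirect back to the app carrying a single-use authorization code."""
        q = _query(url)
        if q.get("response_type") != "code" or q.get("client_id") != self.client_id:
            raise PermissionError("invalid_request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["redirect_uri"], q["code_challenge"], subject)
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """Back channel: the backend swaps code + client secret + PKCE verifier for tokens."""
        entry = self.codes.pop(form.get("code"), None)  # a code is redeemable exactly once
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        redirect_uri, challenge, subject = entry
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            raise PermissionError("invalid_client")
        if form.get("redirect_uri") != redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        if _s256(form.get("code_verifier", "")) != challenge:
            raise PermissionError("invalid_grant: PKCE verification failed")
        # A real provider returns a signed id_token; the subject claim stands in for it here.
        return {"subject": subject, "access_token": secrets.token_urlsafe(16)}


# ---- mobile app side (answer's first bullet) ----
def build_authorization_request(client_id: str, redirect_uri: str, authorize_endpoint: str):
    """Build the URL the app opens in the system browser, plus the per-request secrets
    the app must keep until the redirect comes back."""
    state = secrets.token_urlsafe(16)      # binds the later redirect to this request
    verifier = secrets.token_urlsafe(32)   # PKCE verifier; only its hash leaves the app now
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "code_challenge": _s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state, verifier


def handle_redirect(redirect_url: str, expected_state: str) -> str:
    """Check the redirect belongs to our request, then extract the authorization code."""
    q = _query(redirect_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise PermissionError("state mismatch: redirect not tied to our request")
    return q["code"]


# ---- backend side (answer's second bullet) ----
def backend_exchange(provider, code, code_verifier, client_id, client_secret, redirect_uri) -> str:
    """Back-channel exchange; the client secret never leaves the backend."""
    tokens = provider.token({
        "grant_type": "authorization_code", "code": code, "code_verifier": code_verifier,
        "client_id": client_id, "client_secret": client_secret, "redirect_uri": redirect_uri,
    })
    return tokens["subject"]  # the backend would now mint its own session token for the app


def run_flow(provider: FakeProvider, user: str = "alice@example.test") -> dict:
    """End-to-end trace of one login; returns what each party ended up holding."""
    client_id, client_secret = provider.client_id, provider.client_secret
    redirect_uri = "com.example.app:/oauth2redirect"          # constructed custom-scheme redirect
    url, state, verifier = build_authorization_request(client_id, redirect_uri, "https://idp.example/authorize")
    redirect_url = provider.authorize(url, subject=user)        # user logs in; browser redirected back
    code = handle_redirect(redirect_url, state)                 # app validates state, keeps the code
    subject = backend_exchange(provider, code, verifier, client_id, client_secret, redirect_uri)
    return {"subject": subject, "code": code, "verifier": verifier, "redirect_uri": redirect_uri}
```

The flow maps onto the questioner's steps 4 to 6: the app, not the backend, is what opens the provider's login page, and the backend only sees the code the app hands it afterwards. The single-use code in `FakeProvider.token` and the `state` check in `handle_redirect` are the two places a replayed or forged redirect is rejected.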