
Building your own Authorization criteria on top of OAuth2/OpenID connect


I am kind of new to OAuth2 and OpenID Connect and I have been checking their different workflows, but I could not find an answer to this simple question.

If I understand correctly, I can use OAuth2 (for example with Google as Resource Server and AuthZ Provider) to access, on behalf of the user, data owned by that user on Google resource servers (like their Google Calendar).

I can also leverage OpenID Connect to get a JWT token that I can validate to verify that the current user is who they pretend to be (according to Google, which we trust in that scenario).

But if I need to implement AuthZ in my application (for example to make sure that the current user only accesses resources that belong to them), I have to do it myself, right? OAuth2 doesn't help me here? (I can still leverage the identity of the current user, with their email for instance, provided in the ID Token (JWT) for AuthN, though.)

Is my understanding correct?

Thanks for the help!


Solution

  • It depends on what resources you're referring to and the granularity of the control.

    OAuth 2's scopes are what you would check in the access token returned from the authorization server. Whatever scopes are in the access token represent what access the user is allowed herself AND the access she has consented to grant your app on her behalf. The resource server needs to verify the proper scope is in the access token before allowing access to the coordinating resource.


    How the OAuth flow works is your app makes an authorization request with certain scopes included.

    The authorization server is supposed to eliminate any scopes the user isn't allowed, whether they consent or not, then ask the user to authenticate and to consent to the remaining scopes.

    Sometimes the "asking to consent" part is done implicitly (not ideal). Furthermore, it can be done either all-or-nothing or by allowing the user to pick and choose.

    After the user successfully authenticates, your app receives an access token (skipping over some details not relevant here) which includes the scopes corresponding to the access the user has consented to.

    When the access token is sent to the resource server, it should check that the token has the required scope(s) in its verification of that token before allowing access.


    So, if you're talking about resources on Google, Google does have some scopes that you can include in the authorization request and the user will have to consent to. They should then be returned in the access token, and Google, as the resource server, will deny access if they aren't present when a call is made requiring an access token. Sometimes the finer grain control might not be available with the scopes Google has, though.

    If you're talking about using a different resource server, then yes, you'd need to implement the Authz part yourself. If you didn't need much control, you could implicitly tie the consent to whether they've successfully authenticated with Google or not (and ideally tell the user that's the case), but this would be outside of OAuth and you'd lose much of the security it provides for authorization here. Otherwise, you need an authorization server that knows about your resource server and has established that mutual trust between the resource server and your app.
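The two checks the answer describes, the resource server verifying that the required scope is present in a validated access token, and the application-level ownership check that OAuth2 leaves to you, as an added Python example that is not part of the original answer. It assumes a constructed HS256 shared secret between the authorization server and the resource server, a constructed calendar table, and a hypothetical `calendar.read` scope.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # assumption: HS256 secret shared with the authorization server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Constructed HS256 access token standing in for one minted by the authorization server."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, now: int) -> dict:
    """Check structure, algorithm, signature and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

CALENDARS = {"cal-1": {"owner": "alice"}, "cal-2": {"owner": "bob"}}  # constructed: id -> owner ("sub")

def read_calendar(token: str, calendar_id: str, now: int) -> dict:
    claims = verify_token(token, now)
    # Step 1, OAuth2: the scope this endpoint requires must be in the token's space-separated "scope" claim.
    if "calendar.read" not in claims.get("scope", "").split():
        raise PermissionError("missing scope calendar.read")
    # Step 2, application AuthZ (outside OAuth2): the token's subject must own the requested calendar.
    cal = CALENDARS.get(calendar_id)
    if cal is None or cal["owner"] != claims.get("sub"):
        raise PermissionError("not the owner")
    return cal

def decision(token: str, calendar_id: str, now: int) -> str:
    try:  # "allowed" or the denial reason, for logging and tests
        read_calendar(token, calendar_id, now)
        return "allowed"
    except PermissionError as exc:
        return str(exc)
```

Note that a valid scope alone never authorizes the request: a token for bob with `calendar.read` still fails the ownership check on alice's calendar, which is exactly the part OAuth2 does not do for you.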