I plan to create an application with a Spring RESTful API backend and an AngularJS client.

I'd like to secure my Spring RESTful API with Google OAuth2 Authorization server.

I have an architectural question:

After successful authorization in Google I'll receive an accessToken from the Google OAuth2 Authorization server. Do I need to transfer this accessToken to my client application (AngularJS), or do I need to introduce my own security layer in my backend application (for example with JWT), issue my own jwtToken based on the Google accessToken, and only transfer this token to my client app?

In other words: is it safe to show the accessToken from Google to my client AngularJS app and use it for authentication in my own RESTful API?

Also, in the case of my RESTful API, do I need to validate the Google accessToken with the Google Auth server after each call from my client application (AngularJS) to my secure RESTful API?

alexanoid
  • What is the purpose of your application? Do you need to access Google APIs? If I'm not wrong, a Google OAuth token has a limitation (25 refresh tokens per user) – Valijon Jan 06 '16 at 12:26
  • Yes, it must access Google APIs. – alexanoid Jan 06 '16 at 12:27
  • I see. Each user will provide credentials? If yes, you need to authenticate with the given credentials and persist in your application (because of the request limitation). But there are also token limitations: [https://developers.google.com/identity/protocols/OAuth2#expiration](https://developers.google.com/identity/protocols/OAuth2#expiration) – Valijon Jan 06 '16 at 12:33
  • Thanks, but could you please answer my questions? – alexanoid Jan 06 '16 at 13:02
  • @alexanoid IMO it is not safe to let the angular application know your private key. I also tried to do this and at the time I checked, it was possible to 1) send the request to your backend, 2) make your backend sign the request with your private key, then 3) let the backend forward the request or 3-bis) return the signed request to angular and let angular send it. – Arnaud Denoyelle Jan 06 '16 at 13:43
  • @ArnaudDenoyelle thanks. So, in order to implement a proper application I'll introduce my own authentication/authorization layer in my backend based on my own JWT and will communicate with the AngularJS application based on my own jwtToken. The Google OAuth2 access/refresh tokens I'll only use for secure access to the Google API from my backend logic. Am I right? – alexanoid Jan 06 '16 at 13:49
  • @alexanoid I actually misread your question. Yes, it is safe to show the access token to the angular app because the angular app HAS to send it with every request. Maybe you would like to follow this series of 5 tutorials about how to secure a Spring REST application with an angular client: http://spring.io/blog/2015/01/12/spring-and-angular-js-a-secure-single-page-application (this is the url of step 1 and gives access to the following steps) – Arnaud Denoyelle Jan 06 '16 at 13:55
  • @ArnaudDenoyelle thanks a lot, this is an awesome tutorial with source code, especially this one https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2 Right now I'm wondering whether it is possible to substitute the Auth server in this tutorial with the Google OAuth2 Auth server.. – alexanoid Jan 06 '16 at 14:47

1 Answer

is it safe to show accessToken from Google to my client AngularJS app and use it for an authentication in my own RESTful API?

It's not your access token actually, it's meant to be used by your client. It's perfectly safe to give them the token as they MUST send the token to your backend with each request. This is because of the nature of REST.

in case of my RESTful API do I need to validate Google accessToken with Google Auth server after each call from my client application(AngularJS) to my secure RESTful API ?

Yes, you have to call Google whenever your client sends a token to your backend. There are several reasons why a token can be invalidated. For example, the user can revoke the access from your application, the token simply expired, etc.

More reading on implementing a REST backend with Google OAuth 2

Arnold Galovics
  • Man, I appreciate your work and effort. As far as I could find, you are the only one who managed to post a valuable tutorial on a topic of securing a Spring REST API using external oAuth provider, so I respect you very much. I have only one concern. Is your tutorial still up to date? I am absolutely new in the world of Spring, so I don't know the newest approaches used to deal with things here, but as I follow your approach and gather information from other sources I get a feeling that your approach might be a little bit outdated. Please say that my feelings are wrong this time. :) – Salivan Sep 30 '18 at 15:55
  • It might be outdated as it was written more than a year ago but the fundamentals haven't changed. There might be some technical detail differences compared to Spring Boot 2 but overall, if you know the basics, you can port it to any framework. – Arnold Galovics Sep 30 '18 at 19:02
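The check the answer describes, as an added example that is not part of the question, the answer or the linked tutorial: a Spring Security filter that takes the bearer token the AngularJS client sends on every request and asks Google whether it is still valid before letting the request through. It assumes Spring Boot 1.x with `javax.servlet` and `RestTemplate`, and Google's tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo?access_token=...`), which answers with a 4xx for expired, revoked or unknown tokens and with a JSON object carrying `aud`, `sub`, `email`, `scope` and `expires_in` for live ones. The class name, the `ROLE_USER` authority and the constructor parameter are choices made for this example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Example filter (not from the question or answer): validates the Google
 * access token on every request, as the accepted answer recommends.
 */
public class GoogleTokenInfoFilter extends OncePerRequestFilter {

    // Google's token introspection endpoint; the token is passed as a URI variable
    private static final String TOKENINFO_URL =
            "https://oauth2.googleapis.com/tokeninfo?access_token={token}";

    private final RestTemplate rest = new RestTemplate();
    private final String expectedClientId; // the OAuth client id Google issued to THIS app

    public GoogleTokenInfoFilter(String expectedClientId) {
        this.expectedClientId = expectedClientId;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No token at all: continue and let the normal access rules deny the request
            chain.doFilter(request, response);
            return;
        }
        String token = header.substring("Bearer ".length()).trim();

        Map<String, Object> info;
        try {
            // One round trip to Google per request: catches revocation and expiry
            info = rest.getForObject(TOKENINFO_URL, Map.class, token);
        } catch (HttpStatusCodeException e) {
            reject(response, "token rejected by Google");
            return;
        }

        String problem = validate(info, expectedClientId);
        if (problem != null) {
            reject(response, problem);
            return;
        }

        // Token is acceptable: the Google subject id becomes the authenticated principal
        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                info.get("sub"), null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }

    /**
     * Returns null when the tokeninfo response is acceptable, otherwise the reason.
     * Kept separate from the HTTP call so it can be unit tested with a constructed map.
     */
    static String validate(Map<String, Object> info, String expectedClientId) {
        if (info == null) return "empty tokeninfo response";
        // A live Google token issued to some OTHER application must not be accepted here,
        // so the audience has to be our own client id
        if (!expectedClientId.equals(String.valueOf(info.get("aud")))) return "audience mismatch";
        long secondsLeft;
        try {
            // tokeninfo reports the remaining lifetime; it may arrive as a string or a number
            secondsLeft = Long.parseLong(String.valueOf(info.get("expires_in")));
        } catch (NumberFormatException e) {
            return "missing expires_in";
        }
        if (secondsLeft <= 0) return "token expired";
        if (info.get("sub") == null) return "no subject in token";
        return null;
    }

    private static void reject(HttpServletResponse response, String reason) throws IOException {
        response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
        response.sendError(HttpStatus.UNAUTHORIZED.value(), reason);
    }
}
```

Register it in your `WebSecurityConfigurerAdapter` with `http.addFilterBefore(new GoogleTokenInfoFilter(clientId), UsernamePasswordAuthenticationFilter.class)` and keep `.anyRequest().authenticated()` so that requests without a token are still denied. The audience check is the part most often forgotten: without it, any valid Google access token, including one a user obtained for an unrelated application, would be accepted by your API.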