
Can anybody help me? I would like to use Google Sign-In as the login for my app. As I need proper authentication of my users in front of my server, I need to verify the freshness and the single use of the id_token. In other words, the id_token should be recently created and not yet used. Otherwise, impersonation could occur.

According to the OpenID Connect standard, there is a nonce or challenge set by the server and sent to the user's client, which is added to the request and included in the id_token in the response. This nonce helps with such verification.

Is there a way in which the freshness and the single use of a token can be verified using Google Sign-In/Identity?

Many thanks in advance!

  • Are the 'iat' (issued at timestamp) and 'exp' (expiration timestamp) inside the ID token useful for your purposes? https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint – Steven Jan 26 '16 at 05:07
  • Hi Steven, thanks for your idea. Assuming that my clock is synchronized with Google's, in some way I could verify the freshness. However, the solution with nonces is more secure. But 'iat' and 'exp' do not prevent an 'id_token' from being reused. Keeping a list of id_tokens in order to find duplicates is the last thing I would like to do. In addition, the expiration cannot be customized. – Roger Jardí Jan 26 '16 at 07:52

1 Answer


Google's OpenID Connect spec compliant authorization endpoint is https://accounts.google.com/o/oauth2/v2/auth (you can find Google's OpenID Connect configuration in the discovery doc). Per OpenID Connect spec, nonce is actually required in the implicit flow.

Here is an example request: https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=id_token&client_id=407408718192.apps.googleusercontent.com&scope=email+profile&nonce=onetimenonce

mengcheng
  • Thank you mengcheng! I know that it is possible, but in this case I should open a Web View, which is not desirable. Let me explain myself better. In https://developers.google.com/identity/choose-auth, it is recommended to use "Google Sign-In" in Android apps. Can I get the same with Google Sign-In for Android (https://developers.google.com/identity/sign-in/android/)? If not, is there any alternative to a Web solution? – Roger Jardí Jan 29 '16 at 08:54
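The server-side half of the nonce scheme discussed in the question and the answer, as an added example that is not part of the original thread or of any Google library: the server issues a nonce, the client sends it in the `nonce` parameter of the authorization request (as in the example URL above), and when the id_token comes back the server checks issuer, audience, `exp`, freshness via `iat`, and that the nonce is one it issued and has not yet consumed. The `NonceStore`, `verify_claims` and `unverified_claims` names, the client ID, the timestamps and the token itself are constructed for this example; the token is deliberately unsigned so the example runs offline, whereas a real Google id_token is RS256-signed and its signature must be verified against Google's published keys (for instance with google-auth's `verify_oauth2_token`) before any of these claim checks mean anything.

```python
import base64
import json
import secrets
import time

# Constructed values for this example; a real deployment uses its own client ID.
CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
MAX_TOKEN_AGE_SECONDS = 300  # how recent 'iat' must be for a token to count as fresh


class NonceStore:
    """Server-side record of nonces handed to clients (hypothetical helper).
    Each nonce remembers when it was issued and is removed the first time it
    is consumed, so a replayed id_token carrying the same nonce is rejected."""

    def __init__(self, ttl_seconds=MAX_TOKEN_AGE_SECONDS):
        self._pending = {}
        self._ttl = ttl_seconds

    def issue(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)  # unguessable, single-purpose value
        self._pending[nonce] = now
        return nonce

    def consume(self, nonce, now=None):
        """Return True exactly once per issued, unexpired nonce."""
        now = time.time() if now is None else now
        issued_at = self._pending.pop(nonce, None)  # pop: second use finds nothing
        if issued_at is None:
            return False
        return now - issued_at <= self._ttl


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token):
    """Split a JWT and decode its payload WITHOUT checking the signature.
    Signature verification against Google's keys is a separate, mandatory
    step that this example does not perform."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def verify_claims(claims, store, now=None, max_age=MAX_TOKEN_AGE_SECONDS):
    """Check issuer, audience, expiry, freshness ('iat') and single use ('nonce').
    Returns (ok, reason). Freshness is checked before the nonce is consumed so a
    stale token does not burn a still-valid nonce."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != CLIENT_ID:
        return False, "audience mismatch"
    exp = claims.get("exp")
    iat = claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired"
    # Allow 60 s of clock skew into the future; reject anything older than max_age.
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        return False, "token not fresh"
    nonce = claims.get("nonce")
    if not nonce or not store.consume(nonce, now):
        return False, "unknown, expired or already used nonce"
    return True, "ok"


def build_example_token(claims):
    """Constructed, UNSIGNED token for the demo (alg=none, empty signature).
    Real Google id_tokens are RS256-signed; never accept alg=none in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


def demo():
    """Fresh token verifies once, the same token is refused on replay, and a
    token whose 'iat' is an hour old is refused even with an unused nonce."""
    store = NonceStore()
    now = 1_700_000_000  # constructed epoch time
    nonce = store.issue(now)
    token = build_example_token({
        "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1234567890",
        "iat": now, "exp": now + 3600, "nonce": nonce,
    })
    claims = unverified_claims(token)
    first = verify_claims(claims, store, now + 10)
    replay = verify_claims(claims, store, now + 20)
    stale_claims = {
        "iss": "accounts.google.com", "aud": CLIENT_ID, "sub": "1234567890",
        "iat": now - 3600, "exp": now + 3600, "nonce": store.issue(now),
    }
    stale = verify_claims(stale_claims, store, now + 10)
    return first, replay, stale


if __name__ == "__main__":
    print(demo())
```

Because the nonce is popped from the store on first use, the server does not need to keep a list of every id_token it has ever seen (the concern raised in the comments): it only holds nonces it issued and has not yet redeemed, and those expire with the TTL. In a multi-server deployment the store would live in a shared backend rather than in process memory.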