5

I'm testing google singin for a SPA js+nodejs app. I've added this:

<script src="https://apis.google.com/js/platform.js" async defer></script>

and these:

<meta name="google-signin-client_id" content="YOUR_CLIENT_ID.apps.googleusercontent.com">
<div class="g-signin2" data-onsuccess="onSignIn"></div>

in html5/js client side. following this guide:

https://developers.google.com/identity/sign-in/web/sign-in

when the users authenticate the library gets the token and pass it to the server as explained here:

https://developers.google.com/identity/sign-in/web/backend-auth

on server side (nodejs) the token is verified using this function:

client.verifyIdToken(
    token,
    CLIENT_ID,
    // Or, if multiple clients access the backend:
    //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3],
    function(e, login) {
      var payload = login.getPayload();
      var userid = payload['sub'];
      // If request specified a G Suite domain:
      //var domain = payload['hd'];
    });

MY QUESTION IS: when is the client_secret used? as I've used CLIENT_ID front end to get the auth token from google then I've used CLIENT_ID server side for token verification. I thought that the token could have been verified using client_secret (that is SECRET) known only server side so that no one else getting the token can auth that user. What am I missing?

user1658162
  • 2,721
  • 2
  • 19
  • 23
  • 1
    Client secret is only used if you are requesting access to additional data from Google from your backend server, e.g. offline access to the user's Contact, Calendar, or Drive data. The secret is used by the server to exchange an auth code from the client app for access tokens to retrieve authenticated data. In your case, sounds like you are just passing basic user data contained in an ID token (a signed JWT) to your server to verify the user's identity. If you don't need to access any authenticated Google resources from your server, you don't need an access token and don't need the secret. – Steven Dec 24 '16 at 01:53
  • Here are blog posts explaining the authentication-only use case: https://android-developers.googleblog.com/2016/01/using-google-sign-in-with-your-server.html and the authorization for API access use case: https://android-developers.googleblog.com/2016/02/using-credentials-between-your-server.html – Steven Dec 24 '16 at 01:55

2 Answers2

1

It appears the Client you have created is a Public client , The Client Secret is used in a Private Client .

Edit : I am sorry I used the term private client instead of Confidential client . Basically we have 2 types of clients in Oauth2

  1. Public Clients :- These are clients which don't need a client secret .

  2. Private Clients :- These clients have a Client secret .

I cannot give you a very certain answer as to why you do not get to see your client-secret as I have not worked with these specific libraries before , however it seems to me that may be you had a created a public client instead of a Confidential one .

UchihaItachi
  • 2,602
  • 14
  • 21
  • now I'm getting really confused...what's the difference in terms of googleAuth between apublic and private client? the following guide doesn't talk about public or private client: https://developers.google.com/identity/sign-in/web/sign-in – user1658162 Dec 23 '16 at 21:44
1

I believe I have the answer,

See here: https://firebase.google.com/docs/auth/admin/verify-id-tokens

It explains how to check the signature of the JWT on your own (if you wanted) and this is also what the google-auth-library is doing. Inside the library, search for verifySignedJwtWithCertsAsync() inside of oauth2client.js. Google handles the signing of the JWT using their own private key during the federated sign in process. By the time the JWT is returned to you and sent to the auth library, it's already been signed. This is great because you never have to touch a private key. It's securely stored at Google, you just let Google handle that part. Then, when you send the JWT up to your server, the key id claim in the header lets the auth library know which public key to use to decode it. If the public key fails to decode it, then the authentication has failed.

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature. Use the value of max-age in the Cache-Control header of the response from that endpoint to know when to refresh the public keys.

If all the above verifications are successful, you can use the subject (sub) of the ID token as the uid of the corresponding user or device.

Community
  • 1
  • 1
Allen
  • 2,717
  • 2
  • 30
  • 34