
I am trying to create a multitenant authentication service, and to do that I have created a few OIDC providers. For experimentation purposes I added Google as an external authentication service. The interesting part is that Google authentication works even if I don't mention the client_secret.

My question is: how come Google authentication works without having a client id (or with a wrong client_id)? Any explanation for that?

I used incognito mode/private browsing and deleted all the cookies/local/session data from storage. I also deleted the user from the database. Still, it retrieves the data from the Google portal.

I created a store called DynamicAuthProviderStore for creating OIDC objects and added it as a service in the startup file.

    // Dynamic OIDC provider definition returned by the DynamicAuthProviderStore.
    OidcProvider asiaProvider = new OidcProvider
    {
        Scheme = "googledemo",
        DisplayName = "GOOGLE DEMO",
        Enabled = true,
        Authority = "https://accounts.google.com/",
        ClientId = "exampleId",
        ClientSecret = "exampleSecret",   // placeholder value
        Scope = "openid profile email",
        GetClaimsFromUserInfoEndpoint = true,
    };

    // Startup registration of the custom provider store.
    builder.Services
        .AddIdentityServer()
        .AddIdentityProviderStore<DynamicAuthProviderStore>();
Kazi Minhaj
  • Can you check the network tab in your browser dev tools? If you look at the response from Google, it might contain the ID token that your back-end is using to identify the user. I think most likely your application does not need to use Google's token endpoint, which would require a client secret with e.g. the authorization code flow. – juunas Aug 28 '23 at 08:27
  • I just checked, and this is the response object's properties: `{ "Url": "", "ConnectionToken": "", "ConnectionId": "", "KeepAliveTimeout": 4.0, "DisconnectTimeout": 6.0, "ConnectionTimeout": 6.0, "TryWebSockets": true, "ProtocolVersion": "1.3", "TransportConnectTimeout": 5.0, "LongPollDelay": 0.0 }`. Which property is my backend using to identify the user? @juunas – Kazi Minhaj Aug 28 '23 at 08:53
  • The response is returned in the URL query parameters or form data when Google sends the user back to your app. That one is not correct. – juunas Aug 28 '23 at 09:00
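The point juunas makes in the comments is that the client secret is only ever presented at the token endpoint, and only flows whose response_type contains `code` redeem anything there; a pure `id_token` (implicit) flow receives the ID token in the front channel and the IdP never sees the secret, so a wrong or missing one cannot be rejected. The following added example (not the asker's code and not Duende's own API) audits a provider definition for exactly that condition. It uses a local `ProviderSettings` record as a stand-in for the page's `OidcProvider`; the `ResponseType` and `UsePkce` names, and the assumption that `ResponseType` defaults to `id_token`, are taken from my reading of Duende's OidcProvider documentation and should be checked against the version in use.

```csharp
using System;
using System.Collections.Generic;

// Stand-in mirroring the properties used on the page (not Duende's OidcProvider type).
// ASSUMPTION: Duende's OidcProvider.ResponseType defaults to "id_token" (implicit flow).
public sealed record ProviderSettings(
    string Scheme,
    string Authority,
    string ClientId,
    string? ClientSecret,
    string ResponseType = "id_token",
    bool UsePkce = false);

public static class ProviderAudit
{
    // Per OpenID Connect Core, only a response_type containing "code" redeems anything
    // at the token endpoint, which is the only place the client secret is sent.
    public static bool UsesTokenEndpoint(ProviderSettings p) =>
        Array.Exists(p.ResponseType.Split(' ', StringSplitOptions.RemoveEmptyEntries),
                     part => part == "code");

    // Returns human-readable findings; an empty list means the secret is actually exercised.
    public static IReadOnlyList<string> Audit(ProviderSettings p)
    {
        var findings = new List<string>();
        if (!UsesTokenEndpoint(p))
            findings.Add($"{p.Scheme}: response_type '{p.ResponseType}' never calls the token endpoint; " +
                         "ClientSecret is never validated and the ID token arrives in the front channel.");
        else
        {
            if (string.IsNullOrEmpty(p.ClientSecret))
                findings.Add($"{p.Scheme}: code flow configured but ClientSecret is empty; token redemption will fail.");
            if (!p.UsePkce)
                findings.Add($"{p.Scheme}: code flow without PKCE; enable UsePkce to bind the code to this login.");
        }
        return findings;
    }

    public static void Main()
    {
        // The page's provider as written (ResponseType left at its assumed default).
        var asOnPage = new ProviderSettings("googledemo", "https://accounts.google.com/", "exampleId", "exampleSecret");
        // Same provider switched to code flow + PKCE, so the secret is presented and checked.
        var hardened = asOnPage with { ResponseType = "code", UsePkce = true };

        foreach (var cfg in new[] { asOnPage, hardened })
            foreach (var finding in Audit(cfg))
                Console.WriteLine(finding);
    }
}
```

With the page's settings the audit reports that the token endpoint is never called; with `ResponseType = "code"` and PKCE enabled it reports nothing, and a wrong secret then fails at token redemption.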
