
I have a node.js server which authenticates using google-passport-oauth2. My server-side code looks like that from the documentation:

// Step 1: send the browser to Google's consent screen with the requested scopes
app.get('/auth/google',
    passport.authenticate('google', { scope:
        [ 'https://www.googleapis.com/auth/plus.login',
          'https://www.googleapis.com/auth/plus.profile.emails.read' ] }
));

// Step 2: Google redirects back here; passport exchanges the code and loads the profile
app.get( '/auth/google/callback',
    passport.authenticate( 'google', {
        successRedirect: '/auth/google/success',
        failureRedirect: '/auth/google/failure'
}));

I figure that /auth/google redirects to google's login, and when permissions are received, the google profile and token are sent to the callback /auth/google/callback.

Now I am making an android app which wants to authenticate with this API. I'm using the directions for integrating Google Sign-In to do the authentication on google's end. Now my android app has the profile and token and wants to verify it with my server.

I've tried doing this with passport-google-token and passport-google-id-token (not sure the difference...), but it didn't work for whatever reason. Now I'm looking at other possibilities, like a Google Client API library for node.js, but it seems bulky. Then there's the tokeninfo endpoint, which involves an extra request and more latency. Or maybe I should look at express-jwt?

And suddenly, I wonder... couldn't I just pass the token from my android app to the server at auth/google/callback? That would make things a little simpler. I think this must be a pipe dream, because I haven't found any information about doing it. But if it's possible, how should I format the token/profile data in the request so the passport.authenticate() method recognizes it? (JSON, form data, headers)

If this can't be done, I'm taking suggestions for well-documented token verification libraries for node...

ki9
  • I'm still having some trouble with this. Are you using both `passport-google-oauth` and `passport-google-plus-token` in conjunction with each other, operating on different routes? If I use just `passport-google-plus-token`, how can I get it to work within a browser (not an Android or iOS app)? – skyguy126 May 09 '18 at 22:23
  • I never used `passport-google-plus-token`. – ki9 May 15 '18 at 19:17

1 Answer


I still don't know about reusing the google-passport-oauth2 route, but I did figure out how to validate Google's idToken using passport-google-id-token.

The documentation says:

The post request to this route should include a JSON object with the key id_token set to the one the client received from Google (e.g. after successful Google+ sign-in).

But it only works if it's sent as a query string (GET or POST works).

https://localhost:8888/auth/googletoken?id_token=xxxxxxxxxx

I have a feeling this is not the most secure method, but I'll have to deal with that later.

EDIT: It turns out, the token is useless without the client ID (in your app), so it's OK to send it by querystring.

EDIT 2: One of the google-id-token devs has reminded me that the JSON will only be received if body-parser has been installed.

ki9
  • I am in a similar position you were. How did things work out? – Sealer_05 Apr 10 '16 at 18:39
  • I'm afraid this is still the method I'm using. If you figure anything out, let me know. – ki9 Apr 10 '16 at 20:23
  • I can't even get that to work. For some reason I just get invalid_token when I POST or GET with the token in the query string.... – Sealer_05 Apr 11 '16 at 01:36
  • Apparently I had access_token in my URL instead of id_token. Google says to put it in the query string here, so I don't think we should be concerned. https://developers.google.com/identity/sign-in/android/backend-auth#verify-the-integrity-of-the-id-token – Sealer_05 Apr 11 '16 at 02:19
  • Yes, it seems like [the token is worthless without the client ID](https://github.com/jmreyes/passport-google-id-token/issues/8#issuecomment-201347857). Which is good: now I don't have to fix anything. – ki9 Apr 11 '16 at 04:20
  • But if you do want to use POST data, note that [`body-parser` is a prerequisite](https://github.com/jmreyes/passport-google-id-token/issues/8#issuecomment-208572839). – ki9 Apr 11 '16 at 22:54
  • How did this work out? Trying to do the same. – Sushilzzz Apr 02 '21 at 07:59