
I'm implementing Facebook and Google SSO on my website using a custom workflow (redirect URLs, parsing on the server side etc. - no JavaScript) and I've got to the point where I have access_token, token_type and expires_in, and from Google also id_token, and I am confused about what to do next to authenticate the user. I read a little about authorization vs authentication, and that Facebook and Google SSO are OAuth2, which provides authorization but not authentication, from which I understand that this way my web application is authorized to do something on behalf of the user, but I cannot be sure the user is the one I think he is? My main source is this: OAuth Authorization vs Authentication

So, my question is, what should I do to be able to consider the user logged in?

Thank you

Jan

3 Answers


In your case Google (and Facebook) are authenticators. These services just tell your application that the user who tries to log in to your system is the one he wants to appear as.

Assume you differentiate users by unique email. Your application flow should be as follows:

  1. The user tries to log in to the application using Google. The application does all the Google redirection flow stuff and gets the tokens.
  2. The application needs to store these tokens for future use.
  3. The application checks whether this user's email is present in the database.
  4. If the email is present and Google returned tokens (Google authenticated your user successfully), you can log the user in to your app.
  5. If the email isn't present in the database but Google authenticated the user successfully, you can store this user (with email) in your database - sign him up - this is a new user in your system.

Same flow with Facebook. Surely you can extend this logic to be more your application specific.

Dmitriy Troyan

SSO and OAuth are different. OAuth is an authorization protocol. You are dealing with Google and Facebook OAuth.

OAuth

In the case of OAuth, after successful authentication (Google/Facebook) you will get an access token. You can use the token for maintaining the user session.

With this token the user is authorized. Now you should check whether the user is present in your database; if yes, then authenticate the user and redirect to your application.

SSO

SSO is a user authentication service. There are ways of implementing SSO, like Kerberos SSO and ADFS SSO.

Hitesh Ghuge
  • Thank you for the answer. I don't quite understand; I have 3 pieces of information which cannot all be true at the same time: 1) OAuth2 is for authorization, not authentication. 2) Facebook and Google login are both basically OAuth2. 3) Facebook and Google login provide authentication. So I use Facebook/Google login, which is OAuth2, which is not for authentication, but I can use it for authentication. Why? What in that have I got wrong? – Jan Apr 09 '17 at 10:27
  • First of all, OAuth is for authorization, e.g. `google`. To log in you need a valid Google username and password for authentication of the Google account; only then do you get an `access token` from OAuth. – Hitesh Ghuge Apr 09 '17 at 10:40

We should never use an OAuth2 access token for authentication. For details, please refer to https://oauth.net/articles/authentication/

OpenID Connect, built on top of OAuth2, can be used for authentication.

Google supports OpenID Connect: https://developers.google.com/identity/protocols/OpenIDConnect

The basic idea is that Google will issue the client app (your application) an ID token after the user has logged in to his Google account. You can then extract user information (e.g. email, unique user id) from this ID token and proceed with your login flow.

Frankie Hung
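The following is an added example, not code from any of the answers above. It puts the two pieces together server-side: the ID-token checks that the last answer says make the login trustworthy (signature, issuer, audience, expiry, subject), and the "look the user up, otherwise sign him up" flow from the first answer. It goes beyond that answer in two ways a practitioner would want: accounts are keyed by Google's stable `sub` claim rather than only by email, and an email is only used to match an existing local account when the token carries `email_verified: true`, so an unverified address cannot attach to someone else's account. The client id, the signing key and the tokens are constructed for the example; real Google ID tokens are RS256-signed and must be verified against Google's published JWKS (or its tokeninfo endpoint), whereas this example uses HS256 purely so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Issuer values Google documents for its ID tokens (either form can appear).
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Hypothetical OAuth client id; the real value comes from your Google API console project.
CLIENT_ID = "123456789-example.apps.googleusercontent.com"

# Constructed demo signing key. Real Google ID tokens are RS256-signed and are checked
# against Google's JWKS; HS256 is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT so the validation path can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(id_token: str, key: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Verify the signature and the OIDC claims a relying party must check; return the claims.

    Raises ValueError on any failure so a caller cannot accidentally treat a bad token as a login.
    """
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:  # token was issued for some other application
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def login_or_signup(claims: dict, users: dict) -> Tuple[dict, bool]:
    """Find the local account for a verified ID token, creating one if needed.

    users maps a provider-scoped key "google:<sub>" to a user record; returns (user, created).
    """
    key = f"google:{claims['sub']}"
    if key in users:
        return users[key], False  # step 4 of the first answer: known user, log in
    # Email may only be used to match an account when Google says it was verified;
    # otherwise an unverified address could be used to attach to someone else's account.
    if not claims.get("email_verified"):
        raise ValueError("email not verified")
    email = claims["email"]
    for user in users.values():
        if user["email"] == email:  # existing local account: link it, don't duplicate it
            users[key] = user
            return user, False
    user = {"email": email, "provider_sub": claims["sub"]}
    users[key] = user  # step 5 of the first answer: sign the new user up
    return user, True


def handle_callback(id_token: str, users: dict, now: Optional[float] = None) -> Tuple[dict, bool]:
    """Server-side end of the redirect flow: verified ID token in, session-worthy user out."""
    claims = verify_id_token(id_token, DEMO_KEY, CLIENT_ID, now)
    return login_or_signup(claims, users)
```

`handle_callback` is what the redirect handler would call after exchanging the authorization code; only its return value should start a session. Note that the access token never takes part in the decision, which is the point of the last answer.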