
I have a web application where I have implemented delegated authentication via Google OIDC (i.e. the browser redirects users to Google, they get authenticated and come back to my app). My app decodes the Google access and ID tokens to authorize the user, and things work fine.

I have another requirement wherein users of my application can access the APIs of my application using curl or other scripts. There will not be any browser interaction involved. I still want to rely on Google to trust that the user is who she says she is.

One workflow I could think of is: the user passes his Google ID and password while calling my API, my app does the password grant flow, gets the token on the user's behalf and uses the token to validate API access.

However, this is not practical, since users will not be comfortable sharing their Google credentials over curl with a third-party app like mine.

What possible workflow could I use so that the user could get his id_token somehow via Google and pass it as the bearer token while calling my API? I can then validate the token. What are my options without any browser interaction?

WillMcavoy
  • Google OAuth for user credentials requires the user to interact with a web browser. No other method is allowed or supported. Tip: never implement a strategy where you ask for the user's Google username and password. The correct approach is for the user to authenticate via Google OAuth via your web server. – John Hanley Feb 07 '20 at 03:14
  • If you validate the web user account with Google OIDC, I assume that all the user accounts, web and command line (like curl), are Google accounts, right? – guillaume blaquiere Feb 08 '20 at 19:29

1 Answer


I'm not sure, but one option is that you use the script as in this example and use Google's server flow steps to enable the use of these protocols and authentication.

Server flow:

  1. Create an anti-forgery state token
  2. Send an authentication request to Google
  3. Confirm the anti-forgery state token
  4. Exchange code for access token and ID token
  5. Obtain user information from the ID token
  6. Authenticate the user

This is because OpenID Connect is an interoperable authentication protocol based on OAuth 2.0, and the specification is designed for use with HTTP; I mean that OpenID Connect uses only standard HTTP(S) requests and responses.

Another reference I hope you'll find useful is this library that I found, OAuth2 for Apps Script.

Also, OpenID Connect allows you to launch sign-in flows and receive verifiable assertions about the identity of signed-in users. If you need to implement an implicit flow, I recommend you use Google Sign-In.

roberto_h