I am creating a web application. I have enabled login with Google OpenID Connect and it is working. Now I want to protect the resources (REST API) with the access_token, but I cannot find how to pass a custom audience (https://api.myapp.com) and custom scopes (read:users add:users) to create the access_token. Is it possible to create a custom audience and scopes with Google OpenID Connect to protect my resources?

If I don't validate the access_token (audience and scopes), I can compromise my web application.

See the below image.

Thanks in advance.

Regards, Arsenio

Arsenio Aguirre
  • Why would you want custom scopes? Shouldn't you be using your own authorization server for that? An authorization server has to be configured as to which scopes it supports. You can't configure Google's authorization server. – Linda Lawton - DaImTo Mar 15 '21 at 16:58
  • Hi @DaImTo, thanks for your response. I have an authorization server and it supports custom audience and scopes, so when the request arrives at the protected resources I can validate the audience, scopes and others. Now I am trying to provide access to my web app with Google login via OpenID Connect and I would like to replicate the same behavior. For instance, I can provide some identity providers to access my web application. I am thinking that I can use Google OpenID to authenticate the users but I can't authorize the access to protected resources. I don't know if it is clear for you. – Arsenio Aguirre Mar 15 '21 at 17:18

0 Answers