I am trying to understand how Google OAuth works. I have implemented this OAuth tutorial from the Spring docs. Below are the screenshots of the network traffic that occurred when I selected my account from the list of accounts shown by Google.

Resource 1

[screenshots not reproduced]

Resource 2

[screenshot not reproduced]

Resource 3

[screenshot not reproduced]

I guess OAuth works on JWT, and once the username and password are correct, it should return a JWT. However, I am not able to find the JWT returned by Google in the above network traffic. Am I understanding it wrong?

MsA

1 Answer


OAuth2 may use JWT, but it is not a requirement, even though I believe (not sure on that one) that it would be used between Spring Security and Google.

However, the communication is between the server and Google, so you would not get the token in the front-end. If you get a token in your front-end, it would most probably be one generated by your own back-end.

grekier
  • Do you mean to say that the JWT generated by the OAuth provider is not forwarded to the browser, but the browser might receive the JWT generated by the Spring Boot server which redirected to the Google login? **Q2.** Also, there has to be some unique session-related id (if not a JWT) sent by the server to the browser to identify the authenticated browser user session, right? Can you please point it out in the above pics? – MsA Jun 14 '22 at 22:56
  • Q1: Your browser has its "session" in your back-end, not in Google. And your back-end handles all auth/communication with Google, except a possible redirect to Google directly, one might say. Q2: The session-related things you have in those contexts would be towards your back-end from your front-end and in the browser, but based on the Google URL (when you get redirected) – grekier Jun 15 '22 at 11:19
  • "The session-related things": it should be a single thing, either a single session ID or a JWT, right? And since OAuth does away with session IDs and is based on JWT, I should be able to spot it in the network traffic, right? I just want to see it in the network traffic, to find the cookie that holds this specific JWT, just as a confirmation of my understanding of how OAuth works based on JWT. – MsA Jun 17 '22 at 13:14
  • If you want to see a JWT, you will need to configure your Spring Boot back-end to send one. As of now, it only sets the JSESSIONID cookie – grekier Jun 20 '22 at 06:38
  • **Q3.** Do you mean that by default Spring Security uses `JSESSIONID` instead of JWT? But [this](https://stackoverflow.com/questions/52573539/spring-adds-a-jsessionid-despite-stateless-session-management) related thread says: (1) Even with SessionCreationPolicy.STATELESS, a session can still be created outside the scope of Spring Security. (2) Spring Security won't create the session and won't rely on the session for providing authentication, but any other component of the app is still free to create the session. **Q4.** Doesn't this mean there must exist a JWT cookie at least for STATELESS? – MsA Jun 21 '22 at 13:46
  • I think you're still mixing things up a bit. 1. OAuth and JWT are not the same. JWT might be used for OAuth but isn't required. 2. Authentication in Google is not the same as authorization in your backend. Meaning that, even if Google uses OAuth, Spring Security might be configured to set up stateful auth (even if it doesn't make a lot of sense to do so). 3. In response to your Q4, no, it must not, but it can be set up in your backend, which btw would be a common way to do it, but still has to be configured in Spring (not out of the box) – grekier Jun 22 '22 at 06:59
  • Yeah, I know OAuth ≠ JWT. But I just realized point 2!! The official Spring Security guide seems to incorrectly use `SessionCreationPolicy.ifRequired` instead of `SessionCreationPolicy.STATELESS`, which is natural with OAuth. All online tutorials are using `SessionCreationPolicy.STATELESS` and manually sending/receiving JWTs to/from the browser, which is again more natural with OAuth than sending and receiving `JSESSIONID`. I was confused whether the official Spring Security guide is still sending and receiving JWT (as that's how it should be done) along with `JSESSIONID`, but that is simply not the case! – MsA Jun 23 '22 at 08:20
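The thread turns on the distinction grekier draws: what the browser got back from the Spring back-end was an opaque `JSESSIONID`, not a JWT, and the two look quite different in captured headers. The script below is an added example written for this page (not code from the question, from Spring Security or from Google). It classifies constructed `Set-Cookie` and `Authorization` header lines as opaque session ids or JWTs, and then shows why decoding a JWT's claims, which anyone holding the token can do, is not the same as verifying its signature. The header lines, cookie values, HS256 key, claims and host names are all constructed for the demo.

```python
"""Tell an opaque session cookie (e.g. JSESSIONID) apart from a JWT in captured
HTTP headers, and show that decoding a JWT is not verifying it.

Added illustration for this thread; not code from the question, Spring Security
or Google. Every header line, key and claim below is constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed HMAC key for the demo token; a real back-end keeps this secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256-signed JWT; used here only to build sample traffic."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def parse_jwt(token: str):
    """Return (header, payload) if the string is structurally a JWT, else None.

    Decoding only: the claims are readable by anyone holding the token, so
    nothing returned here may be trusted before the signature is checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return header, payload


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HS256 tag over header.payload and compare in constant time."""
    parsed = parse_jwt(token)
    if parsed is None or parsed[0].get("alg") != "HS256":
        return False
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def classify_headers(header_lines: list) -> list:
    """Label each credential in Set-Cookie / Authorization headers.

    'opaque' is a bare session id only the issuing back-end can interpret;
    'jwt' is a self-describing token whose claims are readable client-side.
    """
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookie_name, _, rest = value.partition("=")
            cookie_value = rest.split(";", 1)[0]
            kind = "jwt" if parse_jwt(cookie_value) else "opaque"
            findings.append({"where": f"cookie {cookie_name}", "kind": kind})
        elif name == "authorization" and value.lower().startswith("bearer "):
            token = value.split(None, 1)[1]
            kind = "jwt" if parse_jwt(token) else "opaque"
            findings.append({"where": "Authorization bearer", "kind": kind})
    return findings


def alter_claim_unsigned(token: str, claim: str, new_value) -> str:
    """Change one claim but keep the old signature: decodes fine, must not verify."""
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims[claim] = new_value
    new_body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{new_body}.{sig}"


# Constructed sample: a Spring-style session cookie, a JWT cookie and a bearer header.
SAMPLE_JWT = make_hs256_jwt(
    {"sub": "alice@example.invalid", "iss": "https://idp.example.invalid", "exp": 1700000000},
    DEMO_KEY,
)
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=5F2A7E1B9C0D4E3F8A6B2C1D0E9F8A7B; Path=/; HttpOnly",
    f"Set-Cookie: access_token={SAMPLE_JWT}; Path=/; HttpOnly; Secure; SameSite=Lax",
    f"Authorization: Bearer {SAMPLE_JWT}",
]

if __name__ == "__main__":
    for finding in classify_headers(SAMPLE_HEADERS):
        print(finding)
    altered = alter_claim_unsigned(SAMPLE_JWT, "sub", "mallory@example.invalid")
    print("altered token still decodes, sub =", parse_jwt(altered)[1]["sub"])
    print("genuine token verifies:", verify_hs256(SAMPLE_JWT, DEMO_KEY))
    print("altered token verifies:", verify_hs256(altered, DEMO_KEY))
```

Run against a real capture, `classify_headers` answers the question MsA was asking of the screenshots: a 32-hex-character `JSESSIONID` has no dot-separated segments and no decodable JSON, so it is reported as opaque, while a JWT is recognised by its three base64url segments and an `alg` header. The second half is the point for whoever reads those claims on the server: `parse_jwt` happily returns the altered `sub`, and only `verify_hs256` (or, for tokens from Google, verification against the issuer's published keys) tells the genuine token from the altered one.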