OAuth2+OIDC are very confusing

sorry for the very long-ass question, and thanks in advance. not sure where to ask this. (OAuth2 implementation) I just spent 6 hours watching videos and reading google-identity's docs on how to implement OpenID Connect, and I'm still very confused. for example (in the response_type):
If the value is code, launches a Basic authorization code flow, requiring a POST to the token endpoint to obtain the tokens. If the value is token id_token or id_token token, launches an Implicit flow, requiring the use of JavaScript at the redirect URI to retrieve tokens from the URI #fragment identifier.
why would google send me a fragment identifier? isn't the JWT token supposed to be sent to the server? is it secure that I get a URL-encoded hash that has the user's information in it... sent to the browser? I'm not sure about what I'm doing, but here is how I'm implementing it:
- in the browser, the user clicks on "login with google"
- the user gets redirected to the back-end; the back-end generates the URL-encoded string for the consent.
- the consent (google's) redirects the user back to the front-end with the JWT token.
- I have to send that back to the back-end to parse it and do something with it (not sure about this yet)
here is the GET request for the consent:
{
client_id: '161581761691-3tjdu1rca5q35h60qcgrd7eb0tb2ulmp.apps.googleusercontent.com',
response_type: 'id_token', //implicit flow (openid connect)
redirect_uri: 'http://127.0.0.1:3000/login',//front-end login page
scope: 'openid profile email',

//I still haven't read about `nonce` and `state`, I only know that they are for security
nonce: 'akonamatata',
state: 'I need to generate a session token',
}
- why does google send the JWT as a hash? I would like to send it to my API instead of the browser.
- why does it have to be JWT? whereas if I "misused OAuth2" as an authentication method, I would get the user's data without having to deal with URL decoding and base64 decoding.
4 Replies
venego, 2y ago
and I still don't know how to differentiate between login and signup. do I just use the received email as the username, and check if the user already exists or not and act accordingly? also, is it fine to use the JWT sent by google's auth server in the authentication http-only cookie instead of my token?
Unknown User, 2y ago
Message Not Public
venego, 2y ago
ok, thank you for notifying me about this, I'll switch to auth code. I'm using the back-end to redirect the user to the consent because I need to generate the state and nonce there; I feel like it's a thing that would make the front-end messy. yeah, I know these steps and I know JWT, but I don't even get a public key to make sure it's not being messed with. why don't they just send a simple stringified object instead? anyhow, I already got it to work, but I'll do as you've said and take the other route instead, although I'm using the user's email address as the id for the username in the db table. I feel like it's pretty muddy. IDK. thanks for the response.
Unknown User, 2y ago
Message Not Public