Google + Authentication without Passport.js - node.js

I cant understand the standard flow of authentication and authorization of Google + without using Passport
Requirement:
No passport.js (i know it is simple to use it, but I dont want to use it)
No sessions (will not be using any session, i want to maintain statelessness)
Current architecture:
I had a REST API server, with JWT (JSON Web token),
user will get a access token from my server, when they do a POST /login
my server, will check the username and password and return with access token
this token is needed for future API query in my server
Question:
i) how can I replace my current authentication with Google + ?
ii) when i login using Google + button, I got a access token in my client side, do i send the token back to my server?
iii) but, my server has no information of this user?, do i need first create this user in my server, and when it sends an access token to my server, i will check if this user is valid and return it with my server access token? (so for this user, will not have password information on my server database?, and this access token from google will be stored in my server?)
iv) I read about their doc
they are using sessions, when the user first visit the page, I dont want to use sessiosn
I want to know the general flow, the code I could implement it myself,
I just want to know the common architecture to solve this problem!
It would be great, if you could show me the general concept to deal with this! :)

This is the most recommended way to implement Google+ sign in
Google Hybrid server side signin procedure
To sum it up, there is 2 part;
Retrieve the auth token from Google
Send the Google auth token to exchange for another token from your server
1) To retrieve the auth token from Google, you could use their available SDKs
2) Once you got the auth token from Google, send it back from your client to your server again
3) In your server, exchange the auth token from Google for their access token to allow you to use the Google API on behalf of the user. You could retrieve user information, post Google+ post
4) Generate your own server access token and send it back to the client
5) In your client, save your server generated access token to be used for CRUD from your server

Related

Google Sign Flow for Website. IDToken vs Access Token. Which one do I need?

What I ideally want to achieve is to be able to Login with Google SignIn, and put authentication on my Nodejs server's endpoints.
What I have done till now is log in the user in the browser, and send the IdToken to the server, validate this TokenId using verifyIdToken() using this link.
https://www.google.com/search?q=verify+idToke&rlz=1C5CHFA_enIN936IN936&oq=verify+idToke&aqs=chrome..69i57j0i13l2j0i13i30l3j69i60l2.12008j0j7&sourceid=chrome&ie=UTF-8
Question:
Once verified, should I generate an access_token using some package, and use that to secure my server's API? Or Use Google SignIn's IdToken as an access token for it?
Or Is there some other flow I'm not getting?
The id_token contains information about the user i.e. email, name, and profile picture.
If that's all that your application needs then the access_token won't be of use to you.
If you're trying to access/modify data belonging to the user, (i.e. trying to add an event to their calendar using the calendar api) then you need the access_token. The access_token is what will give you access to the user's account. If your application requests offline access to the user data then you will also receive something called a refresh_token that will let you regenerate your access token once it expires. If you add the refresh token to your oAuthClient it should automatically renew the access token for you when you make an api call.
Based on what you described I don't think you need the access_token and the id_token might be all you need.
More information is available on this page: https://developers.google.com/identity/protocols/oauth2

How to combine node express with passport providers and jwt?

I'm writing a single page web app using express and react.
I am now trying to choose the way to authenticate my users.
I want to let them register and log in with email and password and 3rd party provider like Facebook, Google etc...
I read some articles about passport and jwt (express-with-passport, jwt-with-passport), but none of them combined jwt and 3rd party provider.
The only way I could think of is to save the tokens in my db, and for each request to compare them (tokens provided by a 3rd party and tokens generated by myself using jwt)
Saving the token from a provider in my db and compare with each request makes sense, but using jwt I just need to verify the token without accessing the db.
How can I differ the tokens that I receive from the client? How can I tell when to access the db (for provider tokens) and when to verify using jwt?
EDIT:
The way of implementation I was thinking about is as follows:
- Username & password: Upon login, generate a token (using jwt) and send it to the client. Every request will include the token and the server will verify it.
- 3rd party provider: Let's say that the user is authenticated with Facebook. My server receive the token (using passport-js) from Facebook. Now I need to send the client its token. I could send the token I just received from facebook, but then how can I verify the token the client send to me afterward on every request?
So I could generate once again a token using jwt and work just like described above.
Is this a good implementation or am I missing something? I couldn't find
a full tutorial that describe all of those aspects.
Rather than using a token that an identity provider might give you, you might consider generating your own tokens based on a successful login callback to your application. Issue new tokens on every request for sliding expiration, and possibly consider the use of refresh tokens.
In your DB, you could store the authentication method for a given user (Facebook / Google / etc.) when they log in. When you receive a request with an invalid token, query for this auth method from the DB, then redirect them to the respective identity provider for re-authentication.
This will avoid DB lookups for most "normal" JWT validations for your app and gives you the full benefits of the stateless nature of the token.

Should my app issue it's own access tokens, when using external oauth2 provider (facebook)?

I would like to give the users a possibility to login with some external oauth2 provider (facebook) in my app. The client's part is running on mobile device in a native app.
I am not sure which of the approaches below should I prefer ?
Should the client send the user's access token by facebook with each request ? At each request backend asks facebook to validate the access token. Based on the validation's result, backend performs authorization and return corresponding result to the client.
Should the backend ask facebook to validate the access token only at user logon, then issue its own access token, return the access token back to the client and client will use this access token at making requests to the server to avoid contacting facebook at each request ?
I have read some questions about how to implement the auth with facebook and most of the devs are using B, but I haven't seen any explanation why is it good/bad to use A ?
What I see as benefits of the solutions:
backend doesn't need to care about issuing, refreshing, validating access tokens since this is done only by facebook's authorization servers.
this solution seems to be more effective, since it does not require to connect to facebook at each request.
Security tokens issued by Facebook are signed with a digital signature. The API server only needs access to the public key to validate the signature. There's no need at all to contact Facebook after the user authenticates.
A reason to issue your own tokens after the user signed in with Facebook could be to add claims to the token. But obviously having your own authorization server comes at a cost. It's up to you to weigh the pros and cons.
If you do decide to have your own authorization server, make sure not to write your own! There are open source options like Thinktecture IdentityServer.
I will vote for option B and here is my explanation,
Your API must authorise the request every time with some auth token , which cannot be external provider token, in such case anyone with an access token (eg: other developers) of other provider can access your api, basically there is no auth here.
When your sever issue access token, it's easy to validate and when needed could be revoked easily (eg: on password reset)
While authenticating , your server has fully control over issuing access token , so the validation is made only once and doesn't have to do every time while calling the API.

OAuth2 third party authentication with own tokens / no session

I'd like to be able to sign into my node app using LinkedIn, an email and password, Facebook, and possibly others. I don't want to use sessions/cookies. Instead, I want to use a header with a token for authorization -- jwt or something else. I'm open to anything here.
My question is the same as the one asked here: https://groups.google.com/forum/#!topic/passportjs/DJZZGKXDLsk -- I want the users to go through the following steps:
User comes to my site
User logs in through LinkedIn
User is redirected to post-login on my site
User can continue to interact with my site using header tokens (not session cookies)
Passport for LinkedIn OAuth2 more or less works for what I need it for, but the only problem is that it looks like this is entirely geared towards using sessions with cookies. After the callback url is hit on my server, I don't see a way to get tokens back to the client securely.
It also seems like I can use the LinkedIn frontend JS SDK to have users authenticate and post-authentication they can make a POST request to my server and at that point I would be able to confirm authentication with LinkedIn and respond with the tokens I create for authentication in the POST body. I'm not sure if this is recommended or secure and I don't love the idea of having the LinkedIn API key in the frontend JavaScript either.
How can I use LinkedIn OAuth2 to authenticate to my site and keep the authentication without cookies/sessions?

Token based authentication with mobile devices in ASP.NET

I'm trying to build a mobile app that has a login functionality with an ASP.NET web api, and I need to implement the token based authentication,
what I need is, as a first time the user login using username and password, a new token will be generated with expire date along with a refresh token, I'm thinking of the refresh token because the user doesn't have to login every time the token expires,
the token is saved in the mobile device and in the database, so with each request, sends the token whether in the request header or with the posted data,
I don't exactly know how the token based authentication works in terms of sending the token encrypted or hashed to the user and processing the request in the server
Edit:
an attacker in the middle can just read the token and start sending requests to the server using the token. I mean he doesn't need to know what the token actually means.
I created a class that has these properties (UserID,Token, RefreshToken, ExpiryDate), but I read that it is not a good approach,
I'm using AES for encryption and SHA256 for hash
Thank you for you help,
Please see the following articles in order to understand how token based authentication works in ASP.NET Web API.
http://www.codeproject.com/Tips/821772/Claims-And-Token-Based-Authentication-ASP-NET-Web
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Search OpenID and OpenID Connect specs, they will tell you exactly how the tokens should work in your case (non-confidential implicit client flow). You can add OpenID endpoints easily to your asp.net web api if you don't want to use an external openid server.

Resources