Why doesn't Sign-in with Google require a Client Secret?


I'm following Google's new Sign In Button documentation. For the verification on the server, they ask us to run the following code (for Node.js):

// Server-side verification of a Google ID token (Node.js), as in Google's docs.
const {OAuth2Client} = require('google-auth-library');
const CLIENT_ID = process.env.GOOGLE_CLIENT_ID;  // the OAuth client ID shown in the developer console
const client = new OAuth2Client(CLIENT_ID);

// `token` is the ID token (a JWT) the browser sends after the user signs in.
async function verify(token) {
  const ticket = await client.verifyIdToken({
      idToken: token,
      audience: CLIENT_ID,  // Specify the CLIENT_ID of the app that accesses the backend
      // Or, if multiple clients access the backend:
      //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
  });
  const payload = ticket.getPayload();
  const userid = payload['sub'];  // stable Google account identifier for the user
  // If request specified a G Suite domain:
  // const domain = payload['hd'];
  return userid;
}
verify(process.argv[2]).catch(console.error);

I find it weird that at no point, we specified the Client Secret, which was shown in our Google Developer console along with the Client ID.

Since the Client ID is also embedded in the frontend website code, anybody could essentially copy it, and start their own server on my credentials right?

When I looked at the OAuth2Client constructor, it has the Client Secret as the second parameter; however, it's optional.

(alias) new OAuth2Client(clientId?: string | undefined, clientSecret?: string | undefined, redirectUri?: string | undefined): OAuth2Client (+1 overload)

What is the logic behind this? Is not using the Client Secret on my server (as shown in the docs) creating a vulnerability on my site?
