Using OAuth2 Resource Server (Google services) and OAuth2 Client in Spring Security 6


I want to get app-registered user information via a Google app using JWT authentication. I’m trying to use OAuth2 Client to get the information of users who have group mail registered in the Google App I created. I’m planning to use OAuth2 Resource Server with Google for authentication, that is, for token creation and control.

Am I following the right method for the work I plan to do?

I apply the following methods in order.

  1. Using OAuth2 Resource Server to authenticate the user. This will authenticate the user with the client supplied credentials and obtain a JWT (JSON Web Token).
  2. Using the generated JWT, I will request access to Google services. Following this custom JWT authentication flow, I will grant an access token to the user’s client with access permissions.
  3. Using the access token, I will get the user’s information by sending a request to the userInfoEndpoint provided by the OAuth2 Client. I will save the retrieved user information to my database with customOidcUserService.

You can find my attempt in my repository.


I think you should read my tutorials.

OAuth2 resource servers don't authenticate users. Only OAuth2 clients do.

Authenticating a user requires some state to store the tokens. When the OAuth2 client is on the server, a session is generally used for that => you will have to configure a Spring application as an OAuth2 client if you want it to handle user authentication (and it will be secured with sessions, not access tokens).

Requests to resource servers should be authorized with an access token. How this token was acquired (with authorization-code flow involving a "human" user, with client-credentials flow for a programmatic "user", with refresh-token flow when this is supported, etc.) is none of the resource server's business. All that matters to it is whether the access token was issued by an authority it trusts, whether this token is valid (audience, expiry, etc.) and whether it should grant access based on the claims (encoded in the token or introspected from it).

User-info endpoints are not exposed by OAuth2 clients. They are served by authorization servers and consumed by clients (as a source for user data, another possible source being ID tokens in the case of an OpenID authorization server).

Google won't necessarily generate JWT access tokens. The access tokens it generates are intended to be used by Google services, and the token format is a contract between authorization and (Google's) resource servers. This format being a JWT or an opaque token should be transparent to OAuth2 clients (which should not try to interpret access tokens).

If you want to secure a resource server of your own written with Spring (stateless REST API secured with access tokens), you'll likely have to set up an intermediate authorization server with identity federation from Google. There are plenty of solutions either on-premises (Keycloak is the most famous / feature-rich, but Spring also has a framework to build your own) or in the cloud (Auth0, Amazon Cognito, Azure AD, and many more). Most provide "Login with Google" and issue JWTs (and allow you to do useful things like managing user roles).
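As an added illustration of the resource-server side described in the answer above (this is example code, not from the question, the answer or the asker's repository), here is a stateless Spring Security 6 configuration that does only what a resource server should: trust one issuer, reject tokens that are expired or not meant for this API, and authorize from claims. `ISSUER` and `AUDIENCE` are placeholders for your intermediate authorization server and the audience value it puts in tokens for this API; the `/api/admin/**` path and the `admin` scope are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not the asker's or answerer's code). ISSUER and AUDIENCE are placeholders.
@Configuration
public class ResourceServerConfig {
    static final String ISSUER = "https://auth.example.test/realms/demo"; // placeholder issuer
    static final String AUDIENCE = "my-api";                              // placeholder audience
    @Bean
    JwtDecoder jwtDecoder() {
        // Signing keys are fetched from the trusted issuer's discovery document; nothing else is trusted.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);
        // Default validators: "iss" must equal ISSUER, and "exp"/"nbf" must be satisfied.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Audience check: a token issued for another client of the same issuer must not open this API.
        OAuth2TokenValidator<Jwt> audience = jwt -> jwt.getAudience().contains(AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, "aud does not contain " + AUDIENCE, null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            // No server-side session: every request must carry its own bearer token.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // Access decisions come from claims; Spring maps the "scope" claim to SCOPE_* authorities.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }
}
```

The user-facing login (authorization-code flow with Google, or with the intermediate server federating to Google) lives in a separate OAuth2 client application with sessions; this API never sees Google credentials or a login form.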