 

Google OAuth: App or Server?

I'd like to implement Google OAuth. I'm a bit confused about whether to implement it on the client (mobile app) side or the server side.

Implementing it on the client side would mean shipping the key and secret in the app (which I want to avoid). However, if I do it on the server side, how do I send back the correct response to the client after a successful callback?

Also, what are the benefits of each of the two implementations?

Yellen asked Oct 28 '25 09:10


1 Answer

If you're talking about implementing Google+ OAuth 2 authentication from a native mobile application (not a web view), then what you need is to create an installed application client and a web application client in the Google console. The first one is for your mobile application, and the second one for your server.

Here is the workflow I used for my application:

  1. the mobile application gets the authorization code from Google with the G+ SDK, using a scope containing the web application client id. That way, the server has the authorization to connect with Google+.

    Your scope could look something like this:

    // Client id of the web application client (the server's), as shown in the
    // Google console; placeholder value.
    String GOOGLE_SERVER_CLIENT_ID = "<web-application-client-id>.apps.googleusercontent.com";
    // API scopes the server will use on the user's behalf.
    String LOGIN_SCOPES =
        "https://www.googleapis.com/auth/plus.login " +
        "https://www.googleapis.com/auth/userinfo.email";
    // Scope string handed to the G+ SDK: asks for an authorization code bound to the server's client id.
    String SCOPES = "oauth2:server:client_id:" + GOOGLE_SERVER_CLIENT_ID + ":api_scope:" + LOGIN_SCOPES;
    
  2. the mobile application calls a server route with the authorization code and the proper redirect URI (the one associated with the installed app in the Google dev console, which usually looks like this: 'urn:ietf:wg:oauth:2.0:oob').

  3. the server gets the access token from Google with the authorization code, secret id, application id, and the installed application redirect URI (if you use the web application one, it will fail with a redirect_uri_mismatch error).

  4. the server does whatever it wants with the access token, creates a valid session, and gives it to the application as the response to its request.

That way, you don't need to store anything on the client side. You still need to send the authorization code from the client to your server (preferably over HTTPS), but this code can only be used one time and is immediately consumed by the server.

I hope it helps.

trupin answered Oct 31 '25 01:10
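The server side of the four-step workflow in the answer above, written out as an added example (this is not the answer's or the questioner's code). It shows step 3 (exchanging the one-time code with the server-held client id and secret and the installed app's redirect URI) and step 4 (identifying the user with the access token and handing the app an opaque session instead of any Google token). Google's token and userinfo endpoints are replaced by a constructed stand-in that behaves as the answer describes: a code is accepted once, only with the server's credentials, and only with the installed app's redirect URI. The endpoint URLs, the client id and secret values, the authorization code, the userinfo-based lookup and the `transport(method, url, data, headers)` interface are all assumptions of this example, not details from the page.

```python
import hashlib
import secrets
import time

# Google endpoints (assumed here; the answer does not name them).
GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"
# Redirect URI of the installed-application client, as cited in the answer.
INSTALLED_APP_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"

# Hypothetical web-application client credentials. They live only on the
# server; the mobile app ships neither of them.
SERVER_CLIENT_ID = "123456789012-example.apps.googleusercontent.com"
SERVER_CLIENT_SECRET = "server-only-client-secret"
SESSION_TTL_SECONDS = 3600


class OAuthError(Exception):
    """Raised when the code exchange or the user lookup fails."""


class AuthServer:
    """Server side of the flow. transport(method, url, data, headers) returns
    (status, json_body); it is injected so the exchange can run offline."""

    def __init__(self, transport):
        self.transport = transport
        self.sessions = {}  # sha256(session token) -> {"sub": ..., "expires": ...}

    def login_with_code(self, code, redirect_uri):
        # Step 3: swap the one-time code for an access token, proving possession
        # of the server's client secret. Only the installed app's redirect URI works.
        status, body = self.transport("POST", GOOGLE_TOKEN_URL, data={
            "code": code,
            "client_id": SERVER_CLIENT_ID,
            "client_secret": SERVER_CLIENT_SECRET,
            "redirect_uri": redirect_uri,
            "grant_type": "authorization_code",
        }, headers={})
        if status != 200 or "access_token" not in body:
            raise OAuthError(body.get("error", "token_exchange_failed"))
        access_token = body["access_token"]

        # Step 4: use the access token to learn who just logged in.
        status, info = self.transport("GET", GOOGLE_USERINFO_URL, data=None,
                                      headers={"Authorization": "Bearer " + access_token})
        if status != 200 or not info.get("email_verified") or "sub" not in info:
            raise OAuthError("userinfo_failed")

        # Mint an opaque session token. The app gets only this token back as the
        # response to its request; the Google tokens never leave the server.
        session = secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(session.encode()).hexdigest()] = {
            "sub": info["sub"], "expires": time.time() + SESSION_TTL_SECONDS,
        }
        return session

    def authenticate(self, session):
        """Resolve a session token on later requests; returns the Google sub or None."""
        record = self.sessions.get(hashlib.sha256(session.encode()).hexdigest())
        if record is None or record["expires"] < time.time():
            return None
        return record["sub"]


class FakeGoogle:
    """Constructed stand-in for Google's token and userinfo endpoints, encoding the
    behaviour the answer relies on: one-time code, server credentials required,
    installed-app redirect URI required."""

    def __init__(self):
        self.codes = {"4/constructed-auth-code": {"sub": "100000000000000000001",
                                                  "email": "alice@example.com"}}
        self.tokens = {}

    def __call__(self, method, url, data=None, headers=None):
        if method == "POST" and url == GOOGLE_TOKEN_URL:
            if (data.get("client_id"), data.get("client_secret")) != (SERVER_CLIENT_ID, SERVER_CLIENT_SECRET):
                return 401, {"error": "invalid_client"}
            if data.get("redirect_uri") != INSTALLED_APP_REDIRECT_URI:
                return 400, {"error": "redirect_uri_mismatch"}
            user = self.codes.pop(data.get("code"), None)  # consumed on first use
            if user is None:
                return 400, {"error": "invalid_grant"}
            token = secrets.token_urlsafe(16)
            self.tokens[token] = user
            return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3599}
        if method == "GET" and url == GOOGLE_USERINFO_URL:
            user = self.tokens.get((headers or {}).get("Authorization", "")[len("Bearer "):])
            if user is None:
                return 401, {"error": "invalid_token"}
            return 200, {"sub": user["sub"], "email": user["email"], "email_verified": True}
        return 404, {"error": "not_found"}


def run_flow():
    """Run the exchange once, then trigger the two failures the answer mentions."""
    server = AuthServer(FakeGoogle())
    session = server.login_with_code("4/constructed-auth-code", INSTALLED_APP_REDIRECT_URI)
    result = {"sub": server.authenticate(session), "session_len": len(session)}
    try:  # same code a second time: already consumed by the server
        server.login_with_code("4/constructed-auth-code", INSTALLED_APP_REDIRECT_URI)
    except OAuthError as exc:
        result["replay"] = str(exc)
    try:  # the web application client's redirect URI instead of the installed app's
        AuthServer(FakeGoogle()).login_with_code("4/constructed-auth-code",
                                                 "https://api.example.com/oauth/callback")
    except OAuthError as exc:
        result["wrong_redirect"] = str(exc)
    return result


if __name__ == "__main__":
    print(run_flow())
```

The server stores only a hash of the session token, so a leaked session table does not yield usable sessions, and the mobile app holds nothing but that opaque token. In a real deployment the `transport` argument would be an HTTPS client posting form-encoded bodies to the real endpoints; the route the app calls with the code should itself be served over HTTPS, as the answer advises.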


