2

I registered an application in my google console and I got my client_id and client_secret.
Every solutions I checked until now didn't use client_secret at any level of doing this job.
What is client_secret used for though??
I'm using angularx-social-login for spa side.. so I used my client_id to get token from google and then send it to my backend server.. What should I do now?
How can I validate the token I got from google in backend?
By "Validation" I mean how can I be sure that the token is obtained using my SPA and my own WebApplication client_id?

Update: Thanks to Mosia Thabo this answer helped me. Thank U all.

abalfazl9776
  • 59
  • 7

2 Answers2

2

In OAuth2 there are 3 parties: the server (Google), the client (you) and the user (your users). The client_secret is used for client to server communication in a safe environment where "safe" means that you don't have to expose your credentials to the users. Since you're using an SPA that exposes all of its source code on the client side, you can't include your client secret in that source code or your users would be able to pretend to be your server and they'd have full access to all your users' information. Therefor you're most likely using OAuth2 workflows such as the password grant that only rely only on the client_id and additional credentials like a password and username that belong to the user. It's best that you follow the full authorization code workflow where you use your client_id and redirect your users to go authenticate with the server, so that you don't have to handle the sensitive user data like passwords.

To validate the access or ID token you will have to send the token to your backend and verify it there, or use Google's tokeninfo endpoint.

Robin De Schepper
  • 4,942
  • 4
  • 35
  • 56
0

Google has many clients coming in wanting to use their OAuth authentication endpoint and for google to know who they are every time they come back requesting authentication, it provides them with an unique ID(client ID) to be able to identify them and they use their provided password(client_secret) to login to that endpoint.

Those serve just like username and password.

Here're some useful links to help you configure OAuth with Google and Asp.Net Web API : BINGO!

boop
  • 7,413
  • 13
  • 50
  • 94
Mosia Thabo
  • 4,009
  • 1
  • 14
  • 24