
I'm using passport-jwt. Assuming that I do social login (which is Kakao or Facebook), I get accessToken and refreshToken as callbacks from the social login. Then, is it not necessary to do jwt.sign, like this code?

const token = jwt.sign({ id: snsId, provider }, "jwt-secret-key");

In other words, I am wondering if it is only necessary to compare the accessToken and refreshToken passed by the social login without having to write a secret-key.

This is my code:

    const passport = require("passport");
    const KakaoStrategy = require("passport-kakao").Strategy;
    const jwt = require("jsonwebtoken");
    const router = require("express").Router();

    // Passport configuration: register the Kakao strategy.
    module.exports = () => {
      passport.use(
        new KakaoStrategy(
          {
            clientID: process.env.KAKAO_ID,
            callbackURL: "/auth/kakao/callback",
          },
          // Runs after passport-kakao has exchanged the authorization code for tokens.
          // Whatever is passed to done() becomes req.user in the route below.
          async (accessToken, refreshToken, profile, done) => {
            done(null, { snsId: profile.id, provider: "kakao", accessToken });
          }
        )
      );
    };

    // Callback route: Kakao redirects here; session: false because a JWT is issued instead.
    router.get(
      "/kakao/callback",
      passport.authenticate("kakao", {
        session: false,
      }),
      async (req, res, next) => {
        const { snsId, provider, accessToken } = req.user;

        const token = jwt.sign({ id: snsId, provider }, "jwt-secret-key");
        res.json({ token });
      }
    );
  • Signing and verifying are two different things. There's no need to sign a token you receive from a social login provider (unless at some other point you want to make sure it's you and only you who signed this token), but you should verify it with the provider's public key, to be sure it's really the provider who created this token (because in theory of course anybody can call your callback URL). – derpirscher May 06 '21 at 14:36
  • @derpirscher What is the provider's public key? Can you give me an example? – user15322469 May 06 '21 at 16:46
  • See this answer, where you can get the public keys, for instance for login with Google or Microsoft: https://stackoverflow.com/a/61640048/3776927. Unfortunately this doesn't work with FB. But as you already have a server, you can (and should) verify your FB access token like this answer to the same question: https://stackoverflow.com/a/27295322/3776927 – derpirscher May 06 '21 at 18:12
