Can I use the passport-google callback to authenticate android/ios users?

I have a node.js server which authenticates using google-passport-oauth2. My server-side code looks like that from the documentation:

const express = require('express');
const passport = require('passport');
const app = express();

// Sends the browser to Google's consent screen for the requested scopes
app.get('/auth/google',
    passport.authenticate('google', { scope:
        [ 'https://www.googleapis.com/auth/plus.login',
          'https://www.googleapis.com/auth/plus.profile.emails.read' ] }
));

// Google redirects back here; passport exchanges the code for a token and profile
app.get('/auth/google/callback',
    passport.authenticate('google', {
        successRedirect: '/auth/google/success',
        failureRedirect: '/auth/google/failure'
}));

I figure that /auth/google redirects to google's login, and when permissions are received, the google profile and token are sent to the callback /auth/google/callback.

Now I am making an android app which wants to authenticate with this API. I'm using the directions for integrating Google Sign-In to do the authentication on google's end. Now my android app has the profile and token and wants to verify it with my server.

I've tried doing this with passport-google-token and passport-google-id-token (not sure the difference...), but it didn't work for whatever reason. Now I'm looking at other possibilities, like a Google Client API library for node.js, but it seems bulky. Then there's the tokeninfo endpoint, which involves an extra request and more latency. Or maybe I should look at express-jwt?

And suddenly, I wonder... couldn't I just pass the token from my android app to the server at auth/google/callback? That would make things a little simpler. I think this must be a pipe dream, because I haven't found any information about doing it. But if it's possible, how should I format the token/profile data in the request so the passport.authenticate() method recognizes it? (JSON, form data, headers)

If this can't be done, I'm taking suggestions for well-documented token verification libraries for node...

Keith asked Sep 26 '22 12:09
1 Answer

I still don't know about reusing the google-passport-oauth2 route, but I did figure out how to validate Google's idToken using passport-google-id-token.

The documentation says:

The post request to this route should include a JSON object with the key id_token set to the one the client received from Google (e.g. after successful Google+ sign-in).

But it only works if it's sent as a query string (GET or POST works).

https://localhost:8888/auth/googletoken?id_token=xxxxxxxxxx

I have a feeling this is not the most secure method, but I'll have to deal with that later.

EDIT: It turns out, the token is useless without the client ID (in your app), so it's OK to send it by querystring.

EDIT 2: One of the google-id-token devs has reminded me that the JSON will only be received if body-parser has been installed.

Keith answered Sep 28 '22 05:09