Login to Single Page Application with Google authentication and Google Oauth 2.0

We are developing an SPA, a full client-side JavaScript application, and need to authenticate our users to give them access to the internals.

As I found from searching, we can outsource our authentication mechanism and use Google accounts for that. I learned from this site, https://developers.google.com/accounts/docs/OAuth2Login, how to deal with the Google API and its mechanism for authentication.

In short, we need to:

  • send a request to the Google URL with params asking the user to allow the SPA to use their personal data
  • in case of success, get a token from Google
  • use this token to get access to the API we asked for and work with it.

This is described well and I understand it and have some JS code to make it happen.

What I do not understand:

I have an application with its private data. I want to use the user's e-mail as the login, or a user id (it doesn't matter what to call it), to access the app's internals, such as the user's created tasks, the user's profile, etc. So, to display the user's created tasks in my SPA I need to query the database with the user's e-mail.

I imagine the following scenario:

  • the user clicks the Login with Google button
  • we obtain a token; this means the user was authenticated successfully
  • we persist the user and his e-mail to work with the SPA
  • when the user clicks Logout we clear all access data

Where should I persist this data?

In the case of Forms Authentication I understand that we pass the login/password to the server and, if they match the database, we create a Forms Ticket and store it in a cookie.

Is there any similar case with Google's auth? If I store the user's email in a cookie I think that's not very good for security reasons. If I save a token, I'm not sure why I need it and how to use it in my SPA, since I'm not using any Google API after authentication.

Do you have any example of how to build the process in similar cases?

Thank you.

Akim Khalilov Avatar asked Jan 14 '13 12:01



1 Answer

If all you need is the user's email address, then you would be better off using OpenID instead of OAuth. OAuth provides access to a user's account and services, scoped to a specific resource or set of resources. OpenID is designed just for logging into a third-party service. You can then extract the user's ID and email address from the OpenID login. Note: the ID will always be sent, but the email address has to be explicitly requested during authentication.

Google also supports a hybrid OpenID+OAuth scheme that lets you piggyback OAuth requests on top of an OpenID login if there is some resource you need to authenticate to. Take a look at the authentication document to get an idea of how both protocols work and which is better for your scenario.

Once you have the email address returned, you probably shouldn't persist it in a cookie. The normally recommended way to handle it is to add it as a session parameter. That way only the session cookie is stored on the client, and the server can use it to find the values it needs. This answer has a good explanation of the differences and when you want to use sessions versus cookies.

hexedpackets Avatar answered Nov 16 '22 02:11
