Secure Spring RESTful API with Google OAuth2 Authorization server

Question

I plan to create application with Spring RESTful API backend and client on AngularJS.

I'd like to secure my Spring RESTful API with Google OAuth2 Authorization server.

I have an architectural question:

After successful authorization in Google I'll receive accessToken from Google OAuth2 Authorization server. Do I need to transfer this accessToken to my client application(AngularJS) or I need to introduce some own security layer in my backend application(for example with JWT) and based on Google accessToken to issue own jwtToken and only transfer this token to my client app ?

In other words - is it safe to show accessToken from Google to my client AngularJS app and use it for an authentication in my own RESTful API?

Also, in case of my RESTful API do I need to validate Google accessToken with Google Auth server after each call from my client application(AngularJS) to my secure RESTful API ?

Answer 1

is it safe to show accessToken from Google to my client AngularJS app and use it for an authentication in my own RESTful API?

It's not your access token actually, it's meant to be used by your client. It's perfectly safe to give them the token as they MUST send the token to your backend with each request. This is because of the nature of REST.

in case of my RESTful API do I need to validate Google accessToken with Google Auth server after each call from my client application(AngularJS) to my secure RESTful API ?

Yes, you have to call Google whenever your clients sends a token to your backend. There are several reasons why a token can be invalidated. For example the user can revoke the access from your application, the token simply expired, etc.

More reading on implementing a REST backend with Google OAuth 2