Is the following model for Google OAuth2 authentication satisfactory and secure?

I have a users table in my SPA application (Phoenix API application) which contains the fields: name, email, registered_at, role_id. I use OAuth2 authentication by Google API. After the end-user authenticates at Google's login page, my OAuth2 library gets his/her email address from Google's profile API and I use that email address to mark him/her in my application as authenticated (logged in) by sending him/her a signed authentication token for future authorized requests. My question is: is this model safe and secure? Would it be possible for an attacker to get authorized in my application by tampering with the Google response, injecting a custom email address inside the Google Profile response? Is it safe to rely only on the email address obtained by calling the Google Profile API? Can any additional security measures be taken?

1 Like
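The model described in the question, as an added example in Elixir; this is not code from the post, from Phoenix, or from the Elixir OAuth2 library. It shows the checks an application should run on the claim set Google returns (the `iss`, `aud`, `exp`, `sub`, `email` and `email_verified` fields of a Google OpenID Connect ID token or userinfo response) before treating the email as a login, and then mints a session token bound to Google's stable `sub` identifier rather than to the email string alone. The token format is this example's own (`base64url(sub|exp).base64url(HMAC-SHA256)`), not Phoenix.Token; the secret, client id and claim values in `demo/0` are constructed, and `:crypto.mac/4` assumes OTP 22.1 or newer.

```elixir
defmodule GoogleLogin do
  @moduledoc """
  Added example (not from the original post or the OAuth2 library).
  Validates a Google claim set and issues an HMAC-signed session token.
  """

  import Bitwise, only: [bor: 2]

  # Values Google places in the `iss` claim of its ID tokens.
  @issuers ["https://accounts.google.com", "accounts.google.com"]

  @doc """
  Returns {:ok, %{sub: ..., email: ...}} only when the claims were issued by
  Google for *this* client id, are unexpired, carry a subject, and the email
  is marked verified. Relying on `email` without `email_verified` lets an
  unverified address be treated as an identity.
  """
  def validate_claims(claims, client_id, now \\ System.system_time(:second)) do
    cond do
      claims["iss"] not in @issuers -> {:error, :bad_issuer}
      claims["aud"] != client_id -> {:error, :bad_audience}
      not is_integer(claims["exp"]) or claims["exp"] <= now -> {:error, :expired}
      not is_binary(claims["sub"]) -> {:error, :no_subject}
      claims["email_verified"] != true -> {:error, :email_unverified}
      true -> {:ok, %{sub: claims["sub"], email: claims["email"]}}
    end
  end

  @doc "Mint a session token: base64url(sub|exp).base64url(HMAC-SHA256)."
  def sign(secret, sub, ttl_seconds, now \\ System.system_time(:second)) do
    payload = "#{sub}|#{now + ttl_seconds}"
    mac = :crypto.mac(:hmac, :sha256, secret, payload)
    Base.url_encode64(payload, padding: false) <> "." <> Base.url_encode64(mac, padding: false)
  end

  @doc "Check signature and expiry; returns {:ok, sub} or {:error, :invalid}."
  def verify(secret, token, now \\ System.system_time(:second)) do
    with [p, m] <- String.split(token, ".", parts: 2),
         {:ok, payload} <- Base.url_decode64(p, padding: false),
         {:ok, mac} <- Base.url_decode64(m, padding: false),
         true <- secure_compare(mac, :crypto.mac(:hmac, :sha256, secret, payload)),
         [sub, exp] <- String.split(payload, "|", parts: 2),
         {exp_at, ""} <- Integer.parse(exp),
         true <- exp_at > now do
      {:ok, sub}
    else
      _ -> {:error, :invalid}
    end
  end

  # Constant-time comparison so a forged MAC cannot be matched byte by byte.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    :crypto.exor(a, b)
    |> :binary.bin_to_list()
    |> Enum.reduce(0, fn byte, acc -> bor(acc, byte) end) == 0
  end

  defp secure_compare(_, _), do: false

  @doc "Runs the flow on a constructed claim set (assumed client id and secret)."
  def demo do
    now = System.system_time(:second)
    client_id = "example-client-id.apps.googleusercontent.com"  # constructed
    secret = :crypto.strong_rand_bytes(32)                       # per-deployment secret

    # Constructed claims in the shape Google returns; `sub` is the stable user id.
    claims = %{
      "iss" => "https://accounts.google.com",
      "aud" => client_id,
      "exp" => now + 300,
      "sub" => "110169484474386276334",
      "email" => "user@example.com",
      "email_verified" => true
    }

    # Tampered variant: same email, but the token was minted for another client.
    wrong_audience = %{claims | "aud" => "someone-else.apps.googleusercontent.com"}

    with {:ok, %{sub: sub}} <- validate_claims(claims, client_id, now),
         {:error, :bad_audience} <- validate_claims(wrong_audience, client_id, now),
         token = sign(secret, sub, 3600, now),
         {:ok, ^sub} <- verify(secret, token, now),
         {:error, :invalid} <- verify(secret, token <> "x", now) do
      :ok
    end
  end
end
```

Look up or create the local user by the `sub` value that `validate_claims/3` returns, and store the email as profile data; the email is the human-readable label, `sub` is the identity that survives an address change.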

As far as I know yes. ^.^;

2 Likes

In the meantime, I have read how the whole thing works and inspected the Elixir OAuth2 library code. Yes, it is in fact safe to authenticate by the email obtained from Google, since the email itself is obtained by authenticating against the Google API as an authorized API client.

2 Likes