Yeah, @pera, I hear you.
So a couple of things I don’t understand with the Ueberauth Google implementation (and for @danschultzer and the asset package)…
There are 3 config/ENV variables that these implementations rely on:
GOOGLE_CLIENT_ID
GOOGLE_CLIENT_SECRET
GOOGLE_REDIRECT_URI
The flow for both these implementations (so far as I understand it):
- A user comes to your Phoenix site and clicks on the “Google Sign In” link whose target is another Phoenix route, `/auth/google`.
- Somehow, the request to `/auth/google` redirects to the Google Sign In page for the configured client, e.g. https://accounts.google.com/signin/oauth/identifier?client_id=123
- After successfully authenticating against Google, Google makes a GET request back to your app, e.g. http://localhost:4000/auth/google/callback?code=xxxxxyyyyzzz&scope=email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&hd=mysite.com&prompt=consent
And that’s where I can’t follow what it’s doing. Is the plug checking the supplied code in the GET request from Google to verify that it actually is from Google and properly signed? Because I assume there’s something there that’s preventing randos from making GET requests against that same endpoint and having it issue a session.
How I did my implementation of this was simpler (IMO). It required only 1 config: the `GOOGLE_CLIENT_ID`. I used the Google Sign In button provided by Google – I just had to include their JS. The flow was this:
- User comes to my Phoenix site, clicks the Google Sign In button.
- The Google JS fires a popup which requests the https://accounts.google.com/signin/oauth/identifier?client_id=123 page (identified by the Google Client ID).
- After the user has successfully auth’d, execution came back to the JS, and it entered the user-defined callback. At that point, your JS has the JWT produced via the signup, and it can POST that value to any endpoint you define in your app.
- Your app would verify the signature of the JWT to make sure it hadn’t been tampered with – setting `GOOGLE_CLIENT_SECRET` and `GOOGLE_REDIRECT_URI` was not required.
Why/how is Ueberauth verifying the OAuth response?
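Added example, not Ueberauth's, Assent's or the post author's code: a stdlib-only Python model of the three-party flow laid out in the post. `FakeGoogle` is a constructed stand-in for Google's authorize and token endpoints, the client id, secret, redirect URI and test user are made-up values, and the `state` parameter is the CSRF check any callback handler should carry. What it shows is the step the post cannot see from the callback URL: in the authorization-code grant (the flow those three config variables belong to), the `code` in the callback GET is not something the app verifies on its own. It is redeemed server-to-server at the token endpoint together with the client secret and the registered redirect URI, so a forged or replayed code gets an `invalid_grant` instead of a session.

```python
"""Model of the server-side (authorization-code) login the post describes.
Constructed stand-in: FakeGoogle plays Google's authorize and token endpoints;
client id, secret and redirect URI are made-up values, not real configuration."""
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeGoogle:
    clients: dict                              # client_id -> (client_secret, registered redirect_uri)
    codes: dict = field(default_factory=dict)  # one-time code -> (client_id, redirect_uri, user)

    def authorize(self, client_id, redirect_uri, state, user):
        """The user signed in at accounts.google.com; Google now sends the browser
        back to the registered redirect_uri with a fresh one-time code and the state."""
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or registered_uri != redirect_uri:
            raise PermissionError("redirect_uri_mismatch: unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user)
        return {"code": code, "state": state}

    def token(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange (server to server, never through the browser).
        A code is redeemable once, only by the client it was issued to, and only
        with that client's secret; this is what GOOGLE_CLIENT_SECRET is for."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already redeemed code")
        issued_to, issued_uri, user = entry
        secret, _ = self.clients.get(client_id, (None, None))
        if issued_to != client_id or secret is None or not hmac.compare_digest(
            secret.encode(), client_secret.encode()
        ):
            raise PermissionError("invalid_client: bad client credentials")
        if issued_uri != redirect_uri:
            raise PermissionError("redirect_uri_mismatch")
        return {"access_token": secrets.token_urlsafe(16), "sub": user["sub"], "email": user["email"]}


class RelyingParty:
    """Your Phoenix app, reduced to the two routes named in the post."""

    def __init__(self, google, client_id, client_secret, redirect_uri):
        self.google, self.client_id = google, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri

    def auth_google(self, session):
        """GET /auth/google: mint a state value, keep it in the session, and
        build the parameters of the redirect to Google's sign-in page."""
        session["oauth_state"] = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "scope": "openid email",
                "state": session["oauth_state"]}

    def callback(self, session, query):
        """GET /auth/google/callback: the code in the query string proves nothing by
        itself. A session is issued only if state matches what this browser session
        started with and Google's token endpoint accepts the code."""
        expected = session.pop("oauth_state", None)
        if expected is None or not hmac.compare_digest(expected.encode(), query.get("state", "").encode()):
            raise PermissionError("state mismatch: login was not started by this session")
        tokens = self.google.token(query.get("code", ""), self.client_id,
                                   self.client_secret, self.redirect_uri)
        return {"sub": tokens["sub"], "email": tokens["email"]}


def _outcome(fn):
    try:
        return fn()
    except PermissionError as exc:
        return f"rejected: {exc}"


def run_scenarios():
    """Honest login plus three ways a rando can hit the callback; returns what each got."""
    redirect = "http://localhost:4000/auth/google/callback"
    google = FakeGoogle(clients={"123": ("client-secret-xyz", redirect)})
    app = RelyingParty(google, "123", "client-secret-xyz", redirect)
    alice = {"sub": "1090", "email": "alice@mysite.com"}  # constructed test user
    out = {}

    session = {}  # honest browser: /auth/google -> Google -> /auth/google/callback
    params = app.auth_google(session)
    query = google.authorize(params["client_id"], params["redirect_uri"], params["state"], alice)
    out["honest"] = _outcome(lambda: app.callback(session, query))

    # Rando GETs the callback directly with a made-up code and no login in progress
    out["forged_code_no_state"] = _outcome(lambda: app.callback({}, {"code": "xxxxxyyyyzzz"}))

    # Rando first visits /auth/google so state matches, then forges the code
    s2 = {}
    p2 = app.auth_google(s2)
    out["forged_code_with_state"] = _outcome(
        lambda: app.callback(s2, {"code": "xxxxxyyyyzzz", "state": p2["state"]}))

    # Rando replays Alice's real code (say, scraped from a log); it was already redeemed
    s3 = {}
    p3 = app.auth_google(s3)
    out["replayed_code"] = _outcome(
        lambda: app.callback(s3, {"code": query["code"], "state": p3["state"]}))
    return out


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Running it prints one accepted login and three rejections. The forged and replayed codes fail at the token endpoint, not in the callback plug, which is why the server-side flow needs the secret and the exact redirect URI that Google has on file.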
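Added example, not the post author's code, for the one-config flow in the second half of the post: the server-side check of the JWT that the Google JS POSTs back. It is stdlib-only and signs with HS256 and a shared key so it runs offline; that is a stand-in for what Google actually does (RS256, with the verification keys published at https://www.googleapis.com/oauth2/v3/certs). The claim checks are the same either way, and the `aud` check is what ties a token to your `GOOGLE_CLIENT_ID`: a token Google legitimately minted for some other app must be refused by yours. Client ids, key, timestamps and the user are constructed values.

```python
"""Verifying the ID token (a JWT) that Google's Sign-In JS hands to your endpoint.
Stand-in for offline use: HS256 with a shared key instead of Google's RS256 and
its published public keys; the claim checks are the same. Added example, not the
post author's code; client ids, key and user are constructed values."""
import base64
import hashlib
import hmac
import json
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
EXPECTED_ALG = "HS256"  # with real Google tokens this is RS256 and the key comes from Google's JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for Google minting the token after the user signs in."""
    header = _b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, client_id: str, key: bytes, now=None) -> dict:
    """Checks your POST endpoint must make before trusting the token: signature,
    issuer, audience (your client id) and expiry. Raises ValueError on failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError(f"malformed token: {exc}") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token: header and payload must be objects")
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued for a different client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def run_checks():
    """A good token and four bad ones; returns the verifier's verdict for each."""
    key = b"stand-in-for-googles-signing-key"  # constructed; real code fetches Google's public keys
    my_client_id = "123.apps.googleusercontent.com"
    now = 1_700_000_000
    base = {"iss": "https://accounts.google.com", "aud": my_client_id, "sub": "1090",
            "email": "alice@mysite.com", "hd": "mysite.com", "iat": now, "exp": now + 3600}

    def check(token):
        try:
            verify_id_token(token, my_client_id, key, now=now)
            return "accepted"
        except ValueError as exc:
            return str(exc)

    out = {"valid": check(sign_id_token(base, key))}
    # Genuine token, but minted for someone else's client id
    out["other_client"] = check(sign_id_token({**base, "aud": "999.apps.googleusercontent.com"}, key))
    out["expired"] = check(sign_id_token({**base, "exp": now - 1}, key))
    # Payload edited after signing, original signature kept
    header, payload, sig = sign_id_token(base, key).split(".")
    forged = _b64url(json.dumps({**base, "email": "mallory@mysite.com"}).encode())
    out["tampered"] = check(f"{header}.{forged}.{sig}")
    # Classic "alg": "none" with an empty signature
    none_header = _b64url(json.dumps({"alg": "none"}).encode())
    out["alg_none"] = check(f"{none_header}.{payload}.")
    return out


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

Swapping the HS256 stand-in for Google's real keys means pinning `EXPECTED_ALG` to RS256 and selecting the public key by the token header's `kid` from the JWKS document; everything after the signature check stays as written.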