OAuth2: Configuring Google for OAuth2/OIDC

Google’s identity platform supports both OAuth2 and OIDC: OAuth2 lets an application obtain authorization to act on a user’s behalf, and OIDC layers authentication on top of it, so the application also learns who the user is (via a signed ID token).

In this article, I will show how to use the Google Cloud web console to configure an OAuth client that supports OAuth2/OIDC.  We will then use a small, local Docker image to play the OAuth2 “Client Application” side and smoke test the configuration.

Prerequisites

Create OAuth2 Application in the Google console

Make sure you have selected your project from the upper left pulldown.  Then from the main hamburger menu, select “APIs & Services” > “Credentials”.  The direct URL is:

https://console.cloud.google.com/apis/credentials

Press “+ Create Credentials” as shown below, then select “OAuth client ID”.

This will take you to the “Create OAuth client ID” page, where you should select Application type=“Web application”, Name=“googletest1”, and add the Authorized redirect URI “http://localhost:8080/login/google/callback”.  Press “Create”.  Google matches the redirect URI exactly (scheme, host, port and path), so it must be identical to the redirect_uri the client application sends later; a mismatch produces a redirect_uri_mismatch error at login time.

This will save the client and pop up a dialog that shows you the OAuth2 client ID and client secret.  Save these values, because you will need them for testing in the next section.  The client secret authenticates your application to Google, so keep it out of source control and never expose it to the browser.

Validate flow with sample Client Application

You now have the necessary Google configuration to support OAuth2/OIDC from the “Authorization Server” (in OIDC terms, the OpenID Provider) perspective. You can validate it by using your browser and a small local web application that will serve as the OAuth2 “Client Application” entity.

I would recommend you open your browser’s developer tools (F12 in Firefox and Chrome) and keep the Network tab visible, so you can follow along with the requests and redirects being made.

I have built a small Docker image, written in Go, that plays the role of the “Client Application”: it starts a web server on localhost:8080 and is ready to accept the authorization code back from Google at “http://localhost:8080/login/google/callback”.

export AUTH_SERVER=accounts.google.com
export AUTH_PROVIDER=google

# OAuth2 client ID from the console, will end with 'apps.googleusercontent.com'
export CLIENT_ID=<the oauth2 client id>
export CLIENT_SECRET=<the oauth2 client secret>

# the 'openid' scope is what turns this into an OIDC request and returns an ID token
export SCOPE="openid profile email"

# remove any older container runs (ignore the error if none exists)
docker rm oauth2-client-app-golang 2>/dev/null || true

# run docker image locally, listening on localhost:8080
# --network host shares the host network namespace, so no -p port mapping is needed;
# if your Docker runtime does not support host networking, drop --network host and use -p 8080:8080
docker run -it --rm \
--name oauth2-client-app-golang \
--network host \
-e AUTH_PROVIDER=$AUTH_PROVIDER \
-e AUTH_SERVER=$AUTH_SERVER \
-e CLIENT_ID=$CLIENT_ID \
-e CLIENT_SECRET=$CLIENT_SECRET \
-e SCOPE="$SCOPE" \
fabianlee/oauth2-client-app-golang:1.0.0

Pointing your browser at http://localhost:8080 will show a simple web page with a login link.

Press “OIDC LOGIN to google” and it will take you to “localhost:8080/login/”, which silently redirects the browser to Google at “https://accounts.google.com/o/oauth2/v2/auth” with the client_id, scope and redirect_uri parameters (plus response_type=code, since this is the authorization code flow).  In the developer tools you can confirm that the redirect_uri sent here is exactly the one registered in the console.

Google will then display a login form where you can enter the credentials of a valid user.  Use the same credentials that you used to sign into the developer console.

Google may also ask for 2FA (two-factor authentication), such as a Google prompt in the YouTube app on your phone or a hardware YubiKey.

Once the Google login process completes, in the browser developer tools you will see Google redirect the browser (HTTP 302) back to “http://localhost:8080/login/google/callback” with a code query parameter.  This authorization code is short-lived and single-use, and on its own it is useless to anyone who does not also hold the client secret.

Invisibly to the end user, the Client web application then exchanges this code for an ID token and an access token via a server-side POST to https://oauth2.googleapis.com/token, sending grant_type=authorization_code, the code, the same redirect_uri, and its client_id and client_secret.

The decoded JWT ID token and the raw access token are then shown in the browser.  Note that Google’s access token is an opaque string, not a JWT; only the ID token is a JWT.  It is the ID token, after verifying its signature, issuer, audience and expiry, that tells the Client Application who logged in; the access token is for calling Google APIs on the user’s behalf.
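As an added example (not code from the oauth2-client-app-golang image or from Google), the following Go program shows the client-side checks the flow above implies: building the authorization request with a state and nonce, validating the callback before accepting the code, assembling the token-exchange form, and verifying the ID token’s RS256 signature and its iss, aud, exp and nonce claims before trusting anything in it. The function names, the throwaway signing key and the constructed claims are assumptions made for this example; a real client verifies against Google’s published signing keys rather than minting its own token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const authzEndpoint = "https://accounts.google.com/o/oauth2/v2/auth" // Google's authorization endpoint (named above)

// AuthorizeURL builds the redirect the client app sends the browser to. state ties the callback to
// this browser session (CSRF defense); nonce is echoed back inside the ID token (replay defense).
func AuthorizeURL(clientID, redirectURI, scope, state, nonce string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {scope}, "state": {state}, "nonce": {nonce}} // redirect_uri must match the console entry exactly
	return authzEndpoint + "?" + q.Encode()
}

// CodeFromCallback pulls the authorization code out of the callback query string, rejecting it
// if Google reported an error or the state does not belong to this session.
func CodeFromCallback(q url.Values, wantState string) (string, error) {
	switch {
	case q.Get("error") != "":
		return "", fmt.Errorf("authorization server returned error %q", q.Get("error"))
	case q.Get("state") != wantState:
		return "", fmt.Errorf("state mismatch: possible CSRF or stale session")
	case q.Get("code") == "":
		return "", fmt.Errorf("callback carried no code")
	}
	return q.Get("code"), nil
}

// TokenExchangeForm is the body POSTed server-side to https://oauth2.googleapis.com/token with the client secret.
func TokenExchangeForm(code, clientID, clientSecret, redirectURI string) url.Values {
	return url.Values{"grant_type": {"authorization_code"}, "code": {code}, "client_id": {clientID},
		"client_secret": {clientSecret}, "redirect_uri": {redirectURI}} // redirect_uri repeats the authorize value
}

// VerifyIDToken checks the RS256 signature with the issuer's public key (in production, the key from
// https://www.googleapis.com/oauth2/v3/certs whose kid matches the header), then iss, aud, exp and nonce.
func VerifyIDToken(idToken string, pub *rsa.PublicKey, clientID, nonce string, now time.Time) (map[string]any, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id_token is not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed header or alg is not RS256") // never accept alg=none or HS256 here
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signs the raw header.payload text
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature check failed")
	}
	var claims map[string]any
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	str := func(k string) string { s, _ := claims[k].(string); return s }
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	switch iss := str("iss"); {
	case iss != "https://accounts.google.com" && iss != "accounts.google.com": // Google uses both issuer forms
		return nil, fmt.Errorf("unexpected issuer %q", iss)
	case str("aud") != clientID:
		return nil, fmt.Errorf("token was not issued for this client_id")
	case exp == 0 || !now.Before(time.Unix(int64(exp), 0)):
		return nil, fmt.Errorf("token expired")
	case str("nonce") != nonce:
		return nil, fmt.Errorf("nonce mismatch: token not bound to this login")
	}
	return claims, nil
}

// mintIDToken signs constructed claims with a throwaway key so the verifier can be exercised offline,
// returning the matching public key. Real ID tokens are signed by Google's keys, never by the client.
func mintIDToken(claims map[string]any) (string, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // test-only key
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), &priv.PublicKey
}

func main() {
	id, uri := "1234.apps.googleusercontent.com", "http://localhost:8080/login/google/callback"
	fmt.Println(AuthorizeURL(id, uri, "openid profile email", "state-abc", "nonce-xyz"))
	tok, pub := mintIDToken(map[string]any{"iss": "https://accounts.google.com", "aud": id, "email": "user@example.com",
		"nonce": "nonce-xyz", "exp": float64(time.Now().Add(time.Hour).Unix())})
	fmt.Println(VerifyIDToken(tok, pub, id, "nonce-xyz", time.Now()))
}
```

The state value must be generated per login attempt and stored in the user’s session before the redirect, and the nonce likewise; both are compared on the way back, which is what stops an attacker from completing the callback with a code or token obtained in a different session. The hard-coded alg check matters too: a verifier that honours whatever alg the token header claims can be talked into alg=none or into treating the RSA public key as an HMAC secret.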


REFERENCES

Google, OIDC support

Google, OAuth2 support

Google, OAuth2 scopes

Google, Creating projects

fabianlee github, oauth2-client-app-golang

fabianlee dockerhub, oauth2-client-app-golang

stackoverflow, access_token is not JWT but ID token is (related to oauth2 versus oidc)

github issue, access token from google is not JWT

stackoverflow, decoding JWT token in GoLang with jose