user3498493

Secure Google Redirect URL

I enabled the Google Login option on my website, from which I get UserInfo and Email. I am using the Google APIs Client Library for PHP.

I set redirect URL to

$client->setRedirectUri('http://login.example.com/authenticate/redirect_back');

and the same in the Google Developers Console. So after a successful user login, Google redirects back to

http://login.example.com/authenticate/redirect_back?code=4/gdtpUtOQ3ThblOTVnhEOtoeoeNRa.AqLKJLKDJxy_bnfDxpKmSx6cjgI

Now my question is: "What if somebody intentionally creates code=4/xzzzz?", because Google openly shows where it is going to redirect (see the screenshot link; sorry, I cannot post images with < 10 reputation).

Google Auth Screenshot

I tried it myself with a dummy value and it got authenticated, but it throws a fatal error with invalid_grant when getting UserInfo. Is there a way to validate the code value right after Google redirects back?

Upvotes: 1

Views: 1333

Answers (1)

Sambhav Sharma

Reputation: 5860

I guess you do not need to secure the Google Redirect URL.

Because the flow of authentication clearly says that,

once the user grants the basic permission to access their data, the user is redirected back to your website with an authentication code. The code is used to obtain an access token; using the access token, the application can access the current user's data from Google, which can be used to register and log in the user.

So if a user tries to hit the callback URL with an arbitrary code, Google will not be able to authenticate the user and provide you with the user info and email. Hence, you will not be able to register/log in the user.

Upvotes: 1
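As an added example (not code from the question or the answer), here is how the redirect_back handler can be structured so that the only thing a forged code can do is fail the token exchange: a random state value is bound to the browser session before the redirect, and the profile is only fetched after Google's token endpoint has accepted the code. It assumes the google/apiclient v2 library installed via Composer, PHP 5.6+ for hash_equals/random_bytes, and a hypothetical client_secret.json path.

```php
<?php
// Added example; assumes google/apiclient v2 via Composer and a
// placeholder credentials file path (not taken from the question).
require_once __DIR__ . '/vendor/autoload.php';

session_start();

$client = new Google_Client();
$client->setAuthConfig(__DIR__ . '/client_secret.json');   // placeholder path
$client->setRedirectUri('http://login.example.com/authenticate/redirect_back');
$client->addScope(['openid', 'email', 'profile']);

if (!isset($_GET['code'])) {
    // Step 1: start the flow. The random state binds this browser session to the
    // redirect that comes back, so a code pasted in by someone else is rejected early.
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    $client->setState($state);
    header('Location: ' . $client->createAuthUrl());
    exit;
}

// Step 2: redirect_back handler. Check state before touching the code at all.
if (!isset($_GET['state'], $_SESSION['oauth2_state'])
    || !hash_equals($_SESSION['oauth2_state'], $_GET['state'])) {
    http_response_code(400);
    exit('OAuth state mismatch');
}
unset($_SESSION['oauth2_state']);   // one-time use

// Step 3: the only real validation of "code" is the exchange at Google's token
// endpoint. A made-up value such as 4/xzzzz comes back here as invalid_grant.
$token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
if (isset($token['error'])) {
    error_log('OAuth token exchange failed: ' . $token['error']);   // e.g. invalid_grant
    http_response_code(401);
    exit('Login failed');
}

// Step 4: only now fetch the profile; nothing below runs for a rejected code.
$oauth2   = new Google_Service_Oauth2($client);
$userinfo = $oauth2->userinfo->get();
$_SESSION['user_email'] = $userinfo->email;
```

The state check is what stops a code from another user's login being replayed into your session; the token exchange is what rejects a fabricated code, so there is no separate local check of the code value to add.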
