williamsandonz
Reputation: 16430
Is creating a user in my database from gapi.client.oauth2.userinfo secure?
I am registering a button with gapi.signin.render
I then use gapi.client.load('oauth2', 'v2');
and gapi.client.oauth2.userinfo.get().execute();
I send the user email and name to my server to create an account for the user. My concern is, anyone could POST that info to my server, I'm not verifying anything.
Is there a GET url that Google provides that I send the Access token to and receive the email back to ensure that the user has authorised? Figure I must be missing something :-/
Upvotes: 0
Views: 87
Answers (1)
abraham
Reputation: 47873
It is not safe to just send the profile details via ajax. You should send the access_token to the server and have the server perform an authenticated people.get API request to get the details.
GET https://www.googleapis.com/plus/v1/people/me?access_token=xyz123
Upvotes: 1
Related Questions
- Google Sign-In, Database Side
- Creating a Google authentication service with users stored in own database in Golang
- How to securely insert and user user info in databases when using Google sign-in Api
- Storing Google API credentials in a database. Is it secure?
- get user information into database in google authentication
- Google OAuth2 - Correct Usage?
- Google API: Authenticating with oauth user id
- Create Google Users using API
- Google OAuth2 acceptable use
- Google OAuth 2.0 User id datatype for MYSQL