Reputation: 9132
We have a Spring Boot web app which uses JWT-based authentication/authorisation.
Now, we want to add OAuth2 support so that users can log in using their Google account.
That would be easy to do using Spring Security.
However, the requirement is a bit different.
If the user wants to use the Google login functionality, they first need to link their Google account. Basically, log in to our application using their credentials, and on their profile page link their Google account.
The flow would be something like the following:
POST /users/{userId}/accounts
which will receive the token returned by Google
My question is, for step 4, what is the best practice for that? How can I use all the stuff that Spring Security is offering to achieve this?
Thank you in advance,
Upvotes: 1
Views: 252
Reputation: 75934
You have the authorization code and you exchange it for an access token, all over HTTPS and all in the backend.
There is no need to validate the access token (I don’t think Spring Security even does this part for integration with Google) at your end.
This should be done by Google when you request its resource.
Upvotes: 1
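The linking endpoint from the question, combined with the back-channel exchange the answer describes, as an added example that is not code from either poster. It assumes Spring Framework 6.1+ (`RestClient`), that the request carries the authorization code as a `code` parameter, that `Authentication.getName()` returns the application's user id, and that the `openid` scope was requested; `LinkedAccountStore` and the `app.google.*` property names are hypothetical.

```java
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.client.RestClient;
import org.springframework.web.server.ResponseStatusException;

@RestController
class GoogleAccountLinkController {
    // Hypothetical persistence hook standing in for the application's own user store.
    interface LinkedAccountStore { void link(String userId, String provider, String subject); }
    private final RestClient http = RestClient.create();
    private final LinkedAccountStore store;
    private final String clientId, clientSecret, redirectUri;

    GoogleAccountLinkController(LinkedAccountStore store,
            @Value("${app.google.client-id}") String clientId, // hypothetical property names
            @Value("${app.google.client-secret}") String clientSecret,
            @Value("${app.google.redirect-uri}") String redirectUri) {
        this.store = store; this.clientId = clientId;
        this.clientSecret = clientSecret; this.redirectUri = redirectUri;
    }

    @PostMapping("/users/{userId}/accounts")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    void link(@PathVariable String userId, @RequestParam String code, Authentication caller) {
        // The caller's existing JWT session must belong to the profile being linked.
        if (caller == null || !caller.getName().equals(userId)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
        }
        // Exchange the authorization code for an access token, server to server over HTTPS.
        var form = new LinkedMultiValueMap<String, String>();
        form.add("grant_type", "authorization_code");
        form.add("code", code);
        form.add("client_id", clientId);
        form.add("client_secret", clientSecret);
        form.add("redirect_uri", redirectUri);
        Map<?, ?> token = http.post().uri("https://oauth2.googleapis.com/token")
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .body(form).retrieve().body(Map.class);
        // Google checks the access token itself when its userinfo resource is requested.
        Map<?, ?> profile = http.get().uri("https://openidconnect.googleapis.com/v1/userinfo")
                .headers(h -> h.setBearerAuth((String) token.get("access_token")))
                .retrieve().body(Map.class);
        store.link(userId, "google", (String) profile.get("sub"));
    }
}
```

`retrieve()` throws on any 4xx/5xx reply from Google, so a rejected code or token never reaches `store.link`.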