Reputation: 25172
OAuth2 flow in full-stack NestJS application
Yet another OAuth2 question that isn't quite covered elsewhere.
I'm using NestJS backend, React frontend, Passport and my own DB for authentication. Trying to add an OAuth2 identity provider (Google).
I configured my NestJS app as an OAuth Client. After logging in I'm receiving the callback at which point I have an access_token and the requested user details extracted from the payload of the id_token. This is encapsulated in a class extending PassportStrategy(Strategy, 'google') and an AuthGuard('google') and much of it is handled automatically. Code here.
At this point however, I need to maintain an authenticated session between backend (NestJS) and frontend (React). I suppose I need a JWT, but I'm wondering about the best approach:
- Can I use a token provided by the IdP (e.g.
id_tokenoraccess_token)? So that I don't have to worry about issuing tokens myself. I.e. the frontend receives the token (either from backend, or the IdP directly), sends it on every request, backend verifies it with the IdP on every request (verifyIdTokenorgetTokenInfoofgoogle-auth-library).
One drawback here is the extra network request every time. I'm not sure if there's a need for that because the IdP is only used to identify the user, not for access to other resources. Another drawback is that I need to store a refresh token and handle when the token expires (get new one, update it on the frontend).
- So alternatively, could I just issue a JWT myself and not worry about checking in with the IdP? Once the JWT expires I'd need to prompt the user to log in again. In this case, I wouldn't need to store the IdP tokens. But is this good practice? One issue I can think of is that I won't detect if the user revokes access in the IdP (until the JWT expires).
Upvotes: 6
Views: 12662
Answers (2)
Reputation: 827
probably my solution would be helpful.
you could access complete source code of my app that implemented with react typescript (redux toolkit rtk Query) and nestjs included of google oauth2 flow with passport.js. resource
Upvotes: 0
Reputation: 25172
I ended up issuing my own JWT tokens and managing User sessions in my app, as described in this article: OAuth2 in NestJS for Social Login (Google, Facebook, Twitter, etc)
Upvotes: 2
Related Questions
- How to pass state during Nest.js Authentication flow
- NestJS jwt-passport Authentication
- How to build authorization service with NestJS?
- NestJS Authentication with Auth0 via `passport-jwt`
- NestJs authentication using jwt and private and public key
- NestJS : Auth guard flow
- Nestjs passport authentication with multiple strategies
- authentication using nestjs, passport with JWT strategy
- passport google oauth on localhost
- Implementing OAuth1 in NestJs