JJ Pell

Reputation: 941

Do I need to send Google OAuth access token and ID token to my backend server?

I have a SPA and a backend API service. The Google user signs in to the SPA, at which point I obtain their access token & ID token.

The backend service uses Google identity to authenticate users of it using the ID token. However, one of the backend service's features needs to request data from the Google Analytics API, which requires the user's access token.

In this scenario do I send both the ID token and access token to my backend service?

Upvotes: 4

Views: 2262

Answers (1)

Michal Trojanowski

Reputation: 12322

Yes, in this scenario you could send the access token to your backend service so that it can contact Google's API. In most cases, access tokens are used as bearer tokens, which means that any client in possession of that token can use it to call the API. That's why you can pass a token issued to the SPA to a backend service and still be able to call Google's API.

At the same time, you should think of security implications. You should not send the access token to any services that you're not in control of. Meaning, you should not send the access token to service XYZ because that service needs it to call Google's API with a user's token if service XYZ is not under your control.

Upvotes: 6
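Because a bearer token works for whoever presents it, a backend that accepts one from the SPA can first confirm the token was issued to its own client and to the same user as the ID token. The following is an added example, not part of the answer above: it checks the JSON that Google's `https://oauth2.googleapis.com/tokeninfo?access_token=...` endpoint returns for an access token. The function name, client ID and sample values are constructed, and it assumes the SPA requested the `openid` scope so that the response carries `sub`.

```javascript
// Added example: validate a Google access token forwarded by the SPA before
// the backend uses it. All names and sample values here are constructed.
const ANALYTICS_SCOPE = "https://www.googleapis.com/auth/analytics.readonly";

// `info` is the parsed tokeninfo response for the access token.
// `idTokenSub` is the `sub` claim of the ID token the backend already verified.
function checkForwardedAccessToken(info, { clientId, idTokenSub, nowSec }) {
  if (!info || typeof info !== "object") {
    return { ok: false, reason: "no tokeninfo response" };
  }
  // Confirm the token was issued to our own OAuth client and not to
  // some other application that obtained it for the same user.
  if (info.aud !== clientId) {
    return { ok: false, reason: "token issued to a different client" };
  }
  // Bind the access token to the user who authenticated with the ID token.
  if (!info.sub || info.sub !== idTokenSub) {
    return { ok: false, reason: "token belongs to a different user" };
  }
  // `exp` arrives as a string of seconds since the epoch.
  const exp = Number(info.exp);
  if (!Number.isFinite(exp) || exp <= nowSec) {
    return { ok: false, reason: "token expired" };
  }
  // Only proceed if the user actually granted the Analytics scope.
  const scopes = String(info.scope || "").split(" ");
  if (!scopes.includes(ANALYTICS_SCOPE)) {
    return { ok: false, reason: "analytics scope not granted" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample, shaped like a tokeninfo reply for an access token.
const sampleInfo = {
  aud: "1234567890-example.apps.googleusercontent.com",
  sub: "110000000000000000001",
  scope: "openid email " + ANALYTICS_SCOPE,
  exp: "1700003600",
};
const expected = {
  clientId: "1234567890-example.apps.googleusercontent.com",
  idTokenSub: "110000000000000000001",
  nowSec: 1700000000,
};
```

The backend would reject the request on any `ok: false` result and call the Analytics API only after this check passes.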
