Reputation: 1558
We have a SPA web application that supports OpenID Connect login from external Identity providers. Our application supports different user types (roles). We want to support Sign in with Google using Google Identity service (https://developers.google.com/identity/protocols/oauth2/openid-connect) but the Access Token seems to be for Google APIs only (we want to protect our own APIs). The ID Token is a JWT we can validate, but there is nothing in the claims we can use for Authorization.
Is it possible to add custom claims to the Google ID token that we can use for Authorization?
From the link above...
This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification, and is OpenID Certified
I guess this means they ONLY support Authentication and not Authorization? Is this true? Or is there some other Google service we need to use to get user roles (Google Cloud IAM, etc.)?
How does Google expect us to Authorize users they Authenticate?
Upvotes: 1
Views: 521
Reputation: 19921
To get control over what the tokens contain, my recommendation is to add a separate identity provider in between your applications and Google. In this way, your applications only need to trust your local provider; it can provide the tokens that you need, and you can add additional user information/claims to the tokens.
Just like this picture tries to show:
Upvotes: 0
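An added illustration of the broker pattern this answer recommends (example code, not the answerer's): a stand-in local identity provider takes the claims of a Google ID token whose RS256 signature has already been verified against Google's published JWKS (that check is assumed, not repeated), looks up the user's roles in a local store, and issues its own token carrying a `roles` claim; the SPA's APIs then trust only the local issuer. The secret, issuer name, audience, client id and subject ids are constructed placeholders, and HS256 is used only to keep the example self-contained.

```python
import base64, hashlib, hmac, json
# Constructed demo values; a real deployment uses an asymmetric key published via JWKS.
BROKER_SECRET = b"constructed-demo-hs256-secret"
BROKER_ISSUER = "https://idp.example.invalid"        # hypothetical local identity provider
API_AUDIENCE = "example-spa-api"                      # hypothetical audience for your own APIs
GOOGLE_CLIENT_ID = "000000-example.apps.googleusercontent.com"  # placeholder client id
ROLE_DIRECTORY = {"constructed-sub-1": ["admin", "user"]}      # local role store keyed by Google sub

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT using only the standard library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def broker_exchange(google_claims: dict, now: float) -> str:
    """Local IdP: accept claims of a signature-verified Google ID token, add roles, issue our token."""
    if google_claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise ValueError("not a Google-issued token")
    if google_claims.get("aud") != GOOGLE_CLIENT_ID:
        raise ValueError("ID token was issued to another client")
    if google_claims.get("exp", 0) <= now or not google_claims.get("email_verified"):
        raise ValueError("expired token or unverified e-mail")
    roles = ROLE_DIRECTORY.get(google_claims["sub"], ["guest"])  # authorization data lives locally
    local = {"iss": BROKER_ISSUER, "aud": API_AUDIENCE, "sub": google_claims["sub"],
             "roles": roles, "iat": now, "exp": now + 600}
    return sign_jwt(local, BROKER_SECRET)

def api_authorize(token: str, required_role: str, now: float) -> bool:
    claims = verify_jwt(token, BROKER_SECRET, BROKER_ISSUER, API_AUDIENCE, now)  # trust local issuer only
    return required_role in claims.get("roles", [])
```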