0
votes

Let's say I have created my own application. We have a React front end and a RESTful API as the backend, and we are using Google OAuth for authorization of our users. The front end makes calls to the APIs. The front end uses the Authorization Code Flow of OAuth. After getting an access token from the Google OAuth server, the front end uses this token to make calls to my backend.

Now a malicious user will get my API's URL and the other information required for the REST API from the Chrome Network tab and can call the APIs directly with the access token.

Questions:

How will my REST API know where the request is coming from?

Also, how will it validate the access token?

Is it possible that once a user has got all the information about my REST API, they can call it directly with a fake access token?

I have looked into the diagram for the Authorization Code Flow. Below is the link. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types

But how will the web API validate the token?

Please guide me if I am lacking some information.

2 Answers

1
votes

Google's OAuth server will issue your front end a JSON Web Token (JWT). This token is signed by Google's private key. Your API needs to:

  1. Obtain Google's public key and
  2. Verify the signature of the JWT.

If that is valid, the token originated from Google. If not, it didn't come from Google or was tampered with.

After this, your API needs to do a few additional checks:

  • Check the expiration time and see that it's not in the past. This can be found in the exp claim.
  • Check that the token is not only from Google but for your API. This can be done by looking at the aud (audience) claim and seeing that it's for you.
  • Check when the token was issued, and ensure that it's not in the future. The issuance time is in the iat claim.
  • Check that you should start using it already, and there wasn't some sort of embargo on the usage period. This will be indicated in the not-before claim (nbf).
  • Check that the type of token is an access token (as opposed to an ID token).

(You can find a longer, more detailed description in this howto.)

If you do these things, you can be sure that Google issued the token and that it was intended for your API. It does not indicate to your API that the caller was your front end. The reason is that the token is a "bearer token", meaning the token is bound only to the one that bears or presents it. To ensure that only your app provides the token, you need it to prove possession of a private key. This is not possible when using Google as your token issuer (to my knowledge).

1
votes

My question is basically how my REST API validates the integrity of the token. I found the link: https://developers.google.com/identity/sign-in/android/backend-auth