
I am using OAuth Flow in my web app. My web app interacts with Google Calendar API, and users authenticate by Signing In with Google (using their Gmail account).

I just wanted to make sure that my understanding and usage of Authentication Tokens and Access Tokens is correct:

  1. The JWT ID Token is only needed during Sign-in. We just need to validate it once during Sign-in like so: client.verifyIdToken({idToken: token, audience: CLIENT_ID}). The ID Token is not used to Authenticate a user to My Web App. Reference: https://developers.google.com/identity/sign-in/web/backend-auth

  2. This JWT ID Token is completely different from the Authentication Token I pass along to My Web App's secured (authenticated) endpoints. The Authentication Token represents a user's session, and it can be generated using any library (i.e. crypto.generateRandomNumber()).

  3. On the other hand, I will have many Access Tokens, which I use to access third-party APIs (i.e. Slack API, Google Calendar API). These Access Tokens are different from the JWT ID Token and Authentication Token mentioned above.

Is my understanding/implementation correct? At one point, I was actually using my Google Calendar API Access Token as my Web App's Authentication Token, but realized this may be wrong. The Access Token would Authorize a user to use Google/Third-Party APIs, but I need a separate Authentication Token to Authenticate users into My Web App.


1 Answer


The JWT ID Token is only needed during Sign-in

Correct. This is called OpenID Connect; the ID token is used to verify that the user behind the computer is the owner of the account, as they know the login and password. Think of it as your birth certificate: it proves you are you.

This JWT ID Token is completely different from the Authentication Token

Correct. The ID token, or OpenID Connect, is built on top of OAuth2, which is used for authorization.

The Authentication Token represents a user's session, and it can be generated using any library.

Incorrect. OAuth2 allows your application to request the consent of the user, who has been authenticated via OpenID Connect, in some cases to grant the application access to their data. It has nothing to do with a session. With an access token, your application has access to data for an amount of time; with a refresh token, your app would be able to request a new access token whenever it expires. Consider authentication as more like your driver's license: you are authorized to drive a car.

I will have many Access Tokens, which I use to access third-party APIs

Correct. Each third-party API has its own authorization server. Your app will need to be registered with them; they give you a client ID and secret, which you can use to generate access tokens to access your users' data via their API.

Client ID + client secret + user consent = access token & refresh token to the API, for the scope granted

At one point, I was actually using my Google Calendar API Access Token as my Web App's Authentication Token, but realized this may be wrong.

Pre-OpenID Connect, this probably happened a lot, and still does.

The Access Token would Authorize a user to use Google/Third-Party APIs, but I need a separate Authentication Token to Authenticate users into My Web App.

Technically, yes, you do. But if you have an internal login system where your users create accounts in your system, then that is your authentication there; you're just requesting additional authorization to the user's Google account, and you can store their refresh token as part of your internal authentication.

You can use multiple authentication providers (Facebook, Twitter, Google), but it's best to have an internal one that maps them all together; otherwise the user may end up with three accounts in your system.