I have to develop a RESTful API for a mobile application and I have some concerns about the flow of the communication between those parts. I'm new to the API development for mobile devices and OAuth.
The project in common should work this way:
- users are allowed to log in using only their Google accounts
- the mobile application uses the website API and all the information is stored on the backend
I found a similar question here ("OAuth on REST API for mobile app") and I prefer the first solution from it, but I have some questions about the security of this solution.
1) Should I use OAuth2 for the API? I'm not sure it's a good idea just to send the user's Google ID to the API to get user's data.
2) How can I check on the server that the Google ID is correct and actual? Or it's not important at all?
I'm thinking about this scenario, but I'm not sure it's the best solution:
1) The user logs in on the mobile application for the first time using his Google Account.
2) The mobile application receives Google ID and some additional information.
3) The mobile application sends the Google ID to the server.
4) The server uses OAuth2. It creates an account for the user (saving the Google ID in the database) and returns an access token to the mobile application.
5) The mobile application stores the access token locally and uses it for requests to the server. Once the access token expires, the user has to log in to the mobile application again using his Google account.
I have some concerns about using just Google ID for generating a token. I mean, anybody can just use somebody's Google ID to create a token. Bad idea :(
Also should I use JWT better as a token?
Thanks for your help!
`id_token` to the API instead
There are a couple of different ways in which you can validate the integrity of the ID token on the server side:
a) "Manually" - constantly download Google's public keys, verify signature and then each and every field, including the `iss` one; the main advantage (albeit a small one in my opinion) I see here is that you can minimize the number of requests sent to Google.
b) "Automatically" - do a GET on Google's endpoint to verify this token: `https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}`
c) Using a Google API Client Library.
As for the workflow, it's mostly correct, except for the last step, where you can instead refresh an access token without prompting the user for permission. Btw, Google's `id_token` is actually a JWT.
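The server-side step discussed above, as an added example that is not part of the original answer: once the ID token's signature has been verified (by the tokeninfo endpoint or a client library), the API still has to check the claims before it creates the account and issues its own access token. The client ID, the in-memory `users` and `sessions` stores and the sample claims are assumptions made for illustration.

```python
import secrets
import time

# Issuer values Google uses in the iss claim of its ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder

class InvalidIdToken(Exception):
    pass

def check_google_claims(claims, client_id, now=None):
    """Check claims whose signature was already verified; return the user id (sub)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise InvalidIdToken("unexpected issuer")
    # A token minted for another app must not log anyone in to this API.
    if claims.get("aud") != client_id:
        raise InvalidIdToken("token was issued to a different client")
    try:
        exp = int(claims["exp"])  # tokeninfo returns numeric fields as strings
    except (KeyError, TypeError, ValueError):
        raise InvalidIdToken("missing or malformed exp")
    if exp <= now:
        raise InvalidIdToken("token expired")
    if not claims.get("sub"):
        raise InvalidIdToken("missing sub")
    return claims["sub"]

def login(claims, users, sessions, client_id=CLIENT_ID, now=None):
    """Create the account on first login and return this API's own access token."""
    sub = check_google_claims(claims, client_id, now)
    users.setdefault(sub, {"email": claims.get("email")})
    token = secrets.token_urlsafe(32)  # opaque token, stored server side
    sessions[token] = sub
    return token

# Constructed sample of verified claims (not real data).
SAMPLE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
          "sub": "110000000000000000001", "email": "user@example.com",
          "exp": "2000000000"}

if __name__ == "__main__":
    users, sessions = {}, {}
    print(login(SAMPLE, users, sessions, now=1_900_000_000), users)
```

The account is keyed on `sub` taken from the verified claims, so a Google ID sent on its own by the client is never accepted as proof of identity.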