I'm testing google singin for a SPA js+nodejs app. I've added this:
<script src="https://apis.google.com/js/platform.js" async defer></script>
and these:
<meta name="google-signin-client_id" content="YOUR_CLIENT_ID.apps.googleusercontent.com">
<div class="g-signin2" data-onsuccess="onSignIn"></div>
in html5/js client side. following this guide:
https://developers.google.com/identity/sign-in/web/sign-in
when the users authenticate the library gets the token and pass it to the server as explained here:
https://developers.google.com/identity/sign-in/web/backend-auth
on server side (nodejs) the token is verified using this function:
client.verifyIdToken(
token,
CLIENT_ID,
// Or, if multiple clients access the backend:
//[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3],
function(e, login) {
var payload = login.getPayload();
var userid = payload['sub'];
// If request specified a G Suite domain:
//var domain = payload['hd'];
});
MY QUESTION IS: when is the client_secret used? as I've used CLIENT_ID front end to get the auth token from google then I've used CLIENT_ID server side for token verification. I thought that the token could have been verified using client_secret (that is SECRET) known only server side so that no one else getting the token can auth that user. What am I missing?
It appears the Client you have created is a Public client , The Client Secret is used in a Private Client .
Edit : I am sorry I used the term private client instead of Confidential client . Basically we have 2 types of clients in Oauth2
Public Clients :- These are clients which don't need a client secret .
Private Clients :- These clients have a Client secret .
I cannot give you a very certain answer as to why you do not get to see your client-secret as I have not worked with these specific libraries before , however it seems to me that may be you had a created a public client instead of a Confidential one .