We currently have a backend authentication mechanism in place that utilizes JWT tokens. Users sign in or sign up using email and password, and upon successful authentication, the backend issues JWT tokens which are stored in the frontend's local storage or cookies. These tokens are essential for user authentication throughout the application.
Now, we're looking to incorporate Google OAuth into our authentication flow. Our current approach involves obtaining a code from Google OAuth's callback and exchanging it for an access token, which we then use to retrieve user information from Google (email precisely). Based on this information, we fetch the user from our database and generate JWT tokens for authentication.
We have following code as of now:
def google_callback_login():
code = request.args.get('code')
token = google_auth.fetch_token(GOOGLE_TOKEN_URL, code=code, client_secret=GOOGLE_CLIENT_SECRET)
# Retrieving user_info for user email
user_info = google_auth.get('https://www.googleapis.com/oauth2/v2/userinfo', headers={'Authorization': f'Bearer {token["access_token"]}'}).json()
# Loading user from user_email
user = db.session.query(User).filter_by(email=user_info['email']).one_or_none()
# login_helper returns jwt tokens
tokens_data = login_helper(user).get_json()
redirect_url = FRONTEND_BASE_URL + "/login" + '?access_token=' + tokens_data['access_token'] + '&refresh_token=' + tokens_data['refresh_token']
# Redirect to the login page with access tokens and refresh tokens in the url params, and the frontend now stores them and authenticates user
return redirect(redirect_url)
However, we're unsure about the correct design pattern for handling this integration. Specifically, we're concerned about the security implications of sending JWT tokens directly in URL parameters.
We've considered two alternative approaches:
Sending a temporary token with a short expiry time (e.g., one minute) to the frontend, which it can then use to make a request to our backend API in order to retrieve JWT tokens. Sending the Google OAuth code received in the callback URL to the frontend, which it can then send back to the backend to generate JWT tokens -- not sure of the potential risks of exposing the Google OAuth code to the frontend.
We're seeking guidance on the best design pattern to ensure both security and usability in this scenario. Any insights or recommendations would be greatly appreciated.
Additional Context
- Our backend is implemented using
- We're using Flask-JWT
- Our frontend is built using React/NextJS
