Context
I wanted some way of authenticating users on my personal project. Implementing authentication allows us to apply per-user rate limiting.
Since I did not want to deal with password management (reset password flow, HMAC, etc.), I decided to rely on a third-party service.
What I did
I thought I could ask users to log in with their Gmail account, retrieve profile.id and use it as the user_id on my service.
To make sure whoever sends a request to our API endpoint is authenticated, I used a JWT.
import jwt from "jsonwebtoken";
import type { StringValue } from "ms"; // type of expiresIn strings such as "15m"

// signing key for our own access tokens; loaded from config, never hard-coded
const SECRET = process.env.JWT_SECRET as string;

// here, userId is just user's gmail address (hashed), so it is a string rather than a number
export function signAccessToken(
  userId: string,
  jwtSecureCodePlain: string,
  expire: StringValue = "15m"
): string {
  return jwt.sign({ id: userId, jwtSecureCode: jwtSecureCodePlain }, SECRET, {
    expiresIn: expire,
  });
}
What I did wrong
OAuth 2.0 is about “what can this client do on a third-party API?”
OIDC is the right standard for “who is this user?”
The main use of OAuth 2.0 is to obtain an access_token, which lets the service make API requests to the third-party app (e.g. Google, GitHub) on the user's behalf.
It is for authorization, not for authentication: an access token proves only that some client was granted access. It is not bound to my app as its audience and does not by itself say who the user is, so an access token that a different client obtained from the same provider could be presented to my API and I would have no way to tell it apart from one my own client obtained.
OIDC adds an id_token, a signed JWT whose sub claim identifies the user and whose aud is my client_id. The app verifies the signature, iss, aud and exp, and only then uses sub as the user id.
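To make the difference concrete, here is an added example (not code from the original post) of the relying-party checks that turn an id_token into a user id. It fakes the identity provider with a locally generated RSA key pair so that it runs offline; the issuer URL https://idp.example and the client_id my-app-client-id are assumed values, and in production the public key would be fetched from the provider's JWKS endpoint and selected by the token header's kid instead.

```typescript
import * as crypto from "node:crypto";

// --- Fake identity provider (constructed for this example; a real one is Google, GitHub, ...) ---
// The RSA key pair stands in for the provider's signing key. ISSUER and MY_CLIENT_ID
// are assumed values; in production they are the ones the provider assigned to the app.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
export const ISSUER = "https://idp.example";
export const MY_CLIENT_ID = "my-app-client-id";

const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");

// What the provider does at the end of the OIDC flow: mint an RS256-signed id_token.
export function issueIdToken(claims: Record<string, unknown>): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const signature = crypto.sign("sha256", Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64url(signature)}`;
}

export interface IdTokenClaims {
  iss: string;
  sub: string;
  aud: string | string[];
  exp: number;
}

// What the relying party (my app) must check before trusting `sub`.
// `now` is injectable so that expiry can be exercised deterministically.
export function verifyIdToken(token: string, now: number = Math.floor(Date.now() / 1000)): IdTokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;

  // Pin the algorithm instead of honouring whatever the header says (blocks alg=none and HS/RS confusion).
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);

  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");

  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")) as IdTokenClaims;
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  // aud is the check a plain OAuth access token cannot give you: this token must have been minted for MY client.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(MY_CLIENT_ID)) throw new Error("token was not issued to this client");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  if (typeof claims.sub !== "string" || claims.sub.length === 0) throw new Error("missing sub");
  return claims;
}

// Stable user identifier for the app: issuer plus sub. Not the email address, which can
// change or be reassigned, and not whatever profile.id an access token happens to fetch.
export function userIdFrom(claims: IdTokenClaims): string {
  return `${claims.iss}|${claims.sub}`;
}

// Stand-alone run: a token minted for my client is accepted, one minted for another client is not.
export function demo(): string[] {
  const now = Math.floor(Date.now() / 1000);
  const results: string[] = [];
  const mine = issueIdToken({ iss: ISSUER, sub: "1234567890", aud: MY_CLIENT_ID, exp: now + 300, iat: now });
  results.push(`accepted: ${userIdFrom(verifyIdToken(mine, now))}`);
  const foreign = issueIdToken({ iss: ISSUER, sub: "1234567890", aud: "someone-elses-client", exp: now + 300, iat: now });
  try {
    verifyIdToken(foreign, now);
    results.push("foreign token accepted (bug)");
  } catch (e) {
    results.push(`rejected: ${(e as Error).message}`);
  }
  return results;
}

console.log(demo().join("\n"));
```

The aud check is the part plain OAuth 2.0 never gave me: the second token has a valid signature, the right issuer and the same sub, and is still rejected because it was minted for another client. Once verifyIdToken succeeds, issuer plus sub is the value to carry into the app's own access token in place of the hashed Gmail address.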