Best Practices for Associating userId (from JWT) with Google OAuth Tokens
I have a few questions regarding the OAuth flow in a hypothetical context. Let's imagine the following situation: we have a JavaScript client (React JS), a Keycloak server, and a REST API (Spring Boot). We use Keycloak to identify the user via a JWT. Once authenticated, we want to offer the user the ability to link their Google Calendar to their account. It is therefore necessary to associate the user ID (present in the Keycloak JWT subject) with the Google access tokens.
I've had trouble finding the optimal method to achieve this association, other than using the "state" parameter of the Google API. Below is a sequence diagram representing the flow I've envisioned.
Could you confirm if this flow follows best practices? Is it secure and common? Are there other ways to achieve this association?
Thank you in advance for your help and advice.
A more standard option would be for your JS client to always manage authentication via Keycloak and configure it to use Sign in via Google for those users, who only need to do a single login:
Your JS client redirects to Keycloak
Keycloak redirects to Google for you, and includes a calendar scope
When login completes, Keycloak should be able to use an embedded token approach:
- Keycloak access tokens include the Google access token as a custom claim
Your JS client then calls your APIs with the access token. Your APIs can get the inner token and call Google APIs with it (CORS restrictions will prevent the JS client from calling Google APIs directly).
I have not verified this end to end with Keycloak, but it is a pattern to aim for. An authorization server (like Keycloak) can manage many connections for your apps, which helps to reduce complexity.
- Restrict Microsoft Azure App OAuth2.0 to Internal Users
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- unsupported_grant_type error for authorization_code grant type: Spring Security OAuth2
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- REST API Server error using OAuth2 and Microsoft.AspNetCore.Identity
- hwi_oauth can't connect to FOS_OAUTH_SERVER
- How to Locate and Customize the OAuth Implicit Flow Redirect Screen?
- How to create secret in client app in Azure
- how to generate a bearer token for Azure api, with microsoft api
- OWIN middleware for OpenID Connect - Code flow ( Flow type - AuthorizationCode) documentation?
- Unable to authenticate users using procore
- How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret
- Xero OAuth2 Questions
- why offline_access scope is needed to request refresh token in IdentityServer (OAuth2)?
- Is it possible to use delegated access with a confidential client, in the Microsoft Authentication Library?
- Customize the AWS Cognito hosted UI confirmForgotPassword page
- SugarCRM fileDownload error after upgrade
- Facebook graph api returns 400 bad request with correct access token
- How to identify a Google OAuth2 user?
- OAuth2 WebApi Token Expiration
- API Management OAuth 2.0 configuration issue
- linkedin oauth authorization fails with "Bummer, something went wrong"
- Angular CORS Error When Following Backend Redirect for OAuth2 Logout
- How to handle "unsupported_grant_type" from laravel passport
- How to get Response of REST API in JSON format by Default in Magento
- Is it possible to use Bearer Access Token to Authenticate against our tenants SharePoint to allow a daemon to upload files to document library?
- Bearer token not set as expected
- Setting up JWT authentication using the Identity Server and get access token
- What does the `aws.cognito.signin.user.admin` scope mean in Amazon Cognito?
- OAuth and redirect_uri in offline Python script