OAuth2 / JWT / OpenID Connect for mocking auth... which isn't that different from doing it for real, actually.
https://mock.pocketid.app
499949ba52 | ||
---|---|---|
cmd/mailer | ||
examples | ||
kvdb | ||
mockid | ||
oldxkeypairs | ||
public | ||
vendor | ||
xkeypairs | ||
.gitignore | ||
.ignore | ||
.prettierignore | ||
LICENSE | ||
README.md | ||
default.jwk.json | ||
go-test.sh | ||
go.mod | ||
go.sum | ||
mockid.go |
README.md
go-mockid
OAuth2 / JWT / OpenID Connect for mocking auth... which isn't that different from doing it for real, actually.
Enabling Google OAuth2 (Mid-2020)
- Create an account at https://console.developers.google.com/apis/dashboard
- Go back to https://console.developers.google.com/apis/dashboard
- Create a New Project from the dropdown in the upper left that lists the current project name
- Give the project a name such as
Example Web App
and accept its generated ID - Click "Create"
Add your test domain
- Go back to https://console.developers.google.com/apis/dashboard
- Select your new project from the upper-left drop-down
- Select
Domain Verification
from the left hand side of the screen - Add your test domain (i.e.
beta.example.com
), but a domain that you actually own - Select
Verify Ownership
- Follow the specific instructions for adding a txt record to the subdomain you chose
- Add a collaborator / co-owner if you wish
Enable OAuth2
- Go back to https://console.developers.google.com/apis/dashboard
- Select
OAuth consent screen
- Select
External
- Complete the consent screen form
Create Google Credentials
- Go back to https://console.developers.google.com/apis/dashboard
- Select
Credentials
from the left sidebar - Select
OAuth ID
- Select
Web Application
- Fill out the same test domain and test app name as before
- Save the ID and Secret to a place you won't forget (perhaps a .gitignored .env)
Update your signin page.
- You need to put your default scopes (i.e.
profile email
) and client ID in the meta tag of your login page HTML.profile
is the minimum scope and is always returned.
<head>
<meta name="google-signin-scope" content="email">
<meta
name="google-signin-client_id"
content="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
/>
</head>
- Although it should be possible to use an thin OAuth client, you'll probably want to start by including the (huge) Google platform.js
<script src="https://apis.google.com/js/platform.js" async defer></script>
- You can start off with the Google's sign in button, but you need your own
data-onsuccess
callback. You can also adjust thedata-scope
per button to include more stuff. Scopes are defined at https://developers.google.com/identity/protocols/oauth2/scopes
<div
class="g-signin2"
data-onsuccess="ongsignin"
data-scope="profile email https://www.googleapis.com/auth/spreadsheets.readonly https://www.googleapis.com/auth/drive.readonly"
></div>
<script>
window.ongsignin = function (gauth) {
// Note: this is a special prototype-style instance object with few
// enumerable properties (which don't make sense). Requires API docs.
// See https://developers.google.com/identity/sign-in/web
console.log(goauth)
};
</script>
- Despite the documentation stating that passing a token as a query is deprecated and to use the
Authorization
header, the inspect token URL only supports the query parameter:GET https://oauth2.googleapis.com/tokeninfo?id_token=<token>
- You can also validate the token with Google's public key
- https://accounts.google.com/.well-known/openid-configuration
- https://www.googleapis.com/oauth2/v3/certs (note that one of the Key IDs will match that of your kid)
- While testing you'll probably want to revoke the app's permissions
- Go to https://myaccount.google.com/permissions
- Under "Third-party apps with account access" click "Manage third-party access" and search in the long list and click "Remove access".
- Under "Signing in to other sites" click "Signing in with Google" and search in the list to revoke access
- Active tokens will persist until they expire (1 hour), so you may need to clear cache, cookies, etc, which can be a pain
- Sign out can be accomplished with a button that calls
gapi.auth2.getAuthInstance().signOut().then(function() { });