I have asp.net web api project with a spa( vue3 ).

the need to give the users the ability to login to the website using their Facebook, google account.

I have succeeded to add Facebook auth and the way i did is :

From the font end :

1. using javasript to ask facebook auth api for an access token to get the user profil infos(Email,profil Picture) using my client id of course after that the users enter their credentials

2. Get the access token and send it to the server (asp.net web api)

3. from the server send a get request to facebook with the access token the the client secret so he can verify it before give my the resources i asked

4. get the users infos and send a jwt to the final user so he can access my web api (asp.net web API )

I find the method very straight forward and secure since nothing sensitive have to be done in the front end

I'm struggling to use this method to authenticate users using google.

I read a tons of documentations but could find anything useful, any tips?

CodePudding user response：

The only way to verify a google access token is to use it. Send a request to the user info endpoint, or the people api to request profile data. If it works its valid if it doesnt its not. However If you have an id_token from the signin process there is a method to verify that.

• Validating an ID token
• Obtaining user profile information

From what i remember a signin access token returned by facebook is a jwt so it can be validated by testing the cliams. A google access toekn is not a jwt so can not be validated against its claims but the id token is a jwt and can.