DEV Community

Mohamed Rasvi
Mohamed Rasvi

Posted on

Google identity Platform

This post I would like to explain how google identity platform works in a simple manner.

Most of the time, the Google Identity platform works as a proxy to configure identity providers. Google identity platform is little different to Azure ID, where you can create your own SAML and OIDC identity providers.

For the user authentication In this article, we will use federated identity provider Google.

Image description

Above User flow in details

  1. Users access the web application
  2. Application: check whether the user is logged in or not
  3. If you are not authenticated, the application will redirect to a federated identity provider : Google
  4. Once the user is authenticated successfully and redirects to the /__auth/handler endpoint, this service is hosted by Google
  5. The /__auth/handler service redirects back to the application

We need to understand the Main 5 concepts behind this google identity platform.

  1. Authentication
  2. Users
  3. Admin Auth API
  4. Multi-tenancy
  5. Differences between Identity Platform and Firebase Authentication

I will explain the main most important concept for this post; keep the article short and simple.

Authentication
Identity Platform allows users to authenticate to your apps and services, like multi-tenant SaaS apps, mobile/web apps, games, APIs and more. Identity Platform provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform.

How it works?
To sign a user into your app, you first get authentication credentials from the user. These credentials can be the user's
email address and password, a SAML assertion, or an OAuth token from a federated identity provider.
In the case of federated identity providers, the providers return those tokens to Identity Platform's authentication handler on the /__auth/handler endpoint. This service is hosted by Google, so you don't have to receive and validate the authentication artifact. After the tokens are received, our backend services will verify them and return a response to the client.
After a successful sign in, you can access the user's basic profile information, and you can control the user's access to data stored in Google Cloud or other products. You can also use the provided authentication token to verify the identity of users in your own backend services.

You can read here to understand the above all concepts here

Setting up a Google IDP on google idenity platform

  1. Go to google idenity platform
  2. Click Add A Provider and select Google
  3. Enter your Google Web Client ID and Web Secret. If you don't already have an ID and secret, you can obtain one from the API's & Services page.
  4. Configure the URI listed under Configure Google as a valid OAuth redirect URI for your Google app. If you configured a custom domain in Identity Platform, update the redirect URI in your Google app configuration to use the custom domain instead of the default domain. For example, change https://myproject.firebaseapp.com/__/auth/handler to https://auth.myownpersonaldomain.com/__/auth/handler. This is where confusion we see on the Google cloud document. Most of the time we don't read the concepts, so we assume our application must have this callback URL, /__/auth/handler, but we don't need this because /__/auth/handler is hosted in Google; it is a Google-hosted backend service that does the magic like creating JWT, etc.
  5. Register your app's domains by clicking Add Domain under Authorized Domains. For development purposes, localhost is already enabled by default.

  6. Click Save.

I'm not going to show the entire code, I just insert some example code snippets.

import { getAuth, signInWithRedirect, getRedirectResult, GoogleAuthProvider } from "firebase/auth";
const auth = getAuth();
signInWithRedirect(auth, provider);
getRedirectResult(auth)
.then((result) => {
// This gives you a Google Access Token. You can use it to access Google APIs.
const credential = GoogleAuthProvider.credentialFromResult(result);
const token = credential.accessToken;
// The signed-in user info.
const user = result.user;
// IdP data available using getAdditionalUserInfo(result)
// ...
}).catch((error) => {
// Handle Errors here.
const errorCode = error.code;
const errorMessage = error.message;
// The email of the user's account used.
const email = error.customData.email;
// The AuthCredential type that was used.
const credential = GoogleAuthProvider.credentialFromError(error);
// ...
});

Signing in users with the Client SDK

Let me know if you want to dive deep into the Google identity platform.

For example, integration with gateways like Kong.

Top comments (0)