
Verify Gmail OAuth2 token and client spoof

I'm following THIS example in order to allow the user to log in with his Google account to a remote server.

Basically I get the access_token on the client and send it to my server. On the server I check the response of

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XXXX

getting the email of the user and authenticating the user on the server.

But I have a security question: what if a malicious developer creates an app that allows Gmail login, stores the users' access tokens and uses them to spoof their identity on my server? How can I avoid that? Is there some way to validate the signature of the application that obtained the access token?

The token info returned is like:

{
    "issued_to": "XXXXXXXXXXXXXX.apps.googleusercontent.com",
    "audience": "XXXXXXXXXX.apps.googleusercontent.com",
    "user_id": "15285874285447",
    "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3562,
    "email": "user@mail.com",
    "verified_email": true,
    "access_type": "online"
}

So probably the fields issued_to or audience are important for that validation?

EDIT: I don't mean a man-in-the-middle attack. For example, imagine I create a game called VirusX that allows Gmail login. If no extra validation is made, I could save the access_tokens and use them to access other apps that use Gmail login.

Using the Facebook API, it is solved this way:

I know this doesn't really answer your question but I'd like to offer an alternate tutorial/example on how to log in using a Google Account. I would recommend that you take a look at this post regarding how to verify backend calls using the Google Play services and oAuth2. We implemented this a few weeks ago and it was dead easy. Using this technique there's no way anyone can spoof an access token.

The only way someone can spoof is by a man-in-the-middle or DNS attack. Unless you are expecting extreme breaches, don't even bother. It's too difficult to beat OAuth providers (identity management is their job!) if you follow simple security measures. As britzl said, follow the tutorial and your code is done.

The tokeninfo endpoint is most probably validating the token for you. As long as you are using HTTPS to communicate with it, you are probably safe. You can also unpack and parse the token yourself; there are libraries for this, but it's quite easy actually. See here for some details. You should really look at the verify backend calls link suggested above; it's more powerful and lets you verify not only the user, but that the request is coming from your own app (there are ways to fool it on a rooted device though).

For edited question:

The token is signed, so you can validate it. If validation fails, the token has been tampered with and you should not trust it (the Google tokeninfo endpoint does that). It also has a validity time, so you can check if it is expired. Thus if someone gets access to a token and sends it to your service (replay), they can only use it for a limited time (typically 30-60 mins). If you use the backend validation technique, it also makes sure that the token comes from your app and not VirusX by validating your package name and signing certificate hash, which you have to register in advance. Do read how it works and use it instead of 'raw' profile tokens.

Generally, a bearer-type token is like a cookie: if you have it, there is no way to distinguish between the original owner and someone who stole it. The mitigating factor is that the token can be revoked and it has a limited validity time.
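As an added example (not code from the question or any of the answers), here is a server-side check of the tokeninfo response from the question before the email is trusted. The field that addresses the VirusX scenario is audience: a token obtained by another app is a perfectly valid Google token, but its audience is that app's client ID, not yours, so the server compares it against its own registered client ID. OUR_CLIENT_ID and the sample responses are constructed placeholders modelled on the response in the question.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"
# Constructed placeholder: the client ID of OUR app, as registered with Google.
OUR_CLIENT_ID = "XXXXXXXXXX.apps.googleusercontent.com"
REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email"


def fetch_tokeninfo(access_token: str) -> dict:
    """Ask Google about the token over HTTPS (the endpoint used in the question)."""
    url = TOKENINFO_URL + "?" + urlencode({"access_token": access_token})
    try:
        with urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except HTTPError as err:  # bad or expired tokens come back as HTTP 400 with a JSON error body
        return json.load(err)


def validate_tokeninfo(info: dict, our_client_id: str = OUR_CLIENT_ID, min_ttl: int = 30) -> tuple:
    """Return (True, email) for a token the server may trust, else (False, reason)."""
    if "error" in info:
        return False, "tokeninfo error: %s" % info["error"]
    # The check that defeats the VirusX scenario: the token must have been issued for
    # our client ID. A token granted to another app is valid for Google, but not for us.
    if info.get("audience") != our_client_id:
        return False, "audience %r is not our client ID" % info.get("audience")
    if int(info.get("expires_in", 0)) < min_ttl:
        return False, "token expired or about to expire"
    if REQUIRED_SCOPE not in info.get("scope", "").split():
        return False, "token lacks the userinfo.email scope"
    if not info.get("verified_email") or not info.get("email"):
        return False, "email missing or not verified by Google"
    return True, info["email"]


# Constructed sample responses (no network needed), modelled on the one in the question.
GOOD = {"issued_to": OUR_CLIENT_ID, "audience": OUR_CLIENT_ID, "user_id": "15285874285447",
        "scope": "https://www.googleapis.com/auth/plus.me " + REQUIRED_SCOPE, "expires_in": 3562,
        "email": "user@mail.com", "verified_email": True, "access_type": "online"}
# Same user, but the token was obtained by a different app (different client ID).
OTHER_APP = dict(GOOD, issued_to="other.apps.googleusercontent.com", audience="other.apps.googleusercontent.com")
EXPIRED = dict(GOOD, expires_in=0)

if __name__ == "__main__":
    for name, info in [("good", GOOD), ("other app", OTHER_APP), ("expired", EXPIRED)]:
        print(name, "->", validate_tokeninfo(info))
```

For a live token, pass the result of fetch_tokeninfo(access_token) to validate_tokeninfo; the audience check is what the issued_to/audience fields in the question are for.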
