
I'm thinking about a rewrite of an existing application. This legacy application does not separate frontend and backend. It's a single application with server-side rendering.

I want to rewrite it to a separate backend that provides a restful API and a frontend. Right now I plan to use Node.js with Express and tsoa as backend and SvelteKit as frontend. I don't think the actual technology used to implement the application matters, but I wanted to mention it just in case; the only requirement is to separate the frontend from the backend.

Users log in to the legacy app with Google as the authorization server. This will have to stay this way.

How to authenticate the user in the backend? Ideas/questions I have had so far:

  • Can OAuth provide something like a JWT so that my backend can confirm that the user is logged in?
  • Do I need to implement a JWT mechanism myself between frontend and backend? And if it is suggested: How can the backend be sure that the request for a JWT is legitimate?
  • Should the backend provide the login?
  • Am I misunderstanding the problem?
Comments:

  • At the end of the OAuth loop you have a token to access e.g. Google's API as the authenticated user. Typically this is immediately used to ask "who am I?" and the result used to find or create a user in your own system. It's up to you how you use that information to then authenticate between frontend and backend, e.g. creating a token for use in a header or a cookie. Commented Feb 7, 2023 at 8:31
  • Thank you for improving my post, @jonrsharpe. If I understand you correctly, you suggest I should send the Google access token to the backend, which in turn validates the Google token and provides the frontend with a new token used in the subsequent requests. Right? Commented Feb 7, 2023 at 8:38
  • The backend should be getting the token from Google to start with, otherwise you're exposing the OAuth secret to the frontend. Perhaps you mean the code which the OAuth provider redirects you back with, and you validate through exchange for a token. But yes, the backend gives the frontend a new token of some kind once authentication is completed, you don't use the API token from Google for that. Commented Feb 7, 2023 at 8:48
