
I have a Spring Boot server which performs the entire OAuth 2.0 Authorisation flow by using Google as an auth provider. I use the Spring OAuth library which already has filters for OAuth endpoints for providers like Google and Facebook.

I have a React front end which kicks this flow off by opening a new window with a URL that points to the Google authorisation endpoint on my server when a user clicks login.

When the server has successfully authenticated a user and retrieved a JWT token from Google, I need to pass this back to my React front end and store the token so that the user can then use it to make authorised requests to my backend API.

As far as I understand I cannot get my front end to send a GET request to my backend for the token as the OAuth Authorisation flow works using redirects. Otherwise I could have returned the JWT to my front end in the body of an HTTP response as described here: https://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#ExAccTokResp

My alternative then is to redirect to a front end ‘login success’ page from the server on a successful authorisation attempt by appending the JWT token as a URL parameter which my front end will then parse and store. Exposing the JWT as a URL parameter doesn’t seem safe however, is there a better/more secure way I can redirect back to my client with a JWT token from my server?

2 Answers


  1. If exposing the JWT in the URL isn’t safe, carrying the JWT in a request header isn’t safer either. So as long as you are not storing anything secret in the JWT, you are safe. To prevent the token from falling into the wrong hands, you can set a short expiry time and refresh the JWT periodically. Anyway, the front end is transparent to the user, so don’t worry about people seeing it.

  2. It’s a bit confusing why you are fetching the authorization credentials on the resource server. If your intention was to secure your API using Google’s access tokens, they need to be granted to the client. You are opening yourself up to security issues if you create some bespoke solution for what OAuth already solves.

    You have two options really.

    1. Set up your backend as an OAuth authorization server and go through an authorization code grant with PKCE to your frontend. Either map the claims received from Google into your own token or include the token as a claim.

    2. Complete the google authorization flow in your frontend client using the authorization code with PKCE grant.

    The second approach is far better in my opinion. Here is google’s authorization code with PKCE documentation. Disregard their recommendation for javascript apps as current oauth security best practice recommends against implicit flow.
