Question
I have an API and an Angular SPA that is completely separate from it; they have different origins/hosts. I figured out the implementation to be like this:

1. The user gets into the SPA, and the SPA gets a CSRF token from the API (I'll have an endpoint that generates such tokens).
2. The user clicks a 'sign in with Google' button that redirects him to Google's consent page (the CSRF token will be sent as the state field, and the client id will be sent too).
3. After the user's agreement, Google Auth redirects back to the SPA with an authorization code and the state CSRF token.
4. After checking the CSRF token, the SPA sends the info to the API again, to another endpoint.
5. When the API gets it, it sends the authorization code along with the client id and secret (the secret is only known by the API) to the Google auth API to get an access token.
6. After that it gets the user's email from Google, so now it knows who this user is; the API generates a JWT token for this user and returns it to the SPA.
Is this implementation secure enough? Have I missed something? Is the way I'm handling the CSRF part of this good enough?
Source: https://stackoverflow.com/questions/64204811/google-oauth2-and-spa
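The API side of the flow described in the question, as an added example (not code from the question or from Stack Overflow). It uses only the Python standard library and two constructed demo keys. The state token is the random, signed, time-limited value the first endpoint hands to the SPA; the second endpoint re-checks it on the API itself (signature, expiry, single use) before exchanging the code, which goes one step beyond the question's SPA-only check. `fake_google_exchange` is a stand-in for the real token-endpoint and userinfo calls the API would make with its client secret; the JWT is a minimal HS256 token so the whole thing runs offline.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

# Demo keys (constructed): in a real deployment they live only on the API host.
API_STATE_KEY = secrets.token_bytes(32)   # signs the CSRF/state tokens
API_JWT_KEY = secrets.token_bytes(32)     # signs the JWTs issued to the SPA

# Nonces of state tokens already consumed, so a captured state cannot be replayed.
_used_states = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def issue_state(ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Endpoint 1: mint the state/CSRF token the SPA forwards to Google.
    Random nonce plus expiry, HMAC-signed so the API can verify it later
    without storing anything per request."""
    now = time.time() if now is None else now
    payload = json.dumps({"n": secrets.token_hex(16), "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    return f"{_b64url(payload)}.{_b64url(_sign(API_STATE_KEY, payload))}"


def verify_state(state: str, now: Optional[float] = None) -> bool:
    """Server-side check of the state returned with the authorization code:
    valid signature, not expired, never seen before (single use)."""
    now = time.time() if now is None else now
    try:
        p, s = state.split(".")
        payload, sig = _b64url_decode(p), _b64url_decode(s)
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(_sign(API_STATE_KEY, payload), sig):
        return False
    data = json.loads(payload)
    if data["exp"] < now or data["n"] in _used_states:
        return False
    _used_states.add(data["n"])
    return True


def issue_jwt(email: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint the API's own HS256 JWT for the user Google identified."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps({"sub": email, "iat": int(now), "exp": int(now + ttl_seconds)},
                              separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64url(_sign(API_JWT_KEY, signing_input.encode()))}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Check signature and expiry of a token from issue_jwt; return claims or None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        expected = _sign(API_JWT_KEY, f"{header}.{body}".encode())
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, binascii.Error):
        return None
    return claims if claims.get("exp", 0) >= now else None


def login_with_google(state: str, code: str, google_exchange: Callable[[str], Optional[str]],
                      now: Optional[float] = None) -> Optional[str]:
    """Endpoint 2: the SPA posts back {state, code}.
    google_exchange(code) stands in for the outbound calls the API makes with its
    client id + secret (token endpoint, then userinfo) and returns the email."""
    if not verify_state(state, now=now):
        return None                     # bad, expired or replayed state: stop before calling Google
    email = google_exchange(code)
    if not email:
        return None                     # Google rejected the code
    return issue_jwt(email, now=now)


# Constructed stand-in for Google's token + userinfo endpoints.
_FAKE_CODES = {"4/good-code": "alice@example.com"}


def fake_google_exchange(code: str) -> Optional[str]:
    return _FAKE_CODES.get(code)


if __name__ == "__main__":
    state = issue_state()
    jwt = login_with_google(state, "4/good-code", fake_google_exchange)
    print("claims:", verify_jwt(jwt))
    print("replay accepted?", login_with_google(state, "4/good-code", fake_google_exchange) is not None)
```

Because the state carries its own nonce and expiry under an HMAC, the API needs no per-user storage before login; the `_used_states` set (a cache or database row in practice) is what turns a captured state into a one-shot value, and the second call with the same state in `__main__` is refused for that reason.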