DEV Community: Murali Krishna The latest articles on DEV Community by Murali Krishna (@muralikrishna8). https://dev.to/muralikrishna8 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F281755%2Fca59e7dd-3b6d-4331-a084-b5762cc48e2f.jpeg DEV Community: Murali Krishna https://dev.to/muralikrishna8 en Google One Tap login with Auth0 Murali Krishna Sun, 21 May 2023 14:02:02 +0000 https://dev.to/muralikrishna8/google-one-tap-with-auth0-4a2o https://dev.to/muralikrishna8/google-one-tap-with-auth0-4a2o <p>Assuming that you've created the project in the <a href="https://console.developers.google.com/project">google developer console</a> and configured the ClientID and ClientSecret in Auth0 under social connections. Let's see how you can enable login with Google One Tap using Auth0 and get the <code>id_token</code></p> <ol> <li>Letting the user log in using Google One Tap</li> <li>Extract user email from the <code>id_token</code> by google</li> <li>Use the extracted email to sign in with Auth0</li> </ol> <h3> 1. Letting the user log in using Google One Tap </h3> <h4> Include the google script (login.html) </h4> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://accounts.google.com/gsi/client"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <h4> Include the HTML tag to trigger one tap flow on page load </h4> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"g_id_onload"</span> <span class="na">data-client_id=</span><span class="s">"GOOGLE_CLIENT_ID"</span> <span class="na">data-context=</span><span class="s">"signin"</span> <span class="na">data-ux_mode=</span><span class="s">"popup"</span> <span class="na">data-callback=</span><span class="s">"handleLogin"</span> <span class="na">data-nonce=</span><span class="s">""</span> <span class="na">data-close_on_tap_outside=</span><span class="s">"false"</span> <span class="na">data-itp_support=</span><span class="s">"true"</span><span class="nt">&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <p>Google will use this tag as the configuration and triggers the one tap flow on load.</p> <blockquote> <p>🚧 Google uses something called <a href="https://developers.google.com/identity/gsi/web/guides/features#exponential_cool-down">Exponential cool down</a>, basically when ever you close the One Tap popup, it'll not show it again till the cool off period.<br> In order to see the popup, run this in the browser console and refresh the page<br> <br> <code>document.cookie = `g_state=;path=/;expires=Thu, 01 Jan 1970 00:00:01 GMT`;</code><br> </p> </blockquote> <h3> 2. Extract user email from the ID_TOKEN by google </h3> <p>There is a <code>data-callback="handleLogin"</code> attribute in the above, which will be called once the user logs in using the One Tap flow.</p> <p>The parameter for the <code>handleLogin</code> will contain the token from Google.</p> <p>The <code>response</code> will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"clientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GOOGLE_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GOOGLE_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"credential"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ID_TOKEN_WHICH_WILL_BE_A_JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"select_by"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Google will give us the <code>id_token</code> from which we need to extract the user email. Since it's in JWT format we can use some <a href="https://www.npmjs.com/package/jwt-decode">jwt decoding library</a> to parse it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">handleLogin</span><span class="p">(</span><span class="nx">response</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="p">(</span><span class="nx">jwt_decode</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">credential</span><span class="p">)).</span><span class="nx">email</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Decoded JWT should look something like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://accounts.google.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"nbf"</span><span class="p">:</span><span class="w"> </span><span class="mi">1684674651</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GOOGLE_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"105427290204744290733"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USER_EMAIL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email_verified"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GOOGLE_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Shinchan Nohara"</span><span class="p">,</span><span class="w"> </span><span class="nl">"picture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://lh3.googleusercontent.com/a/AGNmyxbMyc6kaGFYoe65-1eASeS6HwrIQt9HKD-qSyyp=s96-c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Shinchan"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Nohara"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1684674951</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1684678551</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"150ff9433d3511d76f10a443f8ab7beb94751477"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3. Use the extracted email to sign in with Auth0 </h3> <p>Now that we have the users email we can trigger the <code>authorize</code> call from Auth0. The problem is, if we trigger the <code>authorize</code> call normally it'll refresh the page which defeats the purpose of OneTap login. In order to avoid that we need to authorize with Auth0 using an <code>iframe</code></p> <p>For that we need to host the <code>iframe.html</code> at some path on your domain and inside the <code>iframe.html</code> we can call the <code>authorize</code> with the connection type as <code>google-oauth2</code> and responseMode as <code>web_message</code>.</p> <p><code>iframe.html</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.auth0.com/js/auth0/9.18/auth0.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">webAuth</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">auth0</span><span class="p">.</span><span class="nx">WebAuth</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_DOMAIN.auth0.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientID</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AUTH0_CLIENT_ID</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// we need this message to receive the extracted</span> <span class="c1">// google email from the parent window</span> <span class="nb">window</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// verify if the `message.origin` matches to the </span> <span class="c1">// original origin for security purposes</span> <span class="nx">webAuth</span><span class="p">.</span><span class="nx">authorize</span><span class="p">({</span> <span class="na">connection</span><span class="p">:</span> <span class="dl">'</span><span class="s1">google-oauth2</span><span class="dl">'</span><span class="p">,</span> <span class="na">login_hint</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">,</span> <span class="c1">// this is the email</span> <span class="na">responseType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">,</span> <span class="na">redirectUri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_DOMAIN.auth0.com/callback</span><span class="dl">'</span><span class="p">,</span> <span class="na">responseMode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">web_message</span><span class="dl">'</span><span class="p">,</span> <span class="c1">//Any additional options can go here</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">myAdditionalParam</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">something</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">authResult</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>We need to load the <code>iframe</code> in <code>login.html</code> and pass the extracted user email from the Google response to Authorize. Once the authorization is completed the <code>iframe</code> will <code>postMessage</code> the token to the parent(<code>login.html</code>). We can add a message event listener to receive the token from the iframe.</p> <p><code>login.html</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">handleLogin</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user_email</span> <span class="o">=</span> <span class="p">(</span><span class="nx">jwt_decode</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">credential</span><span class="p">)).</span><span class="nx">email</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">iframe</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">auth_iframe</span><span class="dl">"</span><span class="p">)</span> <span class="nx">iframe</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/iframe.html</span><span class="dl">"</span> <span class="nx">iframe</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">iframe</span><span class="p">.</span><span class="nx">contentWindow</span><span class="p">.</span><span class="nx">postMessage</span><span class="p">(</span><span class="nx">user_email</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nb">window</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// verify if the `message.origin` matches to the original </span> <span class="c1">// origin for security purposes</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">`Token: </span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">id_token</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="c1">// Here you have the Auth0 id_token</span> <span class="p">},</span> <span class="kc">false</span><span class="p">);</span> </code></pre> </div> <p>🚀 Now you have the <code>id_token</code></p> googleonetap auth0 identity auth