DEV Community: ruuma The latest articles on DEV Community by ruuma (@ruuma_fb53ad7177cba32d962). https://dev.to/ruuma_fb53ad7177cba32d962 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3282518%2F4d950640-aecd-46a6-851e-724d7716d0b8.jpg DEV Community: ruuma https://dev.to/ruuma_fb53ad7177cba32d962 en Nuxt 3 + Google OAuth (PKCE) Minimal Setup Guide for Pure SPA (CSR) ruuma Wed, 25 Jun 2025 15:22:48 +0000 https://dev.to/ruuma_fb53ad7177cba32d962/nuxt-3-google-oauth-pkce-minimal-setup-guide-for-pure-spa-csr-1igf https://dev.to/ruuma_fb53ad7177cba32d962/nuxt-3-google-oauth-pkce-minimal-setup-guide-for-pure-spa-csr-1igf <blockquote> <p><em>✍ Originally published in Japanese on Qiita, this article was translated into English using ChatGPT and then reviewed &amp; edited by the author.</em></p> </blockquote> <h2> TL;DR </h2> <ul> <li>When you try to use <strong>Google OAuth + PKCE</strong> from Nuxt 3 CSR, you’ll hit the <code>client_secret</code> wall. </li> <li>Exposing <code>/auth/exchange</code> in a tiny BFF (Express / Spring, etc.) solves it. </li> <li>Full sample on GitHub → <a href="https://github.com/RuumaLilja/nuxt3-google-oauth-pkce-sample" rel="noopener noreferrer">https://github.com/RuumaLilja/nuxt3-google-oauth-pkce-sample</a> </li> </ul> <h2> Background </h2> <p>Google’s PKCE flow <strong>requires <code>client_secret</code> for <em>Web App</em> registrations</strong>.<br><br> Since a CSR-only app can’t keep secrets, the realistic solution is to proxy the token exchange through a BFF.<br><br> This article walks through a Nuxt 3 CSR + Express micro-service architecture that unblocks the flow.</p> <h2> Table of Contents </h2> <ol> <li>Why the client-secret trap exists </li> <li>Four architecture options for pure-front setups </li> <li>Step-by-step implementation </li> <li>Google Cloud configuration </li> <li>Express micro-service (code → token exchange) </li> <li>Nuxt 3 CSR client </li> <li>Appendix A: Deploy &amp; serverless tips </li> <li>Conclusions &amp; next steps </li> </ol> <h2> 1. Why Google PKCE still wants a client secret </h2> <ul> <li> <strong>RFC 7636 (PKCE)</strong> targets public clients → secrets should be unnecessary. </li> <li>Google’s policy: Web-App registration <strong>always demands client authentication</strong>. </li> <li>A CSR app therefore <em>cannot</em> call the token endpoint directly; a BFF must shield the secret.</li> </ul> <h2> 2. Four Architecture Options for Pure CSR </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pattern</th> <th>Outline</th> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td><strong>A. CSR + Micro-Service (this post)</strong></td> <td>Express/Lambda handles token exchange</td> <td>Works with Google, perfect for static hosting</td> <td>Need to run/maintain a micro-service</td> </tr> <tr> <td><strong>B. SSR + BFF</strong></td> <td>Keep secret inside Nuxt SSR</td> <td>Same origin, no CORS hassle</td> <td>SSR hosting &amp; ops cost</td> </tr> <tr> <td><strong>C. Public-Client Provider</strong></td> <td>Auth0, Azure AD, etc.</td> <td>Front-end only</td> <td>Google not supported</td> </tr> <tr> <td><strong>D. Implicit Flow</strong></td> <td>Legacy grant</td> <td>No server</td> <td>Weaker security</td> </tr> </tbody> </table></div> <p>We implement <strong>A: CSR with a tiny Express (Spring works too)</strong>.</p> <h3> 2.1 Other approaches </h3> <ul> <li> <strong>Spring Boot + <code>spring-boot-starter-oauth2-client</code></strong> Spring Security can perform the exchange for Java back-ends, but introduces provider-specific dependencies—skipped here.</li> </ul> <h2> 3. Implementation Steps </h2> <h3> 3.1 Configure Google Cloud </h3> <ol> <li> <strong>OAuth consent screen</strong> – set app name &amp; domain. </li> <li> <strong>Credentials → OAuth 2.0 Client ID</strong> <ul> <li>Application type: <em>Web application</em> </li> <li>Authorized JS origins: <code>http://localhost:3000</code> </li> <li>Redirect URI: <code>http://localhost:3000/auth/callback</code> </li> </ul> </li> <li>Copy <code>client_id</code> and <code>client_secret</code>.</li> </ol> <h3> 3.2 Express BFF (<code>server/</code>) </h3> <p>Dependencies: <code>express cors dotenv node-fetch qs</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">code_verifier</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">conf</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OIDC_WELL_KNOWN</span><span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">conf</span><span class="p">.</span><span class="nx">token_endpoint</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">qs</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authorization_code</span><span class="dl">'</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OIDC_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OIDC_CLIENT_SECRET</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OIDC_REDIRECT_URI</span><span class="p">,</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">code_verifier</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> 3.3 Nuxt 3 CSR (<code>client/</code>) </h3> <ul> <li>Dependencies: <code>@pinia/nuxt</code>, <code>oidc-client-ts</code> </li> <li>Override <code>token_endpoint</code> to your BFF: <code>apiBase + '/auth/exchange'</code>.</li> <li>Handle the callback: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">handleCallback</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">signinCallback</span><span class="p">();</span> <span class="nx">store</span><span class="p">.</span><span class="nf">setTokens</span><span class="p">({</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">access_token</span> <span class="p">});</span> <span class="nx">store</span><span class="p">.</span><span class="nf">setUser</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">);</span> <span class="k">await</span> <span class="nf">navigateTo</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h3> 3.4 Run locally </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># server npm run dev # client npm run dev </code></pre> </div> <h2> Appendix A. Deploy &amp; Serverless Tips </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Example platform</th> <th>Key points</th> </tr> </thead> <tbody> <tr> <td>Front-end</td> <td>Netlify / Vercel / Cloudflare Pages</td> <td>Deploy <code>nuxt generate</code> output as-is</td> </tr> <tr> <td>BFF</td> <td>Vercel Functions / Cloudflare Workers / AWS Lambda</td> <td>Store <code>.env</code> secrets in platform settings</td> </tr> </tbody> </table></div> <h2> 4. Conclusions &amp; Next Steps </h2> <ul> <li>Refresh-token handling: httpOnly cookies + rotation</li> <li>Security hardening: <code>express-rate-limit</code>, Helmet, strict CORS</li> <li>Other IdPs: Microsoft identity platform lets you stay front-end-only</li> <li>SSR/BFF migration: integrate with Nuxt Nitro if you ever need a unified origin</li> </ul> <h2> 5. Source Code </h2> <blockquote> <p>All code shown here:<br> <a href="https://github.com/RuumaLilja/nuxt3-google-oauth-pkce-sample" rel="noopener noreferrer">https://github.com/RuumaLilja/nuxt3-google-oauth-pkce-sample</a></p> </blockquote> <p><em>Hope this saves you from falling into Google OAuth’s “client_secret” pit!</em></p> nuxt vue oauth googlecloud