DEV Community

NestJS Authentication with OAuth2.0: Adding External Providers

Afonso Barracha on April 14, 2023

Series Intro This series will cover the full implementation of OAuth2.0 Authentication in NestJS for the following types of APIs: Exp...

Read full post

Enzo Frias Borda • Aug 19

Hi, excellent article, it helped me a lot!
I have a question...
Is this flow still recommended or is it better for the backend to just redirect with the code, then the front end in another call to the API with the code asks for the access token so that the token does not travel in the URL?

Afonso Barracha • Aug 20 • Edited

So this is outdated, and for the upcoming OAuth 2.1 standard you shouldn't use the implicit flow.

I may have to revisit these articles and fix a lot of the recommendations.

Afonso Barracha • Aug 20

In hingsight I should've followed standards more, but I cut some corners since it was purely educational

Enzo Frias Borda • Aug 20

Thank you very much for the quick response!

Just to confirm, the flow should be:

Frontend: generate code_verifier and code_challenge, call Nest to get the authorization URL, and Nest redirects the user to Google using the frontend's code_challenge.
The user logs into a provider's account.
The provider redirects to the backend with the code.
The backend redirects to the frontend using the URL with a code generated in the backend !== provider_code.
The frontend executes the post method to the backend with the code and the code_verifier.
The backend passes the code_verifier to Google to generate the token and retrieve the data.
The backend responds with its own token and everything else?

Afonso Barracha • Aug 21

Personally since the call to google is made by the server, I keep them separate. I normally do something like this in production:

Front-end: generates code_verifier, code_challenge and state, caches the code_verifier and state in localstorage (web) or secure storage (native);
Pass google as a client_id query parameters instead of the url params, this will allow you to add Dynamic Registration in the future, which is used in the new Model Context Protocol server apps (if AI is something important in your company);
On the IDP server you generate a new state, code_verifier and code_challenge, make sure to use S256 if you want extra security. Cache both the user state and the server state, with all the user code_challenge and the IDP code_verifier. I normally use the IDP state as the Key;
With the server state and code_challenge call google;
On the server callback check the state, and call token endpoint with the server code_verifier;
Cache the user data and generate a code (remeber to hash it with SHA256 or HMAC SHA256) and cache it, returning the plain text code and the current user state in the FOUND redirect. I normally use two Base62 uuids joined by a hyphen as the code, sha256 each part, I use the first UUID as the cache key.
The front-end gets the code, checks the state, then calls the server token endpoint with the code and the code_verifier.
The server does the code exchange, uses the user data to create or retreive a user from the persistant DB.
The server returns to the front-end the access and refresh tokens.

Enzo Frias Borda • Aug 21

Thank you so much again!

Afonso Barracha • Aug 10 '24

Just noticed this morning there was a major bug on the tutorial, just fixed it after one year, sorry for the inconvenience.

I left the state static, but it actually should be cached and new on every request

Abdul Sami Haroon • Sep 8 '23

thanks a ton, this have been super helpful, I've been looking to work on a POC with fastify + external authentication and this has done the job for me.
Also the code quality is super!

much love <3

Comment deleted

Afonso Barracha • Jun 24 '23

The way it is set up, if the user does not exists it will just create a new account with the external provider. You could add a third and forth endpoints for registration if you deem that as necessary.

Edric Galentino • Jul 13 '24

You are hero bro. Thanks a lot