Creating Google Service Account and using in Node.js

Sathish
4 min read · Jan 19, 2022

This is my first blog of the year 2022. I was working on a mobile app which has Google Single Sign-On enabled. The mobile app is developed natively for Android and iOS, and the APIs are written in Node.js.

I was assigned a task to write a base framework for API testing using Jest.js. I am not a fan of writing separate code to handle authentication for API testing. I wanted to replicate the same authentication mechanism the mobile app uses to connect with the backend, using a Google SSO auth token. After spending days on it, I ended up finding that, with the help of a Google service account, I can replicate the behaviour of the mobile app's Google SSO and pass the auth token to the server for authentication.

So today, I am going to share how to create a Google service account and use it in Node.js to generate an auth token.

Follow these steps to create a Google service account:

1. Navigate to https://console.cloud.google.com/iam-admin/serviceaccounts

2. Select a project, or create a new one.

3. Click + CREATE SERVICE ACCOUNT

4. Enter a name, ID and description, then click CREATE AND CONTINUE

5. (Optional) Select a role for this service account. If you are unsure, go with the Owner role, then click CONTINUE

6. (Optional) Under "Grant users access to this service account", add the users or groups that are allowed to use and manage the service account, then click DONE

7. You will be redirected to the Service accounts page. Find your newly created service account, click Actions (three dots) and select the Manage Keys option

8. Next, click on ADD KEY and select Create new Key

9. A pop-up will appear. Choose JSON and click CREATE. This creates the service account key, and the JSON file is downloaded.

We are done creating a Google service account for server-to-server authentication. Refer to this page if you have any doubts about creating a service account.

The next step is using this serviceaccount.json file in a Node.js script to generate an auth token. This auth token can be used for verifying Google OAuth2 SSO authentication.

Follow this GitHub repo to generate an auth token by running the generateAuthToken.js script.

ServiceAccount.json

{
  "type": "service_account",
  "project_id": "service-project",
  "private_key_id": "12345678901234567890",
  "private_key": "-----BEGIN PRIVATE KEY-----\n==\n-----END PRIVATE KEY-----\n",
  "client_email": "api-service-account@sample-account-123.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/api-service-account%40sample-account-123.iam.gserviceaccount.com"
}

Here is a sample auth token:

ya29.c.b0AXv0zTNglPt9uo6eMdWF12345upclbNh5A-Keyo0JVk5BL-LjOnyjI4d3IqWFrZW3daUeXZrB-FeH-Q485ggXKSzhILjkabcdxDm_mJEEw9kciy4JFtNMteOHS3-wcaqFDU-kRNbeMMTlzYyNh03jW2tZEphDxyzjw0-kM116mFDwKFYX3H1234565768-HqZwWi4XsQNdu2s6UCdXlCO5rMz8......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

generateAuthToken.js

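// Generate a Google OAuth2 access token from the service account key file.
const { google } = require("googleapis");

// keyFile points at the JSON key downloaded in step 9;
// scopes is a space-separated list of the requested OAuth2 scopes.
const auth = new google.auth.GoogleAuth({
  keyFile: "./serviceaccount.json",
  scopes: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
});

// Print the access token, or the error if the exchange fails.
auth
  .getAccessToken()
  .then((token) => console.log("token...", token))
  .catch((err) => console.log("err...", err));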

To use the auth token, remove the trailing dots from the token and use it for Google OAuth2 SSO.

ya29.c.b0AXv0zTNglPt9uo6eMdWF12345upclbNh5A-Keyo0JVk5BL-LjOnyjI4d3IqWFrZW3daUeXZrB-FeH-Q485ggXKSzhILjkabcdxDm_mJEEw9kciy4JFtNMteOHS3-wcaqFDU-kRNbeMMTlzYyNh03jW2tZEphDxyzjw0-kM116mFDwKFYX3H1234565768-HqZwWi4XsQNdu2s6UCdXlCO5rMz8

Scopes determine which data of that Google account the token can access. Follow this link to understand them better and to choose more appropriate scopes.
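What `getAccessToken()` does with the key file, shown as an added example (not code from the original post or its repo): the library signs a short-lived JWT with `private_key` and posts it to `token_uri` to obtain the access token. The key pair below is a throwaway generated at run time, and the function names are illustrative.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for serviceaccount.json: a throwaway RSA key generated
// at run time, so no real credential is involved.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sampleKeyFile = {
  private_key_id: "12345678901234567890",
  private_key: privateKey.export({ type: "pkcs8", format: "pem" }),
  client_email: "api-service-account@sample-account-123.iam.gserviceaccount.com",
  token_uri: "https://oauth2.googleapis.com/token",
};

const b64url = (value) => Buffer.from(value).toString("base64url");

// Build the RS256-signed JWT assertion used by the service-account flow.
function buildAssertion(keyFile, scopes, nowSeconds) {
  const header = { alg: "RS256", typ: "JWT", kid: keyFile.private_key_id };
  const claims = {
    iss: keyFile.client_email, // who is asking: the service account itself
    scope: scopes.join(" "),   // what the resulting token may access
    aud: keyFile.token_uri,    // only Google's token endpoint should accept it
    iat: nowSeconds,
    exp: nowSeconds + 3600,    // Google accepts a lifetime of at most one hour
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("RSA-SHA256", Buffer.from(signingInput), keyFile.private_key);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Form body POSTed to token_uri to exchange the assertion for an access token.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// Check an assertion's signature against the public half of the key.
function verifyAssertion(assertion, pubKey) {
  const [header, claims, signature] = assertion.split(".");
  const signed = Buffer.from(`${header}.${claims}`);
  return crypto.verify("RSA-SHA256", signed, pubKey, Buffer.from(signature, "base64url"));
}
```

Possession of the private key is the only proof of identity in this exchange, so anyone holding serviceaccount.json can mint tokens for that account; keep the file out of the repository and out of test logs.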

Initially, I thought I could use a Google account and pass a typical username/password for successful OAuth2 SSO. But that was not the case. I spent nearly 3–4 days figuring out that Google offers server-to-server authentication via a service account for Google OAuth2 SSO. If you want to crack it, don’t give up.
