It's rather straightforward to use the Google Sign-In library on the server side and attain a GoogleIdToken to validate a user's identity. However, I'd like to encrypt per-user data in my database with a secret that's unique to every user. Is there an easy way to do this? If not using Google Sign-in, you can derive keys from a user's password, but that's obviously not possible here.
3 Answers
Answers 1
Well, first of all, you're drawing a parallel to using the user's password to derive an encryption key, but since you're talking about that as an alternative if you weren't using Google Sign-On, that implies your talking about using the password that users would authenticate with. That's a bad idea.
Users need to be able to change their authentication password, and that will be a major hassle for you if you're encrypting with it. It will require you to decrypt everything with the old password and then re-encrypt it with the new one.
So what you need to find is something that you can pull out of the GoogleIdToken that will never change. Email addresses change, so I wouldn't use that. Perhaps the user id, which you can get with GoogleIdToken.getPayload().getSubject() is what you want. Then what you would want to do is derive a key from that. I would look for ways to combine it with other information that the user gives you that really is secret, though.
Answers 2
I really don't know anything about this, so I'm kinda just thinking out loud.
To get some idea as to the general process for using Google Sign In I've been looking over the following guides found at the Google Sign-in for Websites page
- Integrate Google Sign-In
- Authenticate with a Backend Server
- Google Sign-In for Server-Side Apps
Anyway, it seemes like it should be possible to use some combination of immutable characteristics of the users GoogleIdToken like their email, user id, etc in combination with some immutable characteristics of your app or web site, such as the app id or some other secret and create a hash value from that. Use that as your encryption key, or maybe send that thru OpenSSH or something for a stronger encryption hash.
Seems like in interesting problem, wish I had some insight into solving it. Perhaps I will research this more as I have a few interesting side projects I'm tinkering on.
Answers 3
The information you receive during a Google sign on is intended for authentication purposes. The id token is encoded as a Json Web Token. There is nothing secret in a JWT.
The information is cryptographically signed by the authentication provider, so you can verify the information. This is of no help for deriving secrets, though.
Looks like you'll have to find another way.
0 comments:
Post a Comment