Cloud Identity Platform OAuth2 Flows


Nick G

Nov 23, 2021, 12:47:10 PM
to Google Cloud Developers
Does GCP Cloud Identity Platform support traditional OAuth2 flows for applications? For instance, is it possible to authenticate with Identity Platform using an Authorization Code Flow?

To be more specific about the reasoning, our team is trying to use the GCP Cloud Identity Platform as our identity provider for a mobile app. The mobile app was initially developed for use with AWS Cognito, but our goal is to update the application to use Cloud Identity Platform instead, with minimal changes to the initial app.

The current flow the application uses to log in is the Authorization Code Flow using AWS Cognito as the OAuth2 server. The documentation for that process can be found here, under the "Authorization code grant" heading:


Is there any way to accomplish a similar Authorization Code Flow login process using GCP Identity Platform? I'm aware there's a WebUI library that can be used to create a login portal, but would this WebUI support the authorization code flow? I see there's support for overriding the sign-in redirect URL, which could possibly be combined with the signInSuccessWithAuthResult callback to some success? But it seems at that point we'd be implementing the authorization code flow ourselves manually, which doesn't seem like the greatest idea.

Elliott (Google Cloud Platform Support)

Nov 24, 2021, 9:58:55 AM
to Google Cloud Developers

Hello Nick,


Looking at the AWS document you provided, it appears to me that the process will provide an authorization code to an end user to exchange for a token.

I was able to find publicly facing documentation[1] for Cloud Identity Platform, which mentions how to enable authorization code flow. So to answer your question, Cloud Identity Platform offers authorization code flow. It appears that this is something similar to what you would like to do.

[1] https://cloud.google.com/identity-platform/docs/web/oidc#authorization_code_flow

Nick G

Nov 24, 2021, 12:46:36 PM
to Google Cloud Developers
Thanks for your response.

Please correct me if I'm wrong, but my understanding, from the documentation you linked, is that Cloud Identity Platform (CIP) supports adding other OpenID Connect (OIDC) compatible OAuth services (like AWS Cognito, Auth0, etc.) as an identity provider, similar to Google/Facebook/Apple/etc. When you're adding a custom OIDC provider, it seems like CIP allows you to specify whether the Authorization Code Flow or the Implicit OAuth flow is followed on the backend.

Our goal is to log in to CIP directly, using the Authorization Code Flow, without having to add an outside OAuth2 provider (Cognito/Auth0). I'm still not seeing how that would be possible, based on the documentation you linked. I have been unable to find any documentation stating that CIP hosts the necessary endpoints for OAuth2 flows itself, which would be an /authorize endpoint and a /token endpoint.

It seems like the closest option for using the Authorization Code Flow to log in to Cloud Identity Platform directly, again based on your linked documentation, would be to spin up another 3rd-party OAuth2 OIDC service, link it as a provider inside Cloud Identity Platform specifying the Authorization Code Flow, then sign in using OAuth from inside the app, but still having to do so by calling it with the Firebase SDK, rather than simply redirecting to a URL?

Lluis Munoz Ladron de Guevara

Dec 3, 2021, 10:41:18 AM
to Google Cloud Developers
Hello,

Thank you for your question.

I understand that you would like to log in to Cloud Identity Platform using the Authorization Code Flow, so that the token is never exposed to the end user, as happens in Cognito.

I discussed this topic with some colleagues. We think it's possible if you implement it on your end.

However, currently there is no supported way to do this. If you'd like GCP to have this feature, I encourage you to create a feature request; you can do so here. Please make sure to add as many details as possible.

Lastly, if you'd like help implementing this on your end, please create a question on Stack Overflow.
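The "implement it on your end" option that Lluis mentions boils down to acting as an OIDC relying party against whichever provider actually hosts the /authorize and /token endpoints Nick asks about. The following is an added example, not code from this thread, from Google, or from Cloud Identity Platform: it builds the front-channel /authorize redirect with a per-login state and PKCE pair, then validates the callback and assembles the back-channel /token request so that tokens only ever arrive in the response to that POST, never in the redirect. The provider URLs, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder provider endpoints. Per the thread, Cloud Identity Platform does not
# publish its own /authorize and /token endpoints, so these stand for whatever
# OIDC provider the app actually delegates to.
AUTHORIZE_URL = "https://idp.example.com/authorize"
TOKEN_URL = "https://idp.example.com/token"
CLIENT_ID = "example-client-id"        # placeholder
REDIRECT_URI = "myapp://oauth/callback"  # placeholder


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def start_login():
    """Front channel: build the /authorize redirect.

    Returns (url, session). The session holds the per-login secrets the callback
    must later be checked against: `state` ties the callback to this browser
    session (CSRF), `verifier` proves to /token that the same client that started
    the flow is redeeming the code (PKCE, S256)."""
    state = _b64url(secrets.token_bytes(16))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",  # code flow; "token" here would be the implicit flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Back channel: validate the redirect and build the /token POST body.

    Only the short-lived authorization code passes through the user agent; the
    access and ID tokens come back in the response to this POST to TOKEN_URL."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in q:
        raise ValueError("provider returned no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["verifier"],
    }
```

Send the returned body with an HTTP POST to TOKEN_URL from the app backend (or, for a public mobile client, from the app itself with PKCE doing the work a client secret would otherwise do), and treat a ValueError from handle_callback as a failed login rather than a retry.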