Google is removing old authentication APIs and I have to fix a GitHub login issue on my blog

Issue

From the day I created my blog, I wanted readers to be able to comment on my posts, so a registration/login module was part of the plan. Instead of adding a registration screen, though, I spent some time thinking about how to make logging in as short as possible. If a reader has no account and wants to join the discussion right away, being asked to fill in a long registration form will put them off. Time matters here: the more complicated the process, the more time it costs, and my readers will not bother. My target audience is developers, and a developer almost certainly already has a Google or GitHub account.

Both Google and GitHub offer OAuth-based sign-in: we register an application on their platform and let them authenticate the user and authorize our application on the user's behalf. With this approach a user needs as few as three clicks to log in. It is convenient for both sides: I do not have to build a registration step, and readers only need a Google or GitHub account.

I assumed that once the code was written it would keep working forever, and the feature did work for a while, until I noticed something odd. A user was commenting under the identity of another user: they had logged in with GitHub account A, but their comments appeared under the name and avatar of account B. I immediately disabled the GitHub login and started investigating. After a few days I tracked down a bug in my code, and then it was a matter of finding the time to fix it.

At the same time, Google sent several emails to owners of applications using its sign-in service announcing that, as of March 31, 2023, the old way of logging in with Google accounts (the Google Sign-In JavaScript platform library) would stop being supported, and that site owners had to migrate to the new library to keep the feature working. The deadline was close enough that I had to sit down and fix both problems at once.

While fixing these problems I learned a few lessons that are worth sharing. If you are dealing with a similar issue, or you are planning to implement social login, you can pick up some experience here before you hit the same wall.

OAuth Mechanism

First, let me briefly explain what OAuth is. You may already be familiar with the term, or you may simply know that any application with a "Sign in with Google/GitHub" button is using it. When you click the button, a browser window pops up asking whether you allow the ABC application to access your account. If you agree, you are logged in; otherwise nothing happens.

OAuth can get complicated, and this short article will not go into the details; there are plenty of articles on the internet describing the flow. Strictly speaking, OAuth 2.0 is an authorization framework, and "sign in with" is built on top of it (OpenID Connect in Google's case, a follow-up call to the profile API in GitHub's). For the purposes of this article it is enough to think of the process as two steps: authentication and authorization.

If you pay attention, whenever you click "Sign in with Google" a screen appears saying "The ABC application is requesting permission to access your Email/Drive/Docs..." and asks whether you allow it. If you choose "yes", you have authorized the ABC application with specific permissions, such as reading or writing the services it asked for. Concretely, at that moment the ABC application receives an access token that it can use to call the provider's APIs on your behalf, limited to the permissions (scopes) you granted.

Before the authorization screen comes the authentication step. Put simply, logging into your account is authentication: you prove to the provider that you are the account owner, and only then do you authorize the application by granting it permissions.

GitHub Login Issue

The problem was that I was too hasty and either took the wrong email address or failed to retrieve one at all. Specifically, for GitHub, after obtaining the user's access token I called the /user API to fetch the user's profile. Along with the name and avatar, the response contains an email field, and without a second thought I took that value as the user's login email. That was the root cause.

The email returned by /user is only the address the user chose to display publicly on their profile; it is null when they have not published one, so it is not a reliable identifier for the account. To get the user's real email you have to request permission to read email addresses during the authorization step, and then make a second API call that returns the list of the user's addresses, including the primary email and any secondary ones, some of which may be unverified.

In recent years, as concerns about leaking user data have grown, identity providers have become stricter about when an application is allowed to read a user's email address.

The Google side is similar: after receiving the Google ID token, I verify it and decode its claims to get the user's email address, together with a field that says whether Google has verified that address (email_verified). I am not entirely sure how the providers decide to mark an address as verified, but if Google or GitHub flags an address as "not verified" there is clearly something wrong with it and I should not trust it. So I think the best approach is to reject the login in that case.

Resolution

Once the root cause is known, the fix follows. As mentioned above, it is essential to read the provider's documentation carefully to learn how to retrieve the user's real email rather than the displayed one. Beyond that, I want to stress two points about authentication and authorization.

First, request the right permissions (scopes), including the permission to read the email address. With GitHub, this is the user:email scope, passed in the scope parameter of the URL you redirect the user to for login. Read more in Request a user's GitHub identity.

Second, know where the primary email address actually comes from. With GitHub, you need to call the API that lists the user's email addresses and pick the one that is marked primary and verified; addresses that fail either test should not be used to identify the account. Read more in List email addresses for the authenticated user.

In the case of Google, they are pushing everyone to move to Sign in with Google for Web, because the old Google Sign-In for Web library was deprecated on March 31, 2023.

Conclusion

OAuth lets users log in to your website with their Google or GitHub account without going through a tedious registration process. But when you rely on it, take care to verify the user's email address (and, more importantly, to identify the account by the provider's stable user id) so you do not run into a serious mistake like the one described in this article.

Comments (1)

Nguyễn Huyền Diệu, 1 year ago
Unrelated, but the cat looks so funny :))

Xuân Hoài Tống, 1 year ago
@gif [blPpTGDhn6hEI]