Geek Answers Handbook

Google server account, a way to encrypt / decrypt data using secrets managed by Google?

It is quite simple to use the server-side login library of Google and access the GoogleIdToken for user authentication. However, I would like to encrypt the data for each user in my database with a secret that is unique to each user. Is there an easy way to do this? If you do not use Google Sign-in, you can get the keys for the user's password, but this is obviously not possible here.

+7
authentication oauth encryption google-signin
source share
2 answers

Well, firstly, you draw a parallel using the user password to get the encryption key, but since you are talking about it as an alternative, if you are not using Google Sign-On, this means you are talking about using a password with which users will authenticate . It is a bad idea.

Users should be able to change their password for authentication, and this will be a big problem for you if you encrypt it. This will require that you decrypt everything with the old password, and then encrypt it again using the new one.

So, you need to find something that you can pull from the GoogleIdToken, which will never change. Change email addresses, so I will not use this. Perhaps the user ID that you can get with GoogleIdToken.getPayload (). GetSubject () is what you want. Then what you would like to do is to extract the key from this. I would be looking for ways to combine it with other information that the user gives you, which is really a secret.

0
source share

The information you receive when you sign in to Google is for authentication purposes. The identifier token is encoded as a Json Web token. There is nothing secret in JWT.

The information is cryptographically signed by the authentication provider, so you can verify the information. However, this does not help in secrets.

Looks like you have to find another way.

0
source share

More articles:


All Articles