Home > Uncategorized > Integrating #OpenYolo into a existing username/password login

Integrating #OpenYolo into a existing username/password login


When you first develop a website, everyone starts from the premise that the user creates an account and stores it in your own database, the idea of OAuth logins from Google / Facebook – only come as an afterthought as you start getting more users.

But then you have an issue, you have existing users that are authenticated against your own database, and other users that are going to be authenticated against Google YOLO.

I had the same issue with httpsImage.com where I just added OpenYOLO.

What I did was, when a signin happens with OpenYolo, I pass the response (email, name, token) back to the server. Which records the email address, and a random guid as the password, and returns the user account back to the client.

If the user is already registered, then it looks for a matching email address, and returns that account, without checking the password.

This now opens a serious security hole. If someone fakes the response from OpenYolo and includes an email address of another user, then they can become any user on the system.

This is where token validataion comes in, and it’s really important, since without it, you don’t know if your website is really talking to Google, or a hacker.

Where idToken is in the response from Google’s OpenYolo, now jCredential is as follows;
         "aud": "xxxx.apps.googleusercontent.com",
         "sub": "xxxx",
         "email": "xxx.xxx@gmail.com",
         "email_verified": "true",
         "azp": "xxxx-.apps.googleusercontent.com",
         "exp": "xxx",
         "iss": "https://accounts.google.com",
         "jti": "xxx",
         "iat": "xxx",
         "nbf": "xx",
         "name": "xxx xxxx",
         "picture": "https://lh5.googleusercontent.com/xxxc/photo.jpg",
         "given_name": "xxx",
         "family_name": "xxx",
         "alg": "xxx",
         "kid": "xxxx"

Importantly, you can now be sure that the information is definitely from Google, and you should expect the email field to match the email field in the request. Otherwise you should fail silently,  since it’s probably a hacker.

I did find that OpenYolo doesn’t work with IE11, since it uses promises, but hey, you’ve always got your origional login system.


Categories: Uncategorized
  1. May 22, 2018 at 9:31 am

    Update: you now have to apply for access before use; see here for access: https://docs.google.com/forms/d/e/1FAIpQLSdJkBth-e-62wQ7eYNy12rWOhYBMACChmC_w_CiwbzmcgEGDw/viewform


  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: