How to make a pure JavaScript based Google or Facebook OAuth 2.0 secure to spoofing?

Question

I am implementing JavaScript based Google or Facebook OAuth for a client login system, where I hope to use the Access Token and Email Id combination returned from Google/Facebook after successful authentication of the user to create session on the Server. I have a .NET based server application. I am hoping to send this Access Token and Email Id combination using some AJAX methods like $.ajax and creating a session for this email id on the server end.

Now I have a limitation, my server is behind a firewall and it cannot contact Google/Facebook to validate the access token.

One of my colleague pointed me out that as there is no communication between my Server and Google/Facebook, any malicious user can send me user A's email id with any random access token, and I have no way to check the validity of this token whether it actually belongs to User A.

My server is using SSL communication. So, how can I make this scenario secure.

Answer 1

I don’t think you should use a token you can’t validate. I don’t think your app can be run if you can’t contact IDPs to validate tokens. It’s a bit surprising, most firewalls let you call out, they don’t let others call in.

Answer 2

You could request an ID token as described here Cloud endpoints oauth2 error

This contains a signed user ID and email in a JWT.

This article might help https://support.zendesk.com/entries/23675367-Setting-up-single-sign-on-with-JWT-JSON-Web-Token-

disclaimer: I haven't tried any of this personally. Also, as Tim says, are you sure you can't call out from behind your firewall?