# 1. Authorization Request (User Initiates Login) A user clicks on the **Login with Google** button on the the app `xorismesiti.gr`. The app request permission to access certain Google APIs (like the user's email, profile, etc.). ```sh GET https://accounts.google.com/o/oauth2/v2/auth? response_type=code& client_id=YOUR_GOOGLE_CLIENT_ID& redirect_uri=https://xorismesiti.gr/callback& scope=email%20profile& state=xyz123 ``` - `response_type=code`: This indicates you're using the "authorization code" flow. - `client_id`: Your Google API client ID. - `redirect_uri`: The URI Google will redirect to after the user consents. - `scope`: The permissions you're requesting (e.g., email, profile). - `state`: A random string to protect against CSRF attacks. # 2. User Login and Consent - The user is redirected to Google's login page. - If they're not already logged in, they will be prompted to enter their Google credentials. - After successful login, the user will be shown a consent screen where they can grant or deny permission for your app to access their Google account (e.g., email and profile information). **User Action**: The user clicks "Allow" to grant access. # 3. Authorization Code Response (Google Redirects to Your Platform) Google redirects the user back to your platform's redirect_uri `https://xorismesiti.gr/callback` with an authorization_code in the query parameters. ```sh GET https://xorismesiti.gr/callback? code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q& state=xyz123 ``` - `HTTP` Method: GET - `URL`: https://xorismesiti.gr/callback - `Parameters`: - `code`: The authorization code sent by Google. - `state`: The same state value sent in the original request (for CSRF protection). # 4. Access Token Request (Exchange Authorization Code for Token) Now that your platform has the authorization code, it sends a POST request to Google's token endpoint to exchange the authorization code for an access token and refresh token. - `HTTP` Method: POST - `URL`: https://oauth2.googleapis.com/token - `Headers`: - `Content`-Type: application/x-www-form-urlencoded - `Body` Parameters: - `grant_type`=authorization_code: This specifies the grant type. - `code`: The authorization code you received in the previous step. - `redirect_uri`: The same redirect URI used in the authorization request. - `client_id`: Your Google API client ID. - `client_secret`: Your Google API client secret (which should be kept secure). ```sh POST https://oauth2.googleapis.com/token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q& redirect_uri=https://xorismesiti.gr/callback& client_id=YOUR_GOOGLE_CLIENT_ID& client_secret=YOUR_GOOGLE_CLIENT_SECRET ``` # 5. Access Token Response (Google Returns Tokens) Google validates the request and returns a response with the access token (which can be used to access the user's Google resources) and optionally, a refresh token (which can be used to refresh the access token when it expires). ```json { "access_token": "ya29.a0AfH6SMC8Op6zXZkHi2XITkDoOVzYXt3hTY6sny54UlWlxrnKlX5Xv78is7BEHekVX-VoA", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "1//04d5XHqmn6Hdy3wTf5OYDP1SyBa74zEFURjddQ2A1cFw78PY13pQyWhlD2A6XhDQtKlrjAqU4kS3vGdMvckw", "scope": "email profile" } ``` - HTTP Method: 200 OK - Response Body: - access_token: The access token used for accessing the user's resources (e.g., profile, email). - token_type: Usually Bearer, indicating the type of token. - expires_in: The lifetime of the access token in seconds (e.g., 3600 seconds = 1 hour). - refresh_token: (Optional) The refresh token used to obtain a new access token when the current one expires. - scope: The scope of access granted (e.g., email, profile).