stevaidis/dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dev/OAuth2.md
Ste Vaidis 6ef8e13c70 Update OAuth2.md
2024-12-15 09:54:22 +02:00

2.8 KiB
Raw Blame History

1. Authorization Request (User Initiates Login)

A user clicks on the Login with Google button on the the app xorismesiti.gr.

The app request permission to access certain Google APIs (like the user's email, profile, etc.).

GET https://accounts.google.com/o/oauth2/v2/auth?
    response_type=code&
    client_id=YOUR_GOOGLE_CLIENT_ID&
    redirect_uri=https://xorismesiti.gr/callback&
    scope=email%20profile&
    state=xyz123
  • response_type=code: This indicates you're using the "authorization code" flow.
  • client_id: Your Google API client ID.
  • redirect_uri: The URI Google will redirect to after the user consents.
  • scope: The permissions you're requesting (e.g., email, profile).
  • state: A random string to protect against CSRF attacks.

2. User Login and Consent

  • The user is redirected to Google's login page.

  • If they're not already logged in, they will be prompted to enter their Google credentials.

  • After successful login, the user will be shown a consent screen where they can grant or deny permission for your app to access their Google account (e.g., email and profile information).

User Action: The user clicks "Allow" to grant access.

3. Authorization Code Response (Google Redirects to Your Platform)

Google redirects the user back to your platform's redirect_uri https://xorismesiti.gr/callback with an authorization_code in the query parameters.

GET https://xorismesiti.gr/callback?
    code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q&
    state=xyz123
  • HTTP Method: GET
  • URL: https://xorismesiti.gr/callback
  • Parameters:
    • code: The authorization code sent by Google.
    • state: The same state value sent in the original request (for CSRF protection).

4. Access Token Request (Exchange Authorization Code for Token)

Now that your platform has the authorization code,

it sends a POST request to Google's token endpoint

to exchange the authorization code for an access token and refresh token.

  • HTTP Method: POST
  • URL: https://oauth2.googleapis.com/token
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • grant_type=authorization_code: This specifies the grant type.
    • code: The authorization code you received in the previous step.
    • redirect_uri: The same redirect URI used in the authorization request.
    • client_id: Your Google API client ID.
    • client_secret: Your Google API client secret (which should be kept secure).
POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q&
redirect_uri=https://xorismesiti.gr/callback&
client_id=YOUR_GOOGLE_CLIENT_ID&
client_secret=YOUR_GOOGLE_CLIENT_SECRET