79 lines
2.8 KiB
Markdown
79 lines
2.8 KiB
Markdown
|
|
# 1. Authorization Request (User Initiates Login)
|
|
|
|
A user clicks on the **Login with Google** button on the the app `xorismesiti.gr`.
|
|
|
|
The app request permission to access certain Google APIs (like the user's email, profile, etc.).
|
|
|
|
```sh
|
|
GET https://accounts.google.com/o/oauth2/v2/auth?
|
|
response_type=code&
|
|
client_id=YOUR_GOOGLE_CLIENT_ID&
|
|
redirect_uri=https://xorismesiti.gr/callback&
|
|
scope=email%20profile&
|
|
state=xyz123
|
|
```
|
|
|
|
- `response_type=code`: This indicates you're using the "authorization code" flow.
|
|
- `client_id`: Your Google API client ID.
|
|
- `redirect_uri`: The URI Google will redirect to after the user consents.
|
|
- `scope`: The permissions you're requesting (e.g., email, profile).
|
|
- `state`: A random string to protect against CSRF attacks.
|
|
|
|
# 2. User Login and Consent
|
|
|
|
- The user is redirected to Google's login page.
|
|
|
|
- If they're not already logged in, they will be prompted to enter their Google credentials.
|
|
|
|
- After successful login, the user will be shown a consent screen where they can grant or deny permission for your app to access their Google account (e.g., email and profile information).
|
|
|
|
**User Action**: The user clicks "Allow" to grant access.
|
|
|
|
# 3. Authorization Code Response (Google Redirects to Your Platform)
|
|
|
|
Google redirects the user back to your platform's redirect_uri `https://xorismesiti.gr/callback` with an authorization_code in the query parameters.
|
|
|
|
```sh
|
|
GET https://xorismesiti.gr/callback?
|
|
code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q&
|
|
state=xyz123
|
|
```
|
|
|
|
- `HTTP` Method: GET
|
|
- `URL`: https://xorismesiti.gr/callback
|
|
- `Parameters`:
|
|
- `code`: The authorization code sent by Google.
|
|
- `state`: The same state value sent in the original request (for CSRF protection).
|
|
|
|
|
|
# 4. Access Token Request (Exchange Authorization Code for Token)
|
|
|
|
Now that your platform has the authorization code,
|
|
|
|
it sends a POST request to Google's token endpoint
|
|
|
|
to exchange the authorization code for an access token and refresh token.
|
|
|
|
- `HTTP` Method: POST
|
|
- `URL`: https://oauth2.googleapis.com/token
|
|
- `Headers`:
|
|
- `Content`-Type: application/x-www-form-urlencoded
|
|
- `Body` Parameters:
|
|
- `grant_type`=authorization_code: This specifies the grant type.
|
|
- `code`: The authorization code you received in the previous step.
|
|
- `redirect_uri`: The same redirect URI used in the authorization request.
|
|
- `client_id`: Your Google API client ID.
|
|
- `client_secret`: Your Google API client secret (which should be kept secure).
|
|
|
|
|
|
```sh
|
|
POST https://oauth2.googleapis.com/token
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
grant_type=authorization_code&
|
|
code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q&
|
|
redirect_uri=https://xorismesiti.gr/callback&
|
|
client_id=YOUR_GOOGLE_CLIENT_ID&
|
|
client_secret=YOUR_GOOGLE_CLIENT_SECRET
|
|
``` |