stevaidis/dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dev/OAuth2.md
Ste Vaidis abfba4077f Update OAuth2.md
2024-12-15 09:57:39 +02:00

107 lines
3.9 KiB
Markdown
Raw Blame History

# 1. Authorization Request (User Initiates Login)
A user clicks on the **Login with Google** button on the the app `xorismesiti.gr`.
The app request permission to access certain Google APIs (like the user's email, profile, etc.).
```sh
GET https://accounts.google.com/o/oauth2/v2/auth?
response_type=code&
client_id=YOUR_GOOGLE_CLIENT_ID&
redirect_uri=https://xorismesiti.gr/callback&
scope=email%20profile&
state=xyz123
```
- `response_type=code`: This indicates you're using the "authorization code" flow.
- `client_id`: Your Google API client ID.
- `redirect_uri`: The URI Google will redirect to after the user consents.
- `scope`: The permissions you're requesting (e.g., email, profile).
- `state`: A random string to protect against CSRF attacks.
# 2. User Login and Consent
- The user is redirected to Google's login page.
- If they're not already logged in, they will be prompted to enter their Google credentials.
- After successful login, the user will be shown a consent screen where they can grant or deny permission for your app to access their Google account (e.g., email and profile information).
**User Action**: The user clicks "Allow" to grant access.
# 3. Authorization Code Response (Google Redirects to Your Platform)
Google redirects the user back to your platform's redirect_uri `https://xorismesiti.gr/callback` with an authorization_code in the query parameters.
```sh
GET https://xorismesiti.gr/callback?
code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q&
state=xyz123
```
- `HTTP` Method: GET
- `URL`: https://xorismesiti.gr/callback
- `Parameters`:
- `code`: The authorization code sent by Google.
- `state`: The same state value sent in the original request (for CSRF protection).
# 4. Access Token Request (Exchange Authorization Code for Token)
Now that your platform has the authorization code,
it sends a POST request to Google's token endpoint
to exchange the authorization code for an access token and refresh token.
- `HTTP` Method: POST
- `URL`: https://oauth2.googleapis.com/token
- `Headers`:
- `Content`-Type: application/x-www-form-urlencoded
- `Body` Parameters:
- `grant_type`=authorization_code: This specifies the grant type.
- `code`: The authorization code you received in the previous step.
- `redirect_uri`: The same redirect URI used in the authorization request.
- `client_id`: Your Google API client ID.
- `client_secret`: Your Google API client secret (which should be kept secure).
```sh
POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=4/0AX4XfWgNmGZVbV7Kdr8Q9yVyzIYBnbbBdLfX39ZaE8m0w8zT8jKRLl7w-uT8k7WiyLg0Q&
redirect_uri=https://xorismesiti.gr/callback&
client_id=YOUR_GOOGLE_CLIENT_ID&
client_secret=YOUR_GOOGLE_CLIENT_SECRET
```
# 5. Access Token Response (Google Returns Tokens)
Google validates the request
and returns a response with the access token (which can be used to access the user's Google resources)
and optionally, a refresh token (which can be used to refresh the access token when it expires).
```json
{
"access_token": "ya29.a0AfH6SMC8Op6zXZkHi2XITkDoOVzYXt3hTY6sny54UlWlxrnKlX5Xv78is7BEHekVX-VoA",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "1//04d5XHqmn6Hdy3wTf5OYDP1SyBa74zEFURjddQ2A1cFw78PY13pQyWhlD2A6XhDQtKlrjAqU4kS3vGdMvckw",
"scope": "email profile"
}
```
- HTTP Method: 200 OK
- Response Body:
- access_token: The access token used for accessing the user's resources (e.g., profile, email).
- token_type: Usually Bearer, indicating the type of token.
- expires_in: The lifetime of the access token in seconds (e.g., 3600 seconds = 1 hour).
- refresh_token: (Optional) The refresh token used to obtain a new access token when the current one expires.
- scope: The scope of access granted (e.g., email, profile).
Reference in New Issue View Git Blame Copy Permalink