cjmling / findings

Notes on stuff I find worth keeping for quick reference later on.

Google Oauth Simple Explained #247

Open cjmling opened 4 years ago

cjmling commented 4 years ago

Full Documentation : https://developers.google.com/identity/protocols/OAuth2

Quick explanation

  1. We need to create a client_id and client_secret from the Google developer console, which will be used to get the code.

  2. After we get the client_id and client_secret, we will use them to get a code. That code will be used to get an access_token and refresh_token.

As we will be doing this authorization on the server side, the documentation for it can be read here ( https://developers.google.com/identity/protocols/OAuth2WebServer ), but a quick explanation of it is:

We will redirect the user to the url https://accounts.google.com/o/oauth2/v2/auth with required params such as client_id , client_secret , scope ( what api of the user we want to access ), and a few others; read the doc for more detail.

You can build this url using Google libraries or just append the params to the url. Nothing fancy.

The user will be prompted with a consent screen asking whether they want to allow this app to access specific info. If the user clicks allow, Google will redirect back to our website with a code.

  3. Once we have the code, we will use it to send a request to https://accounts.google.com/o/oauth2/v2/auth with the required params. You can do this using a library, or just using axios is fine too.

Now Google will respond back with an access_token and refresh_token. We should store both tokens in the database to use later.

access_token = will expire every hour; it can live for 3600 seconds. This is the token we will use to make api requests to get data.

refresh_token = will not expire, and this is the code we will use to get an access_token again once it has expired.

NOTE: we will get a refresh_token only the first time the user allows us. Next time when we use a code to get an access_token, we won't get a refresh_token again.

During the development process, we might still want to get a refresh_token again and again, which seems to be doable in 3 ways

  4. Once we have an access_token, we will use it to make requests to get data from the selected api.

SEO: google authentication to use api

cjmling commented 4 years ago

Once the access token has expired, we will need to recreate it; see #250 Google Oauth create new access_token.