zquestz / omniauth-google-oauth2

Oauth2 strategy for Google

Add documentation for alternates to Hybrid Authentication #365

Closed: michaelhays closed 4 years ago

michaelhays commented 5 years ago

Like many, I struggled to get the Hybrid Authentication working with this library, due to several errors, before finally giving up on the redirect_uri_mismatch error (relevant issues: 181, 250, 281, and a bunch of StackOverflow posts like this one and this one).

The proposed solution for most of these was to fix the version of a different gem:

gem 'omniauth-oauth2', '~> 1.3.1'

This wasn't an option for me, so I dove into the omniauth-google-oauth2 code and found this:

elsif verify_token(request.params['access_token'])
  ::OAuth2::AccessToken.from_hash(client, request.params.dup)

Using this, I was able to follow Google's documentation using the access_token of a user (instead of a one-time code) and POST that to the /auth/google/callback endpoint:

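// Wrapped in an async function so that `await` is valid (the function name is illustrative).
// `api` is the poster's own HTTP client instance, defined elsewhere.
async function signInWithGoogle() {
  const googleAuth = window.gapi.auth2.getAuthInstance();
  const googleUser = await googleAuth.signIn();
  // Access token for the signed-in user (not a one-time code).
  const { access_token } = googleUser.getAuthResponse();

  const data = new FormData();
  data.append('access_token', access_token);

  // POST the token to the OmniAuth callback endpoint.
  api.post('/auth/google/callback', data)
    .then(response => console.log(response));
}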

This ended up being a lot simpler for me, and I really think it would help other people if this were documented somewhere.

Does this all make sense, and do you agree? If so, I'm happy to write it up and make a pull request with that documentation when I have the time (a bit busy right now).
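Added example, not part of the original post and not the gem's own code: an access token POSTed from the browser should only be accepted if Google issued it to this application, so the sketch below checks the `aud` field of Google's tokeninfo response against the app's client ID and fails closed. The helper name, client IDs and sample responses are constructed for illustration; the fetcher is injectable so the check runs offline.

```ruby
require 'json'
require 'net/http'
require 'uri'

TOKENINFO_URL = 'https://www.googleapis.com/oauth2/v3/tokeninfo'

# Live fetcher: asks Google which OAuth client the access token was issued to.
LIVE_FETCHER = lambda do |access_token|
  uri = URI(TOKENINFO_URL)
  uri.query = URI.encode_www_form(access_token: access_token)
  res = Net::HTTP.get_response(uri)
  res.is_a?(Net::HTTPSuccess) ? JSON.parse(res.body) : nil
end

# Hypothetical helper: true only if the token was issued to one of our
# client IDs and still has lifetime left. Any error means rejection.
def token_issued_to_us?(access_token, allowed_client_ids, fetcher: LIVE_FETCHER)
  return false if access_token.to_s.empty?

  info = fetcher.call(access_token)
  return false unless info.is_a?(Hash)
  return false unless info['expires_in'].to_i.positive?

  allowed_client_ids.include?(info['aud'])
rescue JSON::ParserError, SocketError, SystemCallError, Timeout::Error
  false # fail closed on malformed responses or network errors
end

# Constructed sample data standing in for tokeninfo responses.
OUR_CLIENT_ID = 'our-app.apps.googleusercontent.com'
SAMPLE_RESPONSES = {
  'tok-ours' => { 'aud' => OUR_CLIENT_ID, 'expires_in' => '3400' },
  'tok-other-app' => { 'aud' => 'other-app.apps.googleusercontent.com', 'expires_in' => '3400' },
  'tok-expired' => { 'aud' => OUR_CLIENT_ID, 'expires_in' => '0' }
}.freeze
OFFLINE_FETCHER = ->(token) { SAMPLE_RESPONSES[token] }

# Runs the check over the constructed tokens, including one Google does not know.
def demo_results
  %w[tok-ours tok-other-app tok-expired tok-unknown].to_h do |token|
    [token, token_issued_to_us?(token, [OUR_CLIENT_ID], fetcher: OFFLINE_FETCHER)]
  end
end

p demo_results if __FILE__ == $PROGRAM_NAME
```

Only `tok-ours` passes; a valid Google token issued to a different application is rejected, which is the case the audience check exists for.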

zquestz commented 5 years ago

This would be great to document! If you could add this to an example file or the README it would be awesome.

jasperduane77 commented 4 years ago

Hello. Do you guys still want to add this to the README? 😄

michaelhays commented 4 years ago

Yes! Just made a PR. Thanks for the reminder :)

pacarvalho commented 1 year ago

Is the access_token referred to here actually the id_token (the signed JWT from Google with information on the user)?