Manually build a login flow with Google OAuth
High level implementation:
- When a user chooses to log in via Google, App X's browser side redirects the user to the Google OAuth /auth endpoint, specifying App X's client_id, redirect_uri, and a dynamically generated, unguessable "state" value (this is what lets App X tie the later callback to the session that started the login). You can also specify a space-delimited scope listing the permissions you need. You should also include the following parameters with the values in brackets: response_type (code), access_type (offline), include_granted_scopes (true).
- The user lands on the Google login page, logs in to Google (if not already logged in), and chooses which permissions to grant App X.
- Google redirects the user back to App X's redirect URL with the "state" parameter and a code parameter.
- App X verifies that the "state" parameter matches the value it generated for this session, then sends the code to its server side.
- The server side of App X takes the code and sends an HTTP POST request to the Google OAuth2 token endpoint oauth2.googleapis.com/token, including the code passed from its client side, client_id, client_secret, the same redirect_uri used on its client side, and grant_type (authorization_code).
- Google OAuth returns the requested access token (which you can use right away to call other Google APIs), a refresh token (which stays valid until the user revokes App X's permissions, and which App X can use to obtain a new access token), and expires_in (the lifetime of the returned access token).
- App X can then use the access token to call a Google API to get the user's email or other information.
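The client-side half of the flow above (build the /auth redirect, verify "state" on the callback, assemble the token POST body), as an added example that is not part of the original notes. The /auth endpoint URL and the `session` dict are assumptions; the token endpoint and parameter names are the ones listed above. No network call is made, so it runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Token endpoint is from the notes above; the /auth URL is an assumed value.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def build_auth_url(client_id, redirect_uri, scopes, session):
    """Step 1: URL to redirect the browser to. The random state is stored in
    the caller-owned session dict so the callback can be tied to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "access_type": "offline",
        "include_granted_scopes": "true",
        "scope": " ".join(scopes),  # space-delimited; urlencode escapes it
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url, session):
    """Step 2: validate Google's redirect and return the code, or raise.
    The stored state is consumed so a second callback cannot reuse it."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in query:  # user denied access on the consent page
        raise PermissionError(query["error"][0])
    return query["code"][0]


def token_exchange_body(code, client_id, client_secret, redirect_uri):
    """Step 3 (server side only): form body for the POST to TOKEN_ENDPOINT."""
    return {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
        "grant_type": "authorization_code",
    }
```

The client_secret belongs only in the server-side exchange; the browser never sees it.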
Below is an example redirect request (the scope is read-only Google Drive plus userinfo email). It is an HTTP GET redirect:
scope= https%3A//www.googleapis.com/auth/drive.readonly%20https%3A//www.googleapis.com/auth/user.profile%20https%3A//www.googleapis.com/auth/userinfo.email &
Below is an example redirect response if access is denied by the user:
Below is an example redirect response if access is granted by the user:
Below is an example exchange of code for access token request:
POST /token HTTP/1.1
Below is an example exchange of code for access token response:
When you need to refresh your access token, below is a sample request:
POST /token HTTP/1.1
Below is a sample response:
How to get a user's email
Do the following GET request:
With the following HTTP request header:
Authorization: Bearer <your access token>
Here is a sample response:
"name": "Jimmy Tang",
How to use Google Drive API
If you are accessing a user's Google Drive on behalf of the user, these are the permissions you need to request, depending on what you want to do: https://developers.google.com/drive/api/v3/about-auth
For example, to be able to download the user's files on Google Drive, you will need the https%3A//www.googleapis.com/auth/drive.readonly permission (include it in the scope parameter when you request authorization).
See the Google Drive API reference document: https://developers.google.com/drive/api/v3/reference/files/list