3. Redirecting the user to authentication server
Your web
app
Browser
Google
Redirect to:
https://auth.google.com
http://localhost/myapp
https://auth.google.com
https://auth.google.com
Redirect the user to Google,
Facebook, etc.
4. User logging in and granting permission to the app
Google
Grant permission to
app 123?
Browser
OK
Your web
app
http://localhost/myapp
Redirect to:
http://localhost/myapp/resume?
access_token=abc
Using the access token, the
web app can do things as the
user.
Redirect the browser
to the web app.
...
access_token=abc
5. But wait!
Google
Grant permission to
app 123?
Browser
OK
Your web
app
http://localhost/myapp
Redirect to:
http://localhost/myapp/resume?
access_token=abc
How does Google
know the URL of
your web app?
How does Google know
the name of your web app
(app 123)?
6. Your web app needs to tell Google its name &
resume URL at the beginning
Your web
app
Browser
Google
Redirect to:
https://auth.google.com ?
client_id=app123&
redirect_url=http://localhost/myapp/resume
http://localhost/myapp
https://auth.google.com ?
client_id=...&
redirect_url=...
Your web app provides
its name and resume
URL to Google via the
browser.
7. User logging in and granting permission to the app
Google
https://auth.google.com
Grant permission to
app 123?
Browser
OK
Your web
app
http://localhost/myapp
Redirect to:
http://localhost/myapp/resume?
access_token=abc
...
access_token=abc
8. Acting as the user to do things (e.g., retrieve his
profile info)
Google
https://profile.google.com
Your web
app
https://profile.google.com?
clientId=app123&
access_token=abc
{
"user_name":"kent",
...
}
May be a dedicated server
for retrieving user profile.
9. However, the token is for the web app but handed to
the browser
Google
Grant permission to
app 123?
Browser
OK
Redirect to:
http://localhost/myapp/resume?
access_token=abc
If the browser has been hacked, the
hacker can use the access token and
pretend to be your web app.
Your web
app
...
access_token=abc
10. Sending an authorization code instead of the access
token
Google
Grant permission to
app 123?
Browser
OK
Your web
app
Redirect to:
http://localhost/myapp/resume? code=xyz
...?code=xyz
11. The authorization code CANNOT be used to do
things as the user
Google
https://profile.google.com
Browser or
hacker
https://profile.google.com?
clientId=app123&
access_token=xyz
"invalid access
token"
12. The app can get an access token with the
authorization code
Google
https://token.google.com
Grant permission to
app 123?
Browser
OK
Your web
app
...?code=xyz
https://token.google.com?
client_id=app123&
client_secret=aaa
code=xyz
{
"access_token":"abc",
...
}
Google Only the web app and Google
know this client secret.
Allow?
Redirect.
May be a dedicated
server for getting an
access token.
13. Acting as the user to do things
Google
https://profile.google.com
Your web
app
http://localhost/myapp
https://profile.google.com?
clientId=app123&
access_token=abc
{
"user_name":"kent",
...
}
14. The app wants everything or just simple things like
email?
Your web
app
Browser
Google
Redirect to:
https://auth.google.com?
client_id=app123&
scope=public_info&
redirect_url=http://localhost/myapp/resume
https://auth.google.comhttps://auth.google.com?
client_id=app123&
scope=public_info&
...
The available scope
values and meanings
are decided by the
auth server.
15. app wants everything or just simple things like
email?
Google
https://auth.google.com
Grant permission to
read your public
info to app 123?
Browser
OK
Your web
app
Redirect