Video Tutorial: Understanding OAuth 2.0, Connecting via Google


In this tutorial we look at part of the OAuth 2.0 protocol by setting up a login system based on Google Sign-In.

The goal of the OAuth 2.0 protocol

OAuth is an authorization protocol that lets a user grant one site access to data hosted on another site. Google, Facebook, Twitter and others use it to let users share their information with third-party applications, and it is very often the basis of a "Sign in with X" feature. Strictly speaking OAuth only delegates access; the "sign in" part comes from the identity information the third-party service exposes on top of it (for Google, the OpenID Connect userinfo endpoint).

Step 1: Obtaining the authorization

The first step is to ask the user for the permissions needed to access the data or actions we are interested in.
To do so we send the user to the authorization URL with the following query parameters:

?
 scope=email&
 access_type=online&
 redirect_uri=&
 response_type=code&
 client_id=
  • The authorization URL is given in the service's documentation or, as with Google, in a discovery document that lists all the endpoints.
  • The client_id is obtained by creating an application with the service concerned. Creating the application also lets you customize the consent screen that will be shown to the user.
  • The scope depends on the service and defines the information you wish to obtain or the actions you wish to perform on behalf of the user. Request only what the feature needs; every scope is shown to the user and widens what a leaked token can do.
  • The redirect_uri is the URL the user is sent back to once they have accepted the permissions; that URL is responsible for processing the authorization response. It must exactly match a URI registered with the application, otherwise the authorization server refuses the request.
  • The access_type defines the kind of token you wish to obtain. "offline" also returns a refresh_token, which can be used to generate a new access_token later and thus call the API long after the user's acceptance.

Step 2: The user accepts the permissions

If the user accepts the permissions, their browser is redirected to the redirect_uri given in step 1, with an authorization code in the query string. Before using it, check that the state value you sent in step 1 came back unchanged; otherwise an attacker can have your callback consume a code they obtained themselves.
This authorization code is only valid for a short time and can be exchanged once for an access token at the service's token endpoint:

curl --request POST \
  --url  \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data client_id= \
  --data client_secret= \
  --data code= \
  --data redirect_uri= \
  --data grant_type=authorization_code

In exchange for this request we obtain an access token, which will then let us call the third-party service's APIs. The redirect_uri must be repeated byte for byte, and the client_secret must only ever be sent from your server, never from the browser.

{
  "access_token": "yaz/eaze.azrjpazroijznfazkvhjzabvkjzbfk",
  "expires_in": 3600,
  "refresh_token": "az/Ezjo.123I21H3INaoeaze123",
  "token_type": "Bearer"
}

The refresh_token field is only present when access_type=offline was requested; expires_in is the access token's lifetime in seconds.

Step 3: We use the access token

Now that we have the access token, we send it in the Authorization header of our requests to call the API endpoints covered by the scopes we asked for. The token is a bearer credential: anyone holding it can use it until it expires, so keep it server-side and send it only over HTTPS.
For example, to retrieve the user's profile information:

curl --request GET \
  --url  \
  --header 'authorization: Bearer '

Step 4 (in the offline case): Refresh the token

If you requested offline access during authorization, you can obtain a new access token whenever you want by presenting the refresh_token obtained in step 2. Google only returns a refresh_token the first time the user consents (unless you add prompt=consent), and it stays valid until the user revokes access, so store it as carefully as the client_secret.

curl --request POST \
  --url  \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data client_id= \
  --data client_secret= \
  --data refresh_token= \
  --data grant_type=refresh_token

This yields a new access token without asking the user to authorize again.
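The four steps above as one server-side client, written as an added example rather than code from the tutorial. It builds the step 1 URL, validates the step 2 callback, and produces the form bodies for the token exchange and refresh; a pluggable transport keeps the token-endpoint call out of the way so the module runs offline. Beyond the parameters shown on the page it adds the state check and a PKCE code_challenge, both of which Google accepts. The endpoint constants are assumed from Google's discovery document (the page leaves them blank), and every client id, secret, code and token below is a made-up placeholder.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

# Assumed from Google's discovery document
# (https://accounts.google.com/.well-known/openid-configuration); verify them there.
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"
USERINFO_URL = "https://openidconnect.googleapis.com/v1/userinfo"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id, redirect_uri, scope="email", access_type="online"):
    """Step 1: return (authorization URL, values to keep in the user's session).

    Adds to the page's parameters a random `state` (anti-CSRF nonce that must come
    back unchanged) and a PKCE challenge whose verifier is sent in step 2.
    """
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "access_type": access_type,
        "state": state,
        "code_challenge": _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()),
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urlencode(params), {"state": state, "code_verifier": code_verifier}


def parse_callback(callback_url, session):
    """Step 2, client side: extract the code from the redirect, refusing error
    responses and any callback whose state does not match this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization refused: %s" % query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"), session["state"].encode("utf-8")):
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]


def token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 2, token endpoint: form body of the code-for-token exchange.
    redirect_uri must repeat the step 1 value byte for byte."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def refresh_request(client_id, client_secret, refresh_token):
    """Step 4: form body that trades a refresh_token for a new access_token."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }


def bearer_headers(access_token):
    """Step 3: the only header a resource request (e.g. to USERINFO_URL) needs."""
    return {"Authorization": "Bearer " + access_token}


def post_form(url, form, transport=None):
    """POST an x-www-form-urlencoded body and decode the JSON reply.
    `transport(request) -> bytes` replaces the network in tests; by default
    urlopen is used and raises on a non-2xx status."""
    body = urlencode(form).encode("ascii")
    request = Request(url, data=body, method="POST",
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
    if transport is None:
        with urlopen(request, timeout=10) as response:
            raw = response.read()
    else:
        raw = transport(request)
    reply = json.loads(raw)
    if "error" in reply:  # the token endpoint reports failures as {"error": "..."}
        raise RuntimeError("token endpoint error: %s" % reply["error"])
    return reply
```

The session dictionary returned by build_authorization_request is what your web framework must persist (cookie session or server store) between the redirect to Google and the callback; the code_verifier never appears in the browser URL, only the SHA-256 challenge does.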

Links mentioned in the video