Google OAuth 2.0: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
No edit summary
 
(11 intermediate revisions by the same user not shown)
Line 3: Line 3:
* [[OAuth_2.0#Subjects|OAuth 2.0]]
* [[OAuth_2.0#Subjects|OAuth 2.0]]


=Call Sequence=
=Overview=
 
=Call Sequences=
 
==Authorization Code Grant Type==


<font color=darkgray>Experimental:</font>
<font color=darkgray>Experimental:</font>


  GET /o/oauth2/iframe
  GET accounts.google.com /o/oauth2/iframe
 
This returns the JS code that starts the "IDP Frame".


  GET /o/oauth2/iframerpc?action=checkOrigin&origin=http%3A%2F%2Fnombp3.local%3A3002&client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com
  GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
  origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
  client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com


client_id value is hardcoded in the client application (js/gutil.js).
client_id value is hardcoded in the client application (js/gutil.js).
Response:
<syntaxhighlight lang='json'>
:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
{"valid":true}
</syntaxhighlight>
If the client is deemed valid:
GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
  client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
  origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
  scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com
At this point we get "Sign in with Google" and the browser waits.
Upon clicking on "Sign in ..."
GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
  response_type=code%20permission%20id_token&
  scope=openid%20profile%20email&openid.realm=&
  client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
  ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
  access_type=offline&
  include_granted_scopes=true&
  prompt=consent&
  origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
  gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
  as=K7777777777WNlU0OQ&
  destination=http://testclient.novaordis.s3.amazonaws.com&
  approval_state=!dfeereSU5....3NofFSA&
  oauthgdpr=1&
  xsrfsig=Me...34B
This is where the account pop-up shows.
This is a sign in:
POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j
Upon successful authentication:
GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
  response_type=token%20id_token&
  login_hint=A7...777&
  client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
  origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
  scope=openid%20profile%20email&
  ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com
and the response is:
<syntaxhighlight lang='json'>
{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}
</syntaxhighlight>
After this, the client calls into the Protected Resource:
POST /.../oauth
and it gets a "JWT".

Latest revision as of 00:35, 17 May 2019

Internal

Overview

Call Sequences

Authorization Code Grant Type

Experimental:

GET accounts.google.com /o/oauth2/iframe

This returns the JS code that starts the "IDP Frame".

GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com

client_id value is hardcoded in the client application (js/gutil.js).

Response:

:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"

{"valid":true}

If the client is deemed valid:

GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

At this point we get "Sign in with Google" and the browser waits.

Upon clicking on "Sign in ..."

GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 response_type=code%20permission%20id_token&
 scope=openid%20profile%20email&openid.realm=&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 access_type=offline&
 include_granted_scopes=true&
 prompt=consent&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 as=K7777777777WNlU0OQ&
 destination=http://testclient.novaordis.s3.amazonaws.com&
 approval_state=!dfeereSU5....3NofFSA&
 oauthgdpr=1&
 xsrfsig=Me...34B

This is where the account pop-up shows.

This is a sign in:

POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j

Upon successful authentication:

GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 response_type=token%20id_token&
 login_hint=A7...777&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

and the response is:

{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}

After this, the client calls into the Protected Resource:

POST /.../oauth 

and it gets a "JWT".