Google OAuth 2.0

From NovaOrdis Knowledge Base
Latest revision as of 00:35, 17 May 2019

Internal

Overview

Call Sequences

Authorization Code Grant Type

Experimental:

GET accounts.google.com /o/oauth2/iframe

This returns the JS code that starts the "IDP Frame".

GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com

The client_id value is hardcoded in the client application (js/gutil.js).

Response:

:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"

{"valid":true}

If the client is deemed valid:

GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

At this point the "Sign in with Google" button is rendered and the browser waits for the user.

Upon clicking on "Sign in ...":

GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 response_type=code%20permission%20id_token&
 scope=openid%20profile%20email&openid.realm=&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 access_type=offline&
 include_granted_scopes=true&
 prompt=consent&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 gsiwebsdk=2

GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 as=K7777777777WNlU0OQ&
 destination=http://testclient.novaordis.s3.amazonaws.com&
 approval_state=!dfeereSU5....3NofFSA&
 oauthgdpr=1&
 xsrfsig=Me...34B

This is where the account pop-up shows.

This is the sign-in request:

POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j

Upon successful authentication:

GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 response_type=token%20id_token&
 login_hint=A7...777&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

and the response is:

{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}

After this, the client calls into the Protected Resource:

POST /.../oauth

and it gets back a JWT.
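The captured sequence above is only useful to a reviewer if the parameters that tie the requests together actually agree with each other: the client origin asserted to checkOrigin, the ss_domain and origin on the later iframerpc calls, the origin encoded in the storagerelay redirect_uri, the destination on the /signin/oauth hop, the client_id on every request, and the scope finally granted in the issueToken response versus the scope that was requested. The following script is an added example, not part of this page or of any Google SDK. It reconstructs the captured request lines (joined from their continuation lines, values elided on the page kept as elided) and the captured issueToken body, parses them, and reports whether those cross-request invariants hold; the function and constant names are the example's own.

```python
"""Consistency checks over the captured Google OAuth 2.0 browser sign-in sequence.

Added example (not the page's own code). Parses the request lines captured
above and checks that every asserted client origin agrees, that one client_id
is used throughout, and that the granted scope covers the requested scope.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Values taken from the captured requests on this page (percent-encoded as captured).
CLIENT_ID = "7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com"
ORIGIN_ENC = "http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com"
REDIRECT_ENC = "storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777"

# Constructed from the page's capture: each multi-line request joined into one target.
CAPTURED_REQUESTS = [
    "GET accounts.google.com /o/oauth2/iframe",
    f"GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&origin={ORIGIN_ENC}&client_id={CLIENT_ID}",
    f"GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&client_id={CLIENT_ID}&"
    f"origin={ORIGIN_ENC}&scope=openid%20profile%20email&ss_domain={ORIGIN_ENC}",
    f"GET accounts.google.com /o/oauth2/auth?redirect_uri={REDIRECT_ENC}&"
    f"response_type=code%20permission%20id_token&scope=openid%20profile%20email&openid.realm=&"
    f"client_id={CLIENT_ID}&ss_domain={ORIGIN_ENC}&access_type=offline&"
    f"include_granted_scopes=true&prompt=consent&origin={ORIGIN_ENC}&gsiwebsdk=2",
    f"GET accounts.google.com /signin/oauth?client_id={CLIENT_ID}&as=K7777777777WNlU0OQ&"
    "destination=http://testclient.novaordis.s3.amazonaws.com&"
    "approval_state=!dfeereSU5....3NofFSA&oauthgdpr=1&xsrfsig=Me...34B",
    "POST accounts.google.com /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j",
    f"GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&response_type=token%20id_token&"
    f"login_hint=A7...777&client_id={CLIENT_ID}&origin={ORIGIN_ENC}&"
    f"scope=openid%20profile%20email&ss_domain={ORIGIN_ENC}",
]

# The issueToken response body as captured on the page (token values elided there).
ISSUE_TOKEN_RESPONSE = """{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}"""

REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+(\S+)$")


def parse_request(line):
    """Split 'METHOD host /path?query' into its parts, percent-decoding the query."""
    match = REQUEST_LINE.match(line.strip())
    if match is None:
        raise ValueError(f"unrecognised request line: {line!r}")
    method, host, target = match.groups()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"method": method, "host": host, "path": parts.path, "params": params}


def storagerelay_origin(redirect_uri):
    """Recover the client origin from a storagerelay://<scheme>/<host>?id=... redirect_uri."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "storagerelay":
        raise ValueError(f"not a storagerelay redirect_uri: {redirect_uri!r}")
    return f"{parts.netloc}://{parts.path.lstrip('/')}"


def scopes_cover(requested, granted):
    """True when every requested (space-separated) scope appears in the granted scope string."""
    return set(requested.split()) <= set(granted.split())


def audit(request_lines, token_response_body):
    """Cross-check the whole sequence and return the findings as a dict."""
    requests = [parse_request(line) for line in request_lines]
    origins, client_ids, requested_scopes = set(), set(), set()
    for request in requests:
        params = request["params"]
        for key in ("origin", "ss_domain", "destination"):
            if key in params:
                origins.add(params[key])
        if "redirect_uri" in params:
            origins.add(storagerelay_origin(params["redirect_uri"]))
        if "client_id" in params:
            client_ids.add(params["client_id"])
        if "scope" in params:
            requested_scopes.update(params["scope"].split())
    token = json.loads(token_response_body)
    return {
        "hosts": sorted({r["host"] for r in requests}),
        "single_origin": len(origins) == 1,
        "origin": next(iter(origins)) if len(origins) == 1 else None,
        "single_client_id": len(client_ids) == 1,
        "requested_scopes": sorted(requested_scopes),
        "token_type": token.get("token_type"),
        "scopes_covered": scopes_cover(" ".join(requested_scopes), token.get("scope", "")),
    }


if __name__ == "__main__":
    for key, value in audit(CAPTURED_REQUESTS, ISSUE_TOKEN_RESPONSE).items():
        print(f"{key}: {value}")
```

Running the script over the page's own capture reports one host (accounts.google.com), a single consistent client origin, a single client_id, and a granted scope that covers the requested openid, profile and email. If a capture of your own sign-in flow yields more than one origin or client_id, that is the first thing to look at: the checkOrigin step only validates the origin it was given, so a mismatch between that origin and the redirect_uri or ss_domain on later requests means the sequence is not the one the client registration authorised.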