Google OAuth 2.0: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 11: Line 11:
<font color=darkgray>Experimental:</font>
<font color=darkgray>Experimental:</font>


  GET /o/oauth2/iframe
  GET accounts.google.com /o/oauth2/iframe


This returns the JS code that starts the "IDP Frame".
This returns the JS code that starts the "IDP Frame".


  GET /o/oauth2/iframerpc?action=checkOrigin&
  GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com
Line 41: Line 41:
If the client is deemed valid:
If the client is deemed valid:


  GET /o/oauth2/iframerpc?action=listSessions&
  GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
Line 50: Line 50:
Upon clicking on "Sign in ..."
Upon clicking on "Sign in ..."


  GET /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
  GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
   response_type=code%20permission%20id_token&
   response_type=code%20permission%20id_token&
   scope=openid%20profile%20email&openid.realm=&
   scope=openid%20profile%20email&openid.realm=&
Line 61: Line 61:
   gsiwebsdk=2
   gsiwebsdk=2


  GET /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
  GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
   as=K7777777777WNlU0OQ&
   as=K7777777777WNlU0OQ&
   destination=http://testclient.novaordis.s3.amazonaws.com&
   destination=http://testclient.novaordis.s3.amazonaws.com&
Line 67: Line 67:
   oauthgdpr=1&
   oauthgdpr=1&
   xsrfsig=Me...34B
   xsrfsig=Me...34B
This is where the account pop-up shows.
This is a sign in:
POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j
Upon successful authentication:
GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
  response_type=token%20id_token&
  login_hint=A7...777&
  client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
  origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
  scope=openid%20profile%20email&
  ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com
and the response is:
<syntaxhighlight lang='json'>
{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}
</syntaxhighlight>
After this, the client calls into the Protected Resource:
POST /.../oauth
and it gets a "JWT".

Latest revision as of 00:35, 17 May 2019

Internal

Overview

Call Sequences

Authorization Code Grant Type

Experimental:

GET accounts.google.com /o/oauth2/iframe

This returns the JS code that starts the "IDP Frame".

GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com

client_id value is hardcoded in the client application (js/gutil.js).

Response:

:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"

{"valid":true}

If the client is deemed valid:

GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

At this point we get "Sign in with Google" and the browser waits.

Upon clicking on "Sign in ..."

GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 response_type=code%20permission%20id_token&
 scope=openid%20profile%20email&openid.realm=&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 access_type=offline&
 include_granted_scopes=true&
 prompt=consent&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 as=K7777777777WNlU0OQ&
 destination=http://testclient.novaordis.s3.amazonaws.com&
 approval_state=!dfeereSU5....3NofFSA&
 oauthgdpr=1&
 xsrfsig=Me...34B

This is where the account pop-up shows.

This is a sign in:

POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j

Upon successful authentication:

GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 response_type=token%20id_token&
 login_hint=A7...777&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

and the response is:

{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}

After this, the client calls into the Protected Resource:

POST /.../oauth 

and it gets a "JWT".