Google OAuth 2.0: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (7 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
<font color=darkgray>Experimental:</font> | <font color=darkgray>Experimental:</font> | ||
GET /o/oauth2/iframe | GET accounts.google.com /o/oauth2/iframe | ||
GET /o/oauth2/iframerpc?action=checkOrigin&origin=http%3A%2F% | This returns the JS code that starts the "IDP Frame". | ||
GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin& | |||
origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& | |||
client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com | |||
client_id value is hardcoded in the client application (js/gutil.js). | client_id value is hardcoded in the client application (js/gutil.js). | ||
| Line 32: | Line 36: | ||
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39" | alt-svc: quic=":443"; ma=2592000; v="46,44,43,39" | ||
{"valid": | {"valid":true} | ||
</syntaxhighlight> | </syntaxhighlight> | ||
If the client is deemed valid: | If the client is deemed valid: | ||
GET /o/oauth2/iframerpc?action=listSessions&client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&origin=http%3A%2F% | GET accounts.google.com /o/oauth2/iframerpc?action=listSessions& | ||
client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& | |||
origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& | |||
scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com | |||
At this point we get "Sign in with Google" and the browser waits. | |||
Upon clicking on "Sign in ..." | |||
GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777& | |||
response_type=code%20permission%20id_token& | |||
scope=openid%20profile%20email&openid.realm=& | |||
client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& | |||
ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& | |||
access_type=offline& | |||
include_granted_scopes=true& | |||
prompt=consent& | |||
origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& | |||
gsiwebsdk=2 | |||
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& | |||
as=K7777777777WNlU0OQ& | |||
destination=http://testclient.novaordis.s3.amazonaws.com& | |||
approval_state=!dfeereSU5....3NofFSA& | |||
oauthgdpr=1& | |||
xsrfsig=Me...34B | |||
This is where the account pop-up shows. | |||
This is a sign in: | |||
POST accounts.google.com /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j | |||
Upon successful authentication: | |||
GET accounts.google.com /o/oauth2/iframerpc?action=issueToken& | |||
response_type=token%20id_token& | |||
login_hint=A7...777& | |||
client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& | |||
origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& | |||
scope=openid%20profile%20email& | |||
ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com | |||
and the response is: | |||
<syntaxhighlight lang='json'> | |||
{ | |||
"token_type":"Bearer", | |||
"access_token":"ka2...76O", | |||
"scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email", | |||
"login_hint":"7hD...Yb", | |||
"session_state":{"extraQueryParams":{"authuser":"0"}} | |||
} | |||
</syntaxhighlight> | |||
After this, the client calls into the Protected Resource: | |||
POST /.../oauth | |||
and it gets a "JWT". | |||
Latest revision as of 00:35, 17 May 2019
Internal
Overview
Call Sequences
Authorization Code Grant Type
Experimental:
GET accounts.google.com /o/oauth2/iframe
This returns the JS code that starts the "IDP Frame".
GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin& origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com
client_id value is hardcoded in the client application (js/gutil.js).
Response:
:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
{"valid":true}
If the client is deemed valid:
GET accounts.google.com /o/oauth2/iframerpc?action=listSessions& client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com
At this point we get "Sign in with Google" and the browser waits.
Upon clicking on "Sign in ..."
GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777& response_type=code%20permission%20id_token& scope=openid%20profile%20email&openid.realm=& client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& access_type=offline& include_granted_scopes=true& prompt=consent& origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& as=K7777777777WNlU0OQ& destination=http://testclient.novaordis.s3.amazonaws.com& approval_state=!dfeereSU5....3NofFSA& oauthgdpr=1& xsrfsig=Me...34B
This is where the account pop-up shows.
This is a sign in:
POST accounts.google.com /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j
Upon successful authentication:
GET accounts.google.com /o/oauth2/iframerpc?action=issueToken& response_type=token%20id_token& login_hint=A7...777& client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com& origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com& scope=openid%20profile%20email& ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com
and the response is:
{
"token_type":"Bearer",
"access_token":"ka2...76O",
"scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
"login_hint":"7hD...Yb",
"session_state":{"extraQueryParams":{"authuser":"0"}}
}
After this, the client calls into the Protected Resource:
POST /.../oauth
and it gets a "JWT".