Difference between revisions of "Google OAuth 2.0"

From NovaOrdis Knowledge Base
Jump to: navigation, search
(Authorization Code Grant Type)
(Authorization Code Grant Type)
Line 11: Line 11:
 
<font color=darkgray>Experimental:</font>
 
<font color=darkgray>Experimental:</font>
  
  GET /o/oauth2/iframe
+
  GET accounts.google.com /o/oauth2/iframe
  
 
This returns the JS code that starts the "IDP Frame".
 
This returns the JS code that starts the "IDP Frame".
  
  GET /o/oauth2/iframerpc?action=checkOrigin&
+
  GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com
 
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com
Line 41: Line 41:
 
If the client is deemed valid:
 
If the client is deemed valid:
  
  GET /o/oauth2/iframerpc?action=listSessions&
+
  GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 
   client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 
   origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
Line 50: Line 50:
 
Upon clicking on "Sign in ..."
 
Upon clicking on "Sign in ..."
  
  GET /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
+
  GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 
   response_type=code%20permission%20id_token&
 
   response_type=code%20permission%20id_token&
 
   scope=openid%20profile%20email&openid.realm=&
 
   scope=openid%20profile%20email&openid.realm=&
Line 61: Line 61:
 
   gsiwebsdk=2
 
   gsiwebsdk=2
  
  GET /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
+
  GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 
   as=K7777777777WNlU0OQ&
 
   as=K7777777777WNlU0OQ&
 
   destination=http://testclient.novaordis.s3.amazonaws.com&
 
   destination=http://testclient.novaordis.s3.amazonaws.com&
Line 69: Line 69:
  
 
This is where the account pop-up shows.
 
This is where the account pop-up shows.
 +
 +
This is a sign in:
 +
 +
POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j
 +
 +
Upon successful authentication:
 +
 +
GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 +
  response_type=token%20id_token&
 +
  login_hint=A7...777&
 +
  client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 +
  origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 +
  scope=openid%20profile%20email&
 +
  ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com
 +
 +
and the response is:
 +
 +
<syntaxhighlight lang='json'>
 +
 +
{
 +
  "token_type":"Bearer",
 +
  "access_token":"ka2...76O",
 +
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
 +
  "login_hint":"7hD...Yb",
 +
  "session_state":{"extraQueryParams":{"authuser":"0"}}
 +
}
 +
</syntaxhighlight>

Revision as of 00:34, 17 May 2019

Internal

Overview

Call Sequences

Authorization Code Grant Type

Experimental:

GET accounts.google.com /o/oauth2/iframe

This returns the JS code that starts the "IDP Frame".

GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com

client_id value is hardcoded in the client application (js/gutil.js).

Response:

:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"

{"valid":true}

If the client is deemed valid:

GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

At this point we get "Sign in with Google" and the browser waits.

Upon clicking on "Sign in ..."

GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 response_type=code%20permission%20id_token&
 scope=openid%20profile%20email&openid.realm=&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 access_type=offline&
 include_granted_scopes=true&
 prompt=consent&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 as=K7777777777WNlU0OQ&
 destination=http://testclient.novaordis.s3.amazonaws.com&
 approval_state=!dfeereSU5....3NofFSA&
 oauthgdpr=1&
 xsrfsig=Me...34B

This is where the account pop-up shows.

This is a sign in:

POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j

Upon successful authentication:

GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 response_type=token%20id_token&
 login_hint=A7...777&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

and the response is:

{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}