Google OAuth 2.0

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Internal

Overview

Call Sequences

Authorization Code Grant Type

Experimental:

GET accounts.google.com /o/oauth2/iframe

This returns the JS code that starts the "IDP Frame".

GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com

client_id value is hardcoded in the client application (js/gutil.js).

Response:

:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"

{"valid":true}

If the client is deemed valid:

GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

At this point we get "Sign in with Google" and the browser waits.

Upon clicking on "Sign in ..."

GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 response_type=code%20permission%20id_token&
 scope=openid%20profile%20email&openid.realm=&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 access_type=offline&
 include_granted_scopes=true&
 prompt=consent&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 as=K7777777777WNlU0OQ&
 destination=http://testclient.novaordis.s3.amazonaws.com&
 approval_state=!dfeereSU5....3NofFSA&
 oauthgdpr=1&
 xsrfsig=Me...34B

This is where the account pop-up shows.

This is a sign in:

POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j

Upon successful authentication:

GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 response_type=token%20id_token&
 login_hint=A7...777&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

and the response is:

{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}

After this, the client calls into the Protected Resource:

POST /.../oauth 

and it gets a "JWT".