Google OAuth 2.0

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Overview

Call Sequences

Authorization Code Grant Type

Experimental:

GET accounts.google.com /o/oauth2/iframe

This returns the JS code that starts the "IDP Frame".

GET accounts.google.com /o/oauth2/iframerpc?action=checkOrigin&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com

client_id value is hardcoded in the client application (js/gutil.js).

Response:

:status: 200
content-type: application/json; charset=utf-8
x-content-type-options: nosniff
expires: Thu, 16 May 2019 22:30:28 GMT
date: Thu, 16 May 2019 21:30:28 GMT
cache-control: public, max-age=3600
content-language: en-US
content-encoding: gzip
server: ESF
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"

{"valid":true}

If the client is deemed valid:

GET accounts.google.com /o/oauth2/iframerpc?action=listSessions&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

At this point we get "Sign in with Google" and the browser waits.

Upon clicking on "Sign in ..."

GET accounts.google.com /o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2Ftestclient.novaordis.s3.amazonaws.com%3Fid%3Dauth77777&
 response_type=code%20permission%20id_token&
 scope=openid%20profile%20email&openid.realm=&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 access_type=offline&
 include_granted_scopes=true&
 prompt=consent&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 gsiwebsdk=2
GET accounts.google.com /signin/oauth?client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 as=K7777777777WNlU0OQ&
 destination=http://testclient.novaordis.s3.amazonaws.com&
 approval_state=!dfeereSU5....3NofFSA&
 oauthgdpr=1&
 xsrfsig=Me...34B

This is where the account pop-up shows.

This is a sign in:

POST accounts.google.com  /_/signin/oauth?authuser=0&hl=en&_reqid=71777&rt=j

Upon successful authentication:

GET accounts.google.com /o/oauth2/iframerpc?action=issueToken&
 response_type=token%20id_token&
 login_hint=A7...777&
 client_id=7777777777777-a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a.apps.googleusercontent.com&
 origin=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com&
 scope=openid%20profile%20email&
 ss_domain=http%3A%2F%2Ftestclient.novaordis.s3.amazonaws.com

and the response is:

{
  "token_type":"Bearer",
  "access_token":"ka2...76O",
  "scope":"email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "login_hint":"7hD...Yb",
  "session_state":{"extraQueryParams":{"authuser":"0"}}
}

After this, the client calls into the Protected Resource:

POST /.../oauth 

and it gets a "JWT".