
OpenID Connect with Google code flow

Alexandr Moroz edited this page Jul 5, 2014 · 12 revisions

Google OpenID Connect manual

Code flow:

Authentication flow

  1. Create a state token (an anti-Cross-Site Request Forgery token, CSRF token)

Either a string of 30+ characters from a cryptographically secure random generator, or a keyed hash (HMAC) of the session's state variables computed with a secret that only the back end knows. When the Identity Provider redirects back, the value must be checked: compared with the copy kept in the user's session, or recomputed with the secret. A request whose `state` does not check out must be rejected before the code in it is used.

  2. Send the authentication request to the Identity Provider, carrying the CSRF token in `state`

These are the query parameters of the request to `https://accounts.google.com/o/oauth2/auth`. `response_type=code` selects the code flow; `scope` must contain `openid` for an ID token to be issued; `redirect_uri` must exactly match one registered for the client; `state` carries the token from step 1 (here together with the page to return to after login). `login_hint` pre-fills the account chooser, `hd` restricts sign-in to one Google Apps domain, and `openid.realm` is only needed when migrating users from OpenID 2.0.

```
client_id=424911365001.apps.googleusercontent.com&
response_type=code&
scope=openid%20email&
redirect_uri=https://oa2cb.example.com/&
state=security_token%3D138r5719ru3e1%26url%3Dhttps://oa2cb.example.com/myHome&
login_hint=jsmith@example.com&
openid.realm=example.com&
hd=example.com
```
  3. Login request: the full URL the browser is redirected to. It must include the `scope` parameter specifying the permissions the application is requesting (here the e-mail and profile scopes). For the code flow `response_type` must be `code`; `response_type=token` would request the implicit flow, in which an access token is returned in the URL fragment instead of a code. Note that in a real request `state` must carry the token from step 1, not only a return path as in this demo URL:

https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&state=%2F&redirect_uri=https%3A%2F%2Foauthssodemo.appspot.com%2Foauthcallback&response_type=code&client_id=8819981768.apps.googleusercontent.com

  4. Retrieve token. After the user has authenticated and consented, the authorization server redirects the browser to `redirect_uri` with `code` and `state` in the query string (or `error`, for example `access_denied`, if the user declined). Verify `state` against the token from step 1 before doing anything with the code. Then exchange the code server to server: POST to `https://accounts.google.com/o/oauth2/token` with `code`, `client_id`, `client_secret`, `redirect_uri` and `grant_type=authorization_code`. The JSON response contains `access_token`, `expires_in`, `token_type` and, because `openid` was requested, `id_token`. Unlike the implicit flow, the access token never passes through the browser, and the code is single-use.

  5. Validate token. To validate a token, send it to the Google endpoint at https://accounts.google.com/o/oauth2/tokeninfo (`?access_token=...`; the endpoint also accepts `?id_token=...` and verifies the ID token's signature for you). The endpoint responds with a JSON object that contains the following info:

  • issued_to: the client ID of the application the token was issued to
  • scope: the space-separated list of granted scopes
  • audience: the client ID the token is intended for. It must equal your own client ID; a valid Google token issued to a different application (or leaked from it) must not be accepted as a login to yours
  • user_id: the identifier of the user
  • expires_in: the remaining lifetime of the token in seconds

  Reject the token unless `audience` is your client ID and `expires_in` is positive; a non-2xx response means the token is invalid or expired.
  6. Get userinfo. After the token has been validated, retrieve the user's profile from the endpoint at https://www.googleapis.com/oauth2/v1/userinfo. The request must carry the access token either in the query string (`?access_token=...`) or, preferably, in the `Authorization: Bearer ...` header, which keeps it out of access logs and Referer headers. The Google endpoint responds with a JSON object that contains the following fields:
  • id: the stable Google ID of the user; use this, not the e-mail, as the key of the local account
  • email: the e-mail address of the user
  • verified_email: whether Google has verified that address; treat the e-mail as unverified input unless this is true
  • name: the full name of the user
  • given_name: the first name of the user
  • family_name: the last name of the user
  • link: a link to the user's profile
  • picture: the URL of the user's profile picture
  • gender: the gender of the user
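The six steps above, wired together in Python as an added example (this is not code from the wiki or from Google). The endpoint URLs are Google's documented OAuth 2.0 endpoints; `CLIENT_ID`, `CLIENT_SECRET`, `REDIRECT_URI`, `STATE_SECRET`, the session id and the sample tokeninfo response are constructed placeholders, so the file runs offline. The state token is the keyed-hash variant from step 1, additionally bound to the user's session; the token exchange and userinfo calls are prepared as request bodies/headers rather than sent.

```python
"""Google OpenID Connect authorization-code flow helpers (offline example)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Google's documented OAuth 2.0 endpoints (same as in the steps above).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
TOKENINFO_ENDPOINT = "https://accounts.google.com/o/oauth2/tokeninfo"
USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v1/userinfo"

# Constructed placeholders, not real credentials.
CLIENT_ID = "424911365001.apps.googleusercontent.com"
CLIENT_SECRET = "client-secret-placeholder"            # server side only
REDIRECT_URI = "https://oa2cb.example.com/"
STATE_SECRET = b"backend-only-secret-for-the-state-hmac"


def make_state(session_id: str, return_url: str) -> str:
    """Step 1: state = nonce|session|return_url|HMAC keyed with a back-end secret.
    The nonce makes it unguessable, the HMAC proves this server minted it, and
    the session id binds it to the browser that started the login."""
    nonce = secrets.token_urlsafe(24)                   # 32 URL-safe characters
    payload = f"{nonce}|{session_id}|{return_url}"
    mac = hmac.new(STATE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_state(state: str, session_id: str) -> str:
    """Recompute the HMAC (constant-time compare) and check the session binding.
    Returns the embedded return URL; raises ValueError on any mismatch (CSRF)."""
    try:
        nonce, sid, rest = state.split("|", 2)
        return_url, mac = rest.rsplit("|", 1)          # URL may itself contain '|'
    except ValueError:
        raise ValueError("malformed state") from None
    payload = f"{nonce}|{sid}|{return_url}"
    expected = hmac.new(STATE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or sid != session_id:
        raise ValueError("state check failed: possible CSRF")
    return return_url


def build_auth_url(state: str, login_hint: str = "", hd: str = "") -> str:
    """Steps 2-3: response_type=code selects the code flow; openid in scope
    makes Google issue an ID token alongside the access token."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": "openid email", "redirect_uri": REDIRECT_URI, "state": state}
    if login_hint:
        params["login_hint"] = login_hint
    if hd:
        params["hd"] = hd                               # one Google Apps domain only
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session_id: str) -> tuple[dict, str]:
    """Step 4: parse ?code=...&state=..., verify state BEFORE touching the code,
    and return the form body to POST to TOKEN_ENDPOINT plus the return page."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return_url = verify_state(qs.get("state", [""])[0], session_id)
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    body = {"code": qs["code"][0], "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI,
            "grant_type": "authorization_code"}
    return body, return_url


def validate_tokeninfo(info: dict) -> str:
    """Step 5: audience MUST be our client id, otherwise a valid Google token
    issued to some other application would log its holder in here."""
    if info.get("audience") != CLIENT_ID:
        raise ValueError("audience mismatch: token issued for another client")
    if int(info.get("expires_in", 0)) <= 0:
        raise ValueError("token expired")
    if not info.get("user_id"):
        raise ValueError("tokeninfo has no user_id")
    return info["user_id"]


def userinfo_request(access_token: str) -> dict:
    """Step 6: Authorization header, not the query string, so the token does
    not end up in access logs or Referer headers."""
    return {"url": USERINFO_ENDPOINT,
            "headers": {"Authorization": f"Bearer {access_token}"}}


def account_from_userinfo(info: dict) -> dict:
    """Key the local account on the stable `id`; trust the e-mail only when verified."""
    if not info.get("verified_email"):
        raise ValueError("e-mail not verified by Google")
    return {"google_id": info["id"], "email": info["email"], "name": info.get("name")}


if __name__ == "__main__":
    sid = "session-abc123"                              # constructed session id
    state = make_state(sid, "https://oa2cb.example.com/myHome")
    print(build_auth_url(state, login_hint="jsmith@example.com", hd="example.com"))
    callback = f"{REDIRECT_URI}?code=4/constructed-code&state={quote(state, safe='')}"
    body, back = handle_callback(callback, sid)
    print("POST", TOKEN_ENDPOINT, body["grant_type"], "then redirect to", back)
    sample = {"issued_to": CLIENT_ID, "audience": CLIENT_ID, "scope": "openid email",
              "user_id": "1234567890", "expires_in": 3599}   # constructed response
    print("user_id:", validate_tokeninfo(sample))
```

A tampered or cross-session `state`, a callback carrying `error`, and a tokeninfo response whose `audience` is another client's ID all raise before any token is used; those are the three failure modes a callback handler most often gets wrong.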