#OAuth2


fallow thunder

I can't understand how it works. Like, I watched lots of videos and still can't understand the whole process in detail. Like, I know it helps you not to type your Gmail into a website you don't believe in, but in detail how it works, what the code is which is sent by Google, like where it gets sent, how the token system works, I don't know.
Help me, please.
How can I learn?

marsh jay

oauth is a protocol between three parties.

One is the end-user, another is the consumer app (you in this scenario), and finally you have the provider app (google, facebook, microsoft, github ...).

oauth is used for two main purposes:

  1. as an identity provider. The consumer app doesn't want to make people sign up, so they use oauth to let people connect with their google account, making signing up easier. That's what happens when you use "Sign in with [external service]" on any app
  2. to let the consumer app do actions in the provider app as if they were the end-user. When you give an app access to your google drive for example, you are not sharing your drive like you would share it with another user, you give them access to your drive as if they were you.

When a user wants to connect with a provider you've implemented, here is what happens:

  • your app gives the user a link to google's platform. This link contains the identifier of your app in google's system, the authorizations your app wants, and the url to go back to once the user is authenticated with google and has given google the authorization to give you the permissions you seek.
  • the user follows this link to google's website, and is asked to sign into their google account if they weren't already. Then, google asks them to click a button confirming they want to give you access to their account.
  • If the user agrees, google generates a temporary token and gives it to the user
  • the user goes back to your app following the url you gave in step one, giving you the temporary token.
  • with this temporary code, your backend now contacts google's backend directly with the token. Google will answer with the final access token/refresh token pair, which you can store and use henceforth to do all the actions the user allowed you to do on their behalf.
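As an added example that is not part of the answer above, here is a toy Python simulation of those five steps: a stand-in for the provider's side and a consumer app, with constructed app identifier, secret and URLs. It goes slightly beyond the steps as written by making the temporary code single-use and short-lived and by checking a `state` value on the way back, which is how a real consumer app tells its own callback apart from a link someone else pasted in.

```python
import secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

CLIENT_ID = "demo-app"                              # constructed app identifier
CLIENT_SECRET = "demo-secret"                       # constructed; lives only on the backend
REDIRECT_URI = "https://consumer.example/callback"  # constructed "go back to" url

class Provider:
    """Toy stand-in for google's side: mints one-time codes, then tokens."""
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, state):
        # steps 2-3: user is signed in and clicked "allow"; issue a short-lived code
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, client_secret, redirect_uri):
        # step 5: backend-to-backend exchange; code is single-use and bound to the app
        entry = self.codes.pop(code, None)
        if entry is None or client_secret != CLIENT_SECRET:
            return None
        cid, uri, scope, expiry = entry
        if cid != client_id or uri != redirect_uri or time.time() > expiry:
            return None
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        return {"access_token": access, "refresh_token": refresh, "scope": scope}

def build_auth_link(state):
    # step 1: the link the consumer app hands to the user's browser
    return "https://provider.example/auth?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "drive.read", "response_type": "code", "state": state})

def handle_callback(provider, callback_url, expected_state):
    # step 4: the user comes back carrying the code; drop it if state does not match
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state or "code" not in q:
        return None
    return provider.token(q["code"][0], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)

def run_flow(provider):
    # drive all five steps; returns the token pair the backend would store
    state = secrets.token_urlsafe(8)
    p = parse_qs(urlparse(build_auth_link(state)).query)
    callback = provider.authorize(p["client_id"][0], p["redirect_uri"][0],
                                  p["scope"][0], p["state"][0])
    return handle_callback(provider, callback, state)
```

The temporary code never grants access by itself: only the backend, holding the secret, can turn it into tokens, and a second attempt with the same code is refused.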
#

Usually, you don't implement the whole protocol yourself; you use a library like passportjs that does the heavy lifting for you.
You just have to understand what oauth is used for, to know if you need it or not.