user1409508

Reputation: 623

Google authentication step by step

I can't find anywhere how authentication with Google OAuth should look from start to end, what I should store in the database, and how.

I'm working on an application which lets the user log in using a Google account and grant permission to his Gmail account, and I'm not quite sure how everything should work step by step. I have 2 ideas:

#1

  1. User clicks on the "Google sign in" button
  2. Application asks for permission to https://www.googleapis.com/auth/userinfo.email and other services (Gmail etc.)
  3. In the response I get access_token, refresh_token and id_token
  4. I store the refresh_token and id_token in the database
  5. I generate a PHPSESSID and store it in the database
  6. Every time the user visits my website I check the database for the PHPSESSID and verify the id_token
  7. And here I have problems...

What if the user tries to log in from another browser or another PC? I'll need to update the refresh_token and id_token every time the user logs in to my application. Is it a good solution?

#2

  1. User clicks on the "Google sign in" button
  2. Application asks only for permission to https://www.googleapis.com
  3. In the response I get an id_token
  4. I store the id_token in the database
  5. I generate a PHPSESSID and store it in the database
  6. Every time the user visits my website I check the database for the PHPSESSID and verify the id_token
  7. After the user is logged in I ask him for permissions to other Google services (Gmail etc.)
  8. In the response I get a refresh_token and store it in the database

First of all, is it possible to ask twice for permissions for the same domain? In this solution I'll only need to update the id_token every time the user logs in to the application.

Or maybe there is a better way for such authentication?

Upvotes: 0

Views: 101

Answers (1)

Scarygami

Reputation: 15549

What you would want to do is store the refresh_token together with a unique identifier for the user (e.g. the Google user id, which you can read from the id_token) the first time a user signs in.

You can then use this refresh_token on the server side to get an access_token whenever you need one to call APIs on behalf of the user.

When a user comes to your site again and signs in (no matter what browser or device they are using), you only need to send the id_token to your server, extract the user id, check your datastore to see if a refresh_token already exists, and use it accordingly.

I wrote an article a while ago on some possible scenarios with server-side authentication: http://codingwithgerwin.blogspot.co.at/2015/04/google-sign-in-20-server-side.html (it uses Python on the server side, but it would be pretty much the same for PHP).

Upvotes: 1
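The server-side bookkeeping the answer describes, as an added example that is not code from the question, the answer, or the linked article (Python, since the article is server-side Python). It keys the stored refresh_token by the id_token's `sub` claim (the Google user id), so a returning user from any browser or device only has to present a fresh id_token, and it mints access tokens from the stored refresh_token on demand. Everything not on the page is an assumption: the in-memory `RefreshTokenStore`, the placeholder `CLIENT_ID`, the constructed `make_demo_id_token` and `fake_token_endpoint`, and `claims_stub`, which checks `iss`/`aud`/`exp` but skips signature verification so the demo runs offline; in production that stub is replaced by google-auth's `verify_oauth2_token`, which also verifies the RS256 signature against Google's published certificates. The `invalid_grant` handling shows the failure mode the answer's scheme needs to cover: a revoked refresh_token must be dropped so the next sign-in re-consents instead of failing forever.

```python
# Added example: server-side Google Sign-In bookkeeping keyed by Google user id.
# Not code from the question or answer. The store, CLIENT_ID, demo token and fake
# endpoint are constructed; TOKEN_ENDPOINT and the refresh_token grant are Google's.
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder, not real


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_stub(id_token: str, audience: str, now: Optional[int] = None) -> dict:
    """Decode the JWT payload and check iss / aud / exp / sub.

    Offline stand-in: it does NOT verify the signature. In production use
    google.oauth2.id_token.verify_oauth2_token(id_token, Request(), audience).
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("id_token was issued to a different client")
    if int(claims.get("exp", 0)) <= (int(time.time()) if now is None else now):
        raise ValueError("id_token expired")
    if not claims.get("sub"):
        raise ValueError("id_token has no subject")
    return claims


class RefreshTokenStore:
    """Google user id -> refresh_token; stands in for the database table."""

    def __init__(self) -> None:
        self._by_sub: Dict[str, str] = {}

    def get(self, sub: str) -> Optional[str]:
        return self._by_sub.get(sub)

    def put(self, sub: str, refresh_token: str) -> None:
        self._by_sub[sub] = refresh_token

    def delete(self, sub: str) -> None:
        self._by_sub.pop(sub, None)


def sign_in(store: RefreshTokenStore, id_token: str, claims_of: Callable[[str], dict],
            new_refresh_token: Optional[str] = None) -> Tuple[str, str]:
    """Record a sign-in and return (sub, outcome). A refresh_token only arrives
    with a consented authorization-code exchange (normally the first sign-in);
    later sign-ins from any device send just the id_token and "sub" finds it."""
    sub = claims_of(id_token)["sub"]
    if new_refresh_token:
        store.put(sub, new_refresh_token)  # first sign-in or re-consent
        return sub, "stored_refresh_token"
    if store.get(sub) is None:
        return sub, "needs_consent"  # signed in, but no API access yet
    return sub, "known_user"


def get_access_token(store: RefreshTokenStore, sub: str, client_secret: str,
                     post: Callable[[str, dict], dict]) -> Optional[str]:
    """Mint an access_token from the stored refresh_token. post(url, form) -> JSON
    is injected so this runs offline; in production pass
    lambda u, d: requests.post(u, data=d).json()."""
    refresh_token = store.get(sub)
    if refresh_token is None:
        return None
    resp = post(TOKEN_ENDPOINT, {"grant_type": "refresh_token",
                                 "refresh_token": refresh_token,
                                 "client_id": CLIENT_ID, "client_secret": client_secret})
    if "error" in resp:
        if resp["error"] == "invalid_grant":
            store.delete(sub)  # revoked/expired: next sign_in reports needs_consent
        return None
    return resp["access_token"]


# Constructed demo inputs, not real Google tokens.
def make_demo_id_token(sub: str, exp: int, aud: str = CLIENT_ID) -> str:
    """Unsigned JWT with Google-shaped claims; only claims_stub accepts it."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"iss": "https://accounts.google.com", "aud": aud, "sub": sub,
                   "exp": exp, "iat": exp - 3600})
    return f"{header}.{payload}.not-a-real-signature"


def fake_token_endpoint(url: str, body: dict) -> dict:
    """Answers like Google's token endpoint for one known refresh_token."""
    if url == TOKEN_ENDPOINT and body.get("refresh_token") == "1//demo-refresh":
        return {"access_token": "ya29.demo-access", "expires_in": 3599, "token_type": "Bearer"}
    return {"error": "invalid_grant", "error_description": "Token has been expired or revoked."}
```

Only the `sub`-to-refresh_token mapping lives in the database; the id_token itself is verified on every sign-in and never stored, and the short-lived access_token is fetched when needed rather than persisted, which is what makes the same record serve every browser and device the user signs in from.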
