How Google OAuth Works: Understanding Login with Google
Discover how Google OAuth authentication works behind the scenes. Learn about authorization codes, access tokens, refresh tokens, and the complete OAuth 2.0 flow.
When we visit a website, we often use the "Login with Google" button to log in or sign up. But have you ever wondered how the underlying technology works that lets us log in or sign up with just a few clicks?
Let's understand how the underlying technology of Google OAuth works.
The OAuth Flow: Step by Step
1. User Initiates Login
The process starts when the user clicks the "Login with Google" button on the website, which redirects the user to Google's authorization server.
2. Consent Screen
After the redirect, Google presents the user with a consent screen asking for permission to share certain information with the website.
3. Authorization Code
If the user grants the permissions, they are redirected back to the original website with an authorization code appended to the website's redirect URL.
4. Backend Processing
The website then sends this authorization code to the application's backend server.
5. Token Exchange
The server sends the authorization code to Google's token endpoint to request an Access Token and a Refresh Token. If the code is valid, Google returns both tokens.
What is a Refresh Token?
Refresh tokens allow websites to maintain the user's login status by obtaining new access tokens without requiring the user to re-authenticate, thus extending their session duration.
6. Fetching User Information
The server uses the access token to fetch the user's profile information from Google.
7. Login or Signup Decision
After getting the user information, two things can happen:
i. Login Flow
The user information already exists in the database, so the user logs in to the website.
ii. Signup Flow
If the user doesn't exist in our database, we create an entry for the user in our database and sign up the user on the website.
8. Token Storage
The access token and refresh token are stored securely on the application's backend server.
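The eight steps above, carried out by the website's backend, as an added example that is not part of the original post. Google's token and userinfo endpoints are replaced by an offline stand-in (FakeGoogle); the client id, redirect URI and authorization code are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"   # Google's real authorization endpoint
CLIENT_ID = "constructed-client-id.apps.googleusercontent.com"  # placeholder, not a real client
REDIRECT_URI = "https://app.example/oauth/callback"              # placeholder

def build_login_url(session):
    """Step 1: where the 'Login with Google' button sends the browser. The random
    state value is kept in the server-side session and checked on return."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": "openid email profile", "state": session["oauth_state"]}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def parse_callback(session, callback_url):
    """Steps 3-4: pull the authorization code out of the redirect URL; a callback
    whose state does not match the session is rejected (login CSRF protection)."""
    qs = parse_qs(urlparse(callback_url).query)
    expected, got = session.pop("oauth_state", None), qs.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(got, expected):
        raise ValueError("state mismatch")
    return qs["code"][0]

class FakeGoogle:
    """Offline stand-in for Google's token and userinfo endpoints (the real ones are
    called over HTTPS from the backend with the client secret, never from the browser)."""
    def __init__(self, codes):
        self.codes, self.tokens = dict(codes), {}   # code -> user claims it was issued for
    def exchange(self, code):                       # Step 5: code -> tokens
        user = self.codes.pop(code, None)           # every code is single-use
        if user is None:
            raise ValueError("invalid_grant")
        access, refresh = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.tokens[access] = user
        return {"access_token": access, "refresh_token": refresh}
    def userinfo(self, access_token):               # Step 6: access token -> user info
        return self.tokens[access_token]

def handle_callback(google, session, callback_url, users, token_store):
    """Steps 4-8: exchange the code, fetch the user, then log in or sign up.
    Returns (Google subject id, True if a new account was created)."""
    tokens = google.exchange(parse_callback(session, callback_url))
    info = google.userinfo(tokens["access_token"])
    created = info["sub"] not in users
    if created:                                     # Step 7.ii: signup
        users[info["sub"]] = {"email": info["email"], "name": info["name"]}
    token_store[info["sub"]] = tokens               # Step 8: tokens stay server-side
    return info["sub"], created

# Constructed sample: one authorization code "issued" for one user
SAMPLE_CODES = {"4/constructed-code": {"sub": "1234", "email": "alice@example.com", "name": "Alice"}}
```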
Visual Representation
[Figure: Google OAuth workflow diagram]
This whole process runs every time we click the Login with Google button!
Key Security Features
- Authorization codes are single-use and expire quickly
- Access tokens have a limited lifetime
- Refresh tokens enable seamless session management
- User data is never directly shared without explicit consent