@sarahwalters
Created February 10, 2017 22:05
1. When you set up MyApp, you register it with Google. Google gives MyApp an APP_ID and an APP_SECRET, which you store in a credentials file (not in version control!)
2. Alice wants to use MyApp & clicks your "Log in using Google" button.
3. MyApp responds REDIRECT google.com/oauth2/auth?client_id=APP_ID&redirect_uri=myapp.com/oauth_response
- MyApp was given an APP_ID when you registered it with Google
- You specified the redirect_uri myapp.com/oauth_response & you wrote a route at /oauth_response to be called once the OAuth process is complete
- Sometimes this REDIRECT link also includes "scopes" -- limits on the information MyApp wants to access from Google
4. When Google receives that REDIRECT, it looks MyApp up by its APP_ID and makes a session linking MyApp to your redirect_uri myapp.com/oauth_response.
- The session is to persist the information about MyApp through the next login step
5. If Alice isn't logged into Google, Google responds REDIRECT google.com/login -- displays a login form where Alice logs in. If Alice is already logged in, Google skips this step.
6. Once Alice is logged in, Google shows a page saying "MyApp wants to access information about your Google account. Do you authorize?" Alice clicks "yes".
7. Google generates a one-time-use code that it associates with Alice & MyApp and redirects to the MyApp redirect_uri with the one-time-use code: REDIRECT myapp.com/oauth_response?code=big_long_thing
- This code is NOT the AccessToken for Alice's Google information -- MyApp hasn't provided its app secret yet, so Google can't safely make Alice's information available to MyApp yet.
8. When MyApp receives GET myapp.com/oauth_response?code=big_long_thing, it makes a server-to-server request (not a browser REDIRECT) with both its APP_ID and its APP_SECRET, to prove its identity: GET google.com/oauth2/token?client_id=APP_ID&client_secret=APP_SECRET&code=big_long_thing
9. Google verifies & invalidates the one-time-use code and responds with an AccessToken for Alice's Google information. MyApp can use that token to make Google API requests on Alice's behalf (to get information about Alice or to take actions within Google services for her -- anything that was part of the scope of the arrangement)
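A runnable model of steps 3 through 9, added here as an example and not part of the original gist: the Google side is a stand-in class with an in-memory code table, the server-to-server token exchange is a direct function call instead of an HTTP request, and the client id, secret and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

APP_ID = "myapp-client-id"          # constructed placeholder, not a real credential
APP_SECRET = "myapp-client-secret"  # constructed placeholder; load from a credentials file in practice
REDIRECT_URI = "https://myapp.com/oauth_response"

class FakeGoogle:
    """Stand-in for the provider: knows registered apps, issues one-time codes, exchanges them."""
    def __init__(self):
        self.clients = {APP_ID: (APP_SECRET, REDIRECT_URI)}  # registration from step 1
        self.codes = {}                                      # code -> (client_id, user)

    def authorize(self, client_id, redirect_uri, user):
        # Steps 4 and 7: look the app up by id, check redirect_uri against the registered one,
        # then hand back the redirect carrying a fresh one-time code bound to (app, user).
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, user)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code):
        # Step 9: the app proves its identity with the secret first; the code is then
        # consumed (pop), so a replayed or leaked code is useless afterwards.
        if self.clients.get(client_id, (None,))[0] != client_secret:
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "user": entry[1]}

def build_auth_url():
    # Step 3: the redirect MyApp sends Alice's browser to (note: no secret in this URL)
    params = {"response_type": "code", "client_id": APP_ID, "redirect_uri": REDIRECT_URI}
    return "https://google.com/oauth2/auth?" + urlencode(params)

def handle_oauth_response(google, callback_url):
    # Step 8: the /oauth_response route pulls the code from the query string and exchanges
    # it on the back channel, which is the only place APP_SECRET is ever sent.
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    if code is None:
        return {"error": "missing_code"}
    return google.token(APP_ID, APP_SECRET, code)
```

Exchanging the same callback URL twice returns `invalid_grant`, which is the behaviour step 9 relies on: whoever sees the code in Alice's browser history or a proxy log cannot turn it into a token without MyApp's secret, and not at all once MyApp has used it.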