OAuth2 Authorization Framework
Signing in through an external service lets your application use the user's existing credentials with that provider instead of managing its own password store. You often see the following when logging in to your account with a service:
You will utilize what is called the OAuth2 authorization flow. OAuth2 is an authorization mechanism. It allows a web application such as yours to gain limited access to user accounts in various HTTP services (Microsoft, Google, etc.). So strictly speaking, OAuth2 is more about authorization than authentication.
The basic flow (for a Google account) is like this:
- Your web application redirects the browser to Google's OAuth2 login form, specifying your application URL (the redirect URL) to which the login form will redirect once it has completed the authentication.
- The end-user fills in their username & password in that Google login form.
- The Google login form gets submitted to Google server.
- Google validates the provided username & password.
- If all OK, Google redirects the browser back to your web application, passing (in the URL's query string) what's called an authorization code.
- The authorization code gets passed to your server program.
- Your server program sends the authorization code to the Google server and receives an access token in return.
- If an access token can be obtained successfully, the user has been successfully authenticated.
- Note that an access token carries the full authorization in its body. It does have an expiry date/time embedded in the body, however there is no way to cancel an access token. Access tokens must be kept secret, and they should never leave your server (that is, do not send access tokens to the browser).
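The server-side half of the flow above, as an added example that is not code from the original page: building the redirect to Google, checking the callback, and exchanging the code for an access token. The endpoint URLs are Google's current ones rather than values from the page, the `state` parameter is an assumed addition that ties the callback to the session that started it, and the HTTP POST is injected as a callable so the exchange can be exercised without network access.

```python
import secrets
import urllib.parse
from typing import Callable, Mapping

# Google's OAuth2 endpoints (assumed current values, not taken from the page).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Step 1: the URL your application redirects the browser to."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match what is registered for the client
        "response_type": "code",        # ask for an authorization code, not a token
        "scope": scope,                 # the limited access you are requesting
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 5/6: Google redirected back; pull the authorization code out of the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    # Reject callbacks that were not started by this session (cross-site request forgery).
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    return query["code"][0]


def exchange_code(code: str, client_id: str, client_secret: str, redirect_uri: str,
                  post: Callable[[str, Mapping[str, str]], Mapping[str, object]]) -> str:
    """Step 7: server-to-server exchange of the code for an access token.

    `post` performs the HTTPS POST and returns the decoded JSON body; the
    returned token stays on the server and is never handed to the browser.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,   # the secret lives only on your server
        "redirect_uri": redirect_uri,
    }
    response = post(TOKEN_ENDPOINT, body)
    if "access_token" not in response:
        raise RuntimeError("token exchange failed: " + str(response.get("error", "unknown")))
    return str(response["access_token"])
```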
Next: Generating OAuth2 Client Secret and Client ID