Skip to main content
HashnodeRahul's Log

Command Palette

Search for a command to run...

"Login with Google": A Beginner’s Guide to OAuth

Published
4 min read
R
Rahul Choudhary

We have all done it. You visit a new website—maybe a cool new productivity tool or a shopping site—and instead of creating a whole new username and password, you just click that convenient “Sign in with Google” button.

It feels like magic. You click, you say "Yes," and suddenly you are logged in.

But behind the scenes, a very specific, secure "digital handshake" is happening. This process is called OAuth (specifically the Authorization Code Flow).

If you are just starting your tech journey, the distinction between the Frontend (what the user sees), the Backend (the server), and Google can get blurry. Let’s break down exactly what happens in that split second, using the steps you provided.

The Cast of Characters

Before we start the story, let's identify the players:

  • The User: You, sitting at your computer.

  • The Frontend: The website in your browser (React, Vue, plain HTML).

  • The Backend: The server ensuring security (Node.js, Python, Java).

  • The Authority: Google (the one holding your identity).

The 8-Step Handshake

Imagine this scenario like entering an exclusive club. The club (your app) wants to let you in, but they don't want to manage their own ID cards. They trust the ID cards issued by the government (Google).

Phase 1: The Setup

1. The Click You click "Login with Google" on the Frontend. You are telling the app, "I want to come in, but I want Google to vouch for me."

2. Asking for Directions The Frontend hits pause. It doesn't know exactly how to talk to Google securely yet. So, it sends a message to its own Backend asking, "Hey, the user wants to log in. Where do I send them?"

3. Constructing the Link The Backend is the smart coordinator. It builds a very specific URL. It’s like writing a formal letter of introduction. This URL includes:

  • Client ID: The app's ID badge (so Google knows who is asking).

  • Redirect URI: This is crucial. It tells Google, "Once the user is done, send them specifically to this callback endpoint on our backend."

  • Scope: What info do we want? (e.g., just email and profile).

  • Response Type: We ask for a "code" (more on this later!).

The Backend sends this long, complex URL back to the Frontend.

Phase 2: The Trip to Google

4. The Redirection The Frontend receives the URL and immediately redirects your browser to it. You leave the application's website and land on Google's server.

5. The Consent

You are now talking directly to Google. You enter your password (or use FaceID) and see that consent screen: "ExampleApp wants to view your email address." You click Allow.

Note: The application never sees your Google password. That stays between you and Google.

Phase 3: The "Ticket" Exchange (The Tricky Part)

6. The Temporary Code This is where beginners often get confused. Google does not send your ID badge (Token) back to the browser immediately. That would be unsafe because browsers can be insecure.

Instead, Google generates a short-lived Authorization Code. Think of this like a Claim Ticket at a coat check. It proves you approved the login, but it isn't the key itself.

Google redirects your browser back to that redirect_uri (the Backend's callback endpoint) and attaches this code to the URL (e.g., www.myapp.com/callback?code=abc123XYZ).

7. Passing the Ticket Your browser automatically follows that link, effectively handing that "Claim Ticket" (Code) to the Backend.

Phase 4: The Secure Swap

8. Server-to-Server Exchange Now the Backend takes over. It has the Claim Ticket. It calls Google directly (server-to-server, behind the scenes). The Backend says: "Hey Google, I have this code from the user, and here is my Client Secret (password) to prove I am the real app. Can I have the keys now?"

9. The Access Token Google verifies the code and the secret. If everything matches, Google replies with the Access Token (and usually an ID Token).

  • Access Token: The actual key used to fetch your data.

  • ID Token: A badge that confirms "This is definitely John Doe."

Now, the Backend logs you in, creates a session, and tells the Frontend, "They are good to go!"

Why do we do the "Code" swap?

You might wonder: Why didn't Google just send the Access Token to the browser in Step 6? Why the extra step with the code?

Security. If Google sent the powerful Access Token to your browser URL, it could be leaked in browser history or stolen by malicious scripts. By sending a Code instead, we force the final exchange to happen on the Backend, where we can hide our "Client Secret" and ensure that only our server gets the keys to your data.

#programming-blogs

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

R

Rahul's Log

8 posts