Question

I am trying to implement OAuth for my web application for Google. I have worked on a POC and it is working fine, but I have a confusion and am not sure how best it can be achieved.

I am using the Scribe Java API for OAuth.

Here are the steps I am performing.

  1. Getting a request token from Google.
  2. Redirecting the user to Google to authenticate themselves and authorize my service to access a few of his/her details.
  3. Getting an access token from Google by providing the request token and the verification code given by Google.
  4. Accessing user info once Google provides the access token.

Now my main confusion is at step no. 3: since I am working on a web application, it will be a 2-step process.

  1. Redirecting the user to Google.
  2. Handling the redirect back from Google.

In order to get an access token I need to provide the same request token which I got at step 1, else my request is rejected by the user. The request token contains 2 things:

  1. Token --> which is based on the registered application, so not an issue.
  2. Secret --> this is always a random string, so it should be the same when asking for the access token.

That means I need to store this secret either in my session or somewhere else, so that I can access this secret when the user is being redirected back to my application.

My confusion is: since in order to save it in the session I have to create a unique key and some way to access it in the other action class which will handle the Google redirect back, how can I achieve this, since at a given time so many users can ask to log in using Google?

Any help in this regard will be much appreciated.

Thanks in advance.


Solution

When you receive the request token + token secret, use the request token as the unique key of your session to store the token information. After the authorization process, in the callback URL, you have access to the request token (it's one of the parameters passed to the callback URL). Using this parameter as the session key, you can restore the token information from the session, including the token secret, and use it to sign your request for exchanging the request token for an access token. After receiving the access token, a new token secret is returned to you and you can delete the old one from the session.

How can I achieve this, since at a given time so many users can ask to log in using Google?

This is not a problem, because every single user on your site is given a different request token.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow