
I am facing an issue understanding the OAuth2 flow. A user (identified by a user_id) initiates the Google Accounts connection in the browser. The request is passed to a servlet that sends a redirect string to the client (JavaScript), which in turn redirects the user to that auth URL. On user consent, the response is returned to the callback URL (mapped to a servlet). My confusion here is: when the callback servlet is called, how do I identify which user (user_id) this authCode belongs to? Do I have to use the state param of OAuth2?

Please help.

zee
  • This can be hard. The easiest way I know of is to use the Google Plus API. http://developers.google.com/+/web/api/rest/latest/people/get Sending me will get some information on the current authenticated user. Sending the access token to the token verify endpoint can also work but depending upon the scope you are requesting – Linda Lawton - DaImTo Jan 21 '17 at 17:00
  • @DalmTo I may not have put my question properly. Here is more detail: in my web application, an (authenticated) user, identified by a unique id, tries to connect his (one or more) Google accounts at the browser end. The server side (Java) initiates the OAuth flow and redirects the user to the auth URL. After user consent, in my callback servlet I want to identify which user (identified by unique id) of my application had initiated connecting this Google account, so I can store this Google authorization against that user. Please help, should I use the state param? – zee Jan 22 '17 at 07:03
  • I think you can try the state parameter, as it will carry the user_id in the response. Its description says: Provides any state that might be useful to your application upon receipt of the response. The Google Authorization Server round-trips this parameter, so your application receives the same value it sent. Possible uses include redirecting the user to the correct resource in your site, and cross-site-request-forgery mitigations. https://developers.google.com/identity/protocols/OAuth2UserAgent – Abhishek Jan 22 '17 at 12:20
  • Yes, I think that is the way to go actually. I wanted someone to vet my thinking; I wanted some answers from Google devs. See no one here – zee Jan 22 '17 at 17:30
  • I am currently working with the Sheets API, and having trouble in the authorization process when I deploy the app on a web server. Can you share some code how you are doing it? – Abhishek Jan 22 '17 at 18:52

1 Answer


As the comments suggest, the state param is your friend. The simplest way would be to simply set state=user_id. An alternate approach would be to start a server session and store the user ID in the session object. This latter approach assumes you have a relatively simple server, or your cluster supports shared sessions.

pinoyyid
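A signed variant of `state=user_id`, as an added example that is not part of the answer above: the server puts the user_id, an expiry and a random nonce into `state` and appends an HMAC, so the callback servlet can recover the user_id and reject a `state` value it did not issue. The class name `OAuthState`, the methods `issue` and `verify`, the 600-second lifetime and the demo key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper: builds and checks the OAuth2 "state" value.
public class OAuthState {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] key; // server-side secret, never sent to the browser

    public OAuthState(byte[] key) { this.key = key.clone(); }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Called by the servlet that builds the auth URL; the result goes in the state parameter.
    public String issue(String userId, long nowSec) throws Exception {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String payload = B64.encodeToString(userId.getBytes(StandardCharsets.UTF_8))
                + "." + (nowSec + 600) + "." + B64.encodeToString(nonce);
        return payload + "." + sign(payload);
    }

    // Called by the callback servlet; returns the user_id, or null if forged, altered or expired.
    public String verify(String state, long nowSec) throws Exception {
        int cut = (state == null) ? -1 : state.lastIndexOf('.');
        if (cut < 0) return null;
        String payload = state.substring(0, cut);
        byte[] given = state.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(sign(payload).getBytes(StandardCharsets.UTF_8), given)) return null;
        String[] parts = payload.split("\\.");
        if (parts.length != 3 || Long.parseLong(parts[1]) < nowSec) return null;
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        OAuthState s = new OAuthState("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String state = s.issue("user-42", 1_000L);        // constructed user_id and clock value
        System.out.println(s.verify(state, 1_100L));       // valid, unexpired state
        System.out.println(s.verify(state + "x", 1_100L)); // tampered signature
        System.out.println(s.verify(state, 2_000L));       // past the expiry
    }
}
```

In the callback, the user_id returned by `verify` should also match the user logged in on the session that receives the callback, which ties the state to the browser that started the flow.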