I can't find anywhere how authentication with Google OAuth should look from start to end, what I should store in the database and how.
I'm working on an application which lets the user log in using a Google account and grant permission to his Gmail account, and I'm not quite sure how everything should work step by step. I have 2 ideas:
#1

- User clicks the "Google sign in" button
- Application asks for permission to `https://www.googleapis.com/auth/userinfo.email` and other services (Gmail etc.)
- In response I get `access_token`, `refresh_token` and `id_token`
- I store `refresh_token` and `id_token` in the database
- I generate a PHPSESSID and store it in the database
- Every time the user visits my website I check the database for the PHPSESSID and verify `id_token`
- And here I have problems...

What if the user tries to log in from another browser or another PC? I'll need to update `refresh_token` and `id_token` every time the user logs in to my application. Is it a good solution?
#2

- User clicks the "Google sign in" button
- Application asks only for permission to `https://www.googleapis.com`
- In response I get `id_token`
- I store `id_token` in the database
- I generate a PHPSESSID and store it in the database
- Every time the user visits my website I check the database for the PHPSESSID and verify `id_token`
- After the user is logged in I ask him for permissions to other Google services (Gmail etc.)
- In response I get `refresh_token` and store it in the database

First of all: is it possible to ask twice for permissions for the same domain? In this solution I'll need to update only `id_token` every time the user logs in to the application.
Or maybe there is a better way for such authentication?
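As an added example (not part of the question, and in Python rather than the asker's PHP), the sketch below shows the storage layout the two ideas are circling around: the ID token is verified once at login (signature, `iss`, `aud`, `exp`, `email_verified`), the stable Google `sub` claim becomes the user key, each login from each browser gets its own random session id pointing at that user, and the one `refresh_token` per user is replaced only when Google actually returns one. Because an ID token carries an `exp` claim and is only valid for a short time, it is not something to re-verify on every visit; the server-side session is what identifies the returning user. The client id is an assumed value, and the token is HMAC-signed with a constructed key purely so the example runs offline; real Google ID tokens are RS256-signed and must be checked against Google's published public keys.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed value for this example; a real app uses its own OAuth client id.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
# Constructed key so the example runs offline. Real Google ID tokens are
# RS256-signed; verify those against Google's published public keys instead.
TEST_HMAC_KEY = b"constructed-test-key-do-not-use"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_test_id_token(claims: dict, key: bytes = TEST_HMAC_KEY) -> str:
    """Build an HS256 JWT shaped like a Google ID token (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = TEST_HMAC_KEY,
                    now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience, expiry and email_verified; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued for another client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not claims.get("email_verified"):
        raise ValueError("email not verified")
    return claims


def token_is_valid(token: str, now: Optional[float] = None) -> bool:
    try:
        verify_id_token(token, now=now)
        return True
    except ValueError:
        return False


class SessionStore:
    """In-memory stand-in for the two tables the app would keep."""

    def __init__(self) -> None:
        self.users = {}     # keyed by Google 'sub': email + at most one refresh_token
        self.sessions = {}  # keyed by random session id: one row per login/browser

    def login(self, id_token: str, refresh_token: Optional[str] = None,
              now: Optional[float] = None) -> str:
        claims = verify_id_token(id_token, now=now)
        user = self.users.setdefault(claims["sub"], {"email": claims["email"], "refresh_token": None})
        if refresh_token:  # Google returns one only when consent is (re-)granted
            user["refresh_token"] = refresh_token
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"sub": claims["sub"], "created": now}
        return session_id

    def user_for_session(self, session_id: str) -> Optional[dict]:
        session = self.sessions.get(session_id)
        return None if session is None else self.users.get(session["sub"])
```

The session id is the value that would go into the PHPSESSID cookie; logging in from a second browser just adds a second row in `sessions` for the same `sub`, so nothing about the stored refresh token has to change. Storing the refresh token encrypted at rest, and revoking it when the user disconnects the app, are the next steps a production version would add.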