These are the steps ...
- Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
- Google will walk the user through login and (if the first time through) the authorisation dialogues
- Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
- Call Google to convert the auth code to a refresh token. This will also return the user's Google ID and an access token.
- Store the user ID in your session so you can identify the user subsequently
- Persist the refresh token alongside the Google user id in a database
On subsequent visits...
- If you have the Google user id in your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
- If you do NOT have the Google user id in your session, go through the steps above. This time, Google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, e.g.
- user declines permission
- user withdraws permission
- Google expired the refresh token (happens a lot) so you need to re-auth
- timeouts
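The flow above, plus the error cases listed at the end, as an added Python example (not code from the answer or from Google's libraries). It assumes a `post` callable that sends form data to the token endpoint (adding your client_id, client_secret and redirect_uri) and returns the parsed JSON, and a `verify_id_token` callable that validates the returned id_token and gives back its claims (in production, e.g. `google.oauth2.id_token.verify_oauth2_token`); `store` is a dict standing in for the database table of refresh tokens.

```python
import secrets
from urllib.parse import urlencode

AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"


class NeedsReauth(Exception):
    """No usable refresh token: the user has to go through the auth URL again."""


def build_auth_url(client_id, redirect_uri, scopes, session, force_consent=False):
    """Step 1: the URL to send the user to. A random state value is bound to the
    session so the callback can be checked against CSRF / injected auth codes."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes),
              "access_type": "offline",          # required to get a refresh token at all
              "state": session["oauth_state"]}
    if force_consent:                            # re-consent => Google issues a new refresh token
        params["prompt"] = "consent"
    return AUTH_URL + "?" + urlencode(params)


def handle_callback(params, session, store, post, verify_id_token):
    """Steps 3-6: validate the redirect, swap the code for tokens, persist the
    refresh token keyed by Google user id, remember that id in the session."""
    if "error" in params:                        # user declined the permission dialogue
        raise NeedsReauth(params["error"])
    expected = session.pop("oauth_state", None)  # single use, whatever happens next
    if expected is None or not secrets.compare_digest(params.get("state", ""), expected):
        raise ValueError("state mismatch: not a redirect we initiated")
    tokens = post(TOKEN_URL, {"code": params["code"], "grant_type": "authorization_code"})
    user_id = verify_id_token(tokens["id_token"])["sub"]   # the Google user id
    if tokens.get("refresh_token"):              # blank on repeat authorisations
        store[user_id] = tokens["refresh_token"]
    elif user_id not in store:                   # blank AND nothing stored: need prompt=consent
        raise NeedsReauth("no refresh token available")
    session["google_user_id"] = user_id
    return tokens["access_token"]


def access_token_for(session, store, post):
    """Subsequent visits: mint an access token from the stored refresh token."""
    user_id = session.get("google_user_id")
    if user_id is None or user_id not in store:
        raise NeedsReauth("unknown user or no stored refresh token")
    resp = post(TOKEN_URL, {"refresh_token": store[user_id], "grant_type": "refresh_token"})
    if resp.get("error") == "invalid_grant":     # Google expired or user revoked the token
        del store[user_id]                       # drop it so the next visit re-auths cleanly
        raise NeedsReauth("refresh token no longer valid")
    return resp["access_token"]
```

Timeouts are left to the `post` implementation; treat them as transient and retry rather than discarding the stored refresh token.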