General - Initiate Google OpenID Connect Authentication Request

Initiate Google OpenID Connect Authentication Request

Q

How to initiate Google OpenID Connect Authentication Request?

✍: FYIcenter.com

A

The Google OpenID Connect v1.0 Authentication Request must be initiated from the end user's Web browser, because the Google OpenID Connect service needs to communicate with the Web browser to make sure that the end user is signed on to a Google account and has a valid browser session.

There are a number of options to initiate Google OpenID Connect Authentication Request:

1. Using HTML "form" POST method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:

<p>Please click the button flow to sign-on:</p>
<form method="POST" 
   action="https://accounts.google.com/o/oauth2/v2/auth">
<input type="hidden" name="client_id"
   value="9150833677096-...apps.googleusercontent.com">
...
<input type="Submit" name="Submit" value="Sign-On"><br/>
</form>

The main risk of this option is that your end user can view HTML source to see your "client_id" value and other request parameters.

2. Using HTML "form" GET method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:

<p>Please click the button flow to sign-on:</p>
<form method="GET" 
   action="https://accounts.google.com/o/oauth2/v2/auth">
<input type="hidden" name="client_id"
   value="9150833677096-...apps.googleusercontent.com">
...
<input type="Submit" name="Submit" value="Sign-On"><br/>
</form>

This option is not as good as the first option, because all parameters show up in the browser's Web address area for a short period of time before Google OpenID Connect service redirects the browser to the sign-on page or your application page.

Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.

3. Use a server side script to return a HTTP 302 redirect response. All request parameters are coded as the query string of the redirect URL. For example:

In the HTML document: 
<p>Click hereto sign-on</p>

In the service side script, Azure-AD-Redirect.php:
$url = "https://accounts.google.com/o/oauth2/v2/auth".
   "?client_id=9150833677096-...apps.googleusercontent.com".
   "&...";
header("Location: $url");

When the Web receives the HTTP 302 redirect response, it will automatically call the URL given in the "Location" response header.

This option is does not leave your client_id value in the HTML source code. But all parameters show up in the browser's Web address area for a short period of time before Google OpenID Connect redirects the browser the sign-on page or your application page.

Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.

Compare to other options, option 3 might be the best option.

⇒ Process Google OpenID Connect Authentication Request

⇐ Google OpenID Connect Authentication Request

⇑ Google OpenID Connect Integration

⇑⇑ OpenID Tutorials

2019-02-11, 439👍, 0💬