How to implement the OpenID Authorization Code Flow with Google OpenID Connect service?

If you want to implement the OpenID Authorization Code Flow (also called the Server Flow) in your Web application to use Google OpenID Connect service, you should follow these steps:

1. Building the Google OpenID Connect Sign-on authentication request:

• Register your Web application to your Google account.
• Add the URL where your server script is located to the above registration as a "Reply URL". This URL will be used as the "redirect_uri" in the authentication request.
• Take the "Client ID" from above registration and use it as the "client_id" in the authentication request.
• Set "scope=openid", and "response_type=code" in the authentication request.
• Set "nonce" to a random number and cache it in your application. So you can use it to validate the response later.
• Set "state" to the current session id of your application, So you can resume the session after the response is validated.

2. Triggering the end user browser to fire the authentication request to https://accounts.google.com/o/oauth2/auth.

• Create a login page, login.html, to display a login button.
• When the button is clicked, call a server side script, login.php.
• Create the server side script, login.php, to return a direct HTTP response with the location of https://accounts.google.com/o/oauth2/auth?... containing all request parameters in the URL as the query string.

3. Letting the end user sign on to the Active Directory - This is controlled by the Google OpenID Connect service. Your application is not involved in this step.

4. Validating the authentication response:

• Scan the response body for 2 possible parameters: "code" and "state" in your server side script, which you provided as the "redirect_uri" in the authentication request.
• Implement some logic to analyze the error and display some error message page back to the end user, if "error" found.
• Verify "state" value, it must be a valid session id in your application. Otherwise, display some error message page back to the end user.
• Take "code" and use it to make the access token request.

5. Building the Google OpenID Connect access token request:

• Set "code" to the "code" value received from the authentication request call.
• Set "client_id" to the same "client_id" value as the authentication request call. This is the application id you got when you register your Web application in Google OpenID Connect.
• Set "redirect_uri" to the same "redirect_uri" value as the authentication request call.
• Set "grant_type" to "authorization_code".
• Set "client_secret" to the secret key you created in your application registration in Google OpenID Connect.

6. Calling the access token request to https://oauth2.googleapis.com/token with the POST method.

7. Validating the access token response:

• Scan the response body for 2 possible parameters: "id_token" and "access_token",
• Decode "id_token" and perform validation. See other tutorials on how to validate "id_token".

5. Letting the end user to use your application:

• Take the user name, email address, and other profile information decoded from the "id_token" as trusted information.
• Record or update the end user profile in your application, if you maintain user profile in database.
• Let the end user to use your application.

Here is a diagram that shows the Google OpenID Connect OpenID Authentication Code Flow:

⇒ Integration with Azure Active Directory

⇐ Google OpenID Connect Access Token Request Test Page

⇑ Google OpenID Connect Integration

⇑⇑ OpenID Tutorials