There are several ways. Before, let's go to the questions:
In theory, would not it be Google (serve-oauth) itself that should manage the session instead of the WEB application that used OAuth to authenticate the user?
No. Google is responsible for authenticating the user and checking the validity of user information requests made by web applications.
As a web application that uses OAuth for authentication, can you manage the session and identify the user that is logged in, or know if it is logged in?
She herself would manage the sessions; the OAuth provider only validates access to the information of its registered users.
What data types does a WEB application that uses OAuth for authentication receive as a response from the OAuth server when the user is authenticated?
There are several formats, but in general the flow is designed to segregate layers - via the web the user validates, and the application receives a token that must be re-validated directly by the server - and only then the backend of the application will get the data of the user that is logging in.
I think the stream can be best viewed if the steps are listed in sequence:
- Your web application is registered with the OAuth provider. This will generate a secret key, which you will use in the future:
- User connects to your web application. Without active session, you offer a page containing a list of OAuth providers that the user can use. The user selects, for example, Google.
- The browser is redirected to the Google OAuth2 provider, along with a valid return URL (previously registered - in the above image,
http://localhost
was used).
- User authenticates.
- Google redirects back, along with a request token.
- Your server receives a request from the browser that contains the request token - something like
http://localhost/?token=1234567
.
- The server establishes a direct connection to the back-end of Google, passing both the token and its secret key (for example,
https://oauth.google.com/validate/?token=1234567&secret-key=abcdefgh
.)
- The Oauth provider validates whether token, secret key, and source URL are valid. If so, a payload is returned containing user data (JSON:
{'email': '[email protected]'}
, for example.)
- Your application creates its own session, based on the information returned by Google's Oauth2 backend.
Two important points:
- Your web application never receives credentials (email + password) directly - these are validated on Google's servers.
- Your end-end never receives the secret key, as this should only be used by the backend.