On my webpage I have a simple login system (PHP). You provide mail and password, the system creates a _SESSION and you are logged in.
I want to add an option for login with Google OAuth 2.0.
I created an index.php file:
<?php
require_once("vendor/autoload.php");
$client = new Google_Client();
// client ID and secret from the Google Cloud Console are needed for the code exchange (placeholders)
$client->setClientId('YOUR-CLIENT-ID');
$client->setClientSecret('YOUR-CLIENT-SECRET');
$client->addScope(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile'));
// Google requires an absolute redirect URI that matches one registered for the client (placeholder host)
$redirect_uri = 'https://example.com/login.php';
$client->setRedirectUri($redirect_uri);
?>
<a href="<?=$client->createAuthUrl()?>">LOGIN WITH GOOGLE</a>
The user will click on the link; after choosing a Google account he is redirected to the
login.php file:
<?php
require_once("vendor/autoload.php");
session_start();
$client = new Google_Client(); // configure with the same client ID, secret and redirect URI as in index.php
if(isset($_GET['code'])) {
    try {
        $token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
    }catch (Exception $e){
        //redirect to login.php - invalid login
        exit();
    }
    // fetchAccessTokenWithAuthCode() reports most failures via an 'error' key rather than an exception
    if (isset($token['error']) || empty($token['id_token'])) {
        //redirect to login.php - invalid login
        exit();
    }
    try {
        // pass the ID token explicitly (or call setAccessToken($token) first); with no token set, verifyIdToken() throws
        $pay_load = $client->verifyIdToken($token['id_token']);
    }catch (Exception $e) {
        //redirect to login.php - invalid login
        exit();
    }
    // verifyIdToken() returns false (no exception) when the signature, issuer, audience or expiry check fails
    if ($pay_load === false) {
        //redirect to login.php - invalid login
        exit();
    }
    //NOW I KNOW USER IS VALID,
    //create my own _SESSION and redirect to index.php as logged user (I will use mail and name of user from Google).
    // I am managing _SESSION so if the user logs out I will just destroy the session, or it will be destroyed after a few minutes of inactivity
}
Is this approach good?
Do I need to use
setAccessToken($token);
verifyIdToken();
Thank you for the answer.
I think you are misunderstanding the difference between authorization and authentication.
OAuth2 grants you authorization to access a user's data; this is denoted by an access token and a refresh token.
Refresh tokens allow you to access a user's data when the user is offline by requesting a new access token. Using OAuth2 does not guarantee that there is a user behind the calls being made.
OpenID Connect authentication is a user logging in and authenticating with a login and password or Google login, proving that this is the user.
This is denoted by an ID token. There will always be an actual user behind a login to OpenID Connect.
"On my webpage I have a simple login system (PHP). You provide mail and password, the system creates a _SESSION and you are logged in."
If you are working with a login system then you should be using OpenID Connect, which does not really need a refresh token to access the user data when the user is offline. The user will always be present in a login system.
If the main question here is, "will I need the refresh token?", the answer to that is... the access token will expire. Once it expires you will have two options:
The sole purpose of refresh tokens is to obtain fresh access tokens after expiry, without having to redirect a user to Google and back again. If you don't mind doing that, or if you only need access to their accounts for a short time, you will not really need to use the refresh token.
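To tie the two posts together, here is an added example (my code, not the asker's snippet and not the answerer's) of the login flow done as OpenID Connect with the same google/apiclient v2 library: request only the `openid email profile` scopes, exchange the code, verify the ID token (that verification is the authentication step the answer describes), and start a local session from its claims. No offline access is requested, so no refresh token is ever issued or stored. It also adds the OAuth `state` check that the original index.php/login.php pair lacks. The client ID, secret, redirect URI and the example.com host are placeholders you must replace; the two entry points are combined in one file for brevity.

```php
<?php
// Added example, not code from the original question or answer. Assumes google/apiclient v2
// installed via Composer; the constants below are placeholders for your own values.
declare(strict_types=1);
require_once __DIR__ . '/vendor/autoload.php';

const GOOGLE_CLIENT_ID     = 'YOUR-CLIENT-ID.apps.googleusercontent.com'; // placeholder
const GOOGLE_CLIENT_SECRET = 'YOUR-CLIENT-SECRET';                        // placeholder
const GOOGLE_REDIRECT_URI  = 'https://example.com/login.php';             // placeholder; must be absolute and registered

function makeGoogleClient(): Google_Client
{
    $client = new Google_Client();
    $client->setClientId(GOOGLE_CLIENT_ID);
    $client->setClientSecret(GOOGLE_CLIENT_SECRET);
    $client->setRedirectUri(GOOGLE_REDIRECT_URI);
    // OpenID Connect scopes only: we need to know who the user is, not act on their
    // data later, so offline access (and therefore a refresh token) is never requested.
    $client->addScope(['openid', 'email', 'profile']);
    return $client;
}

// index.php side: build the login link. A random state value stored in the session
// lets login.php reject callbacks that did not start from this login page.
function buildLoginUrl(): string
{
    session_start();
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    $client = makeGoogleClient();
    $client->setState($state);
    return $client->createAuthUrl();
}

// login.php side: handle the callback. Returns the verified ID-token claims, or null on any failure.
function handleGoogleCallback(): ?array
{
    session_start();
    if (!isset($_GET['code'], $_GET['state'], $_SESSION['oauth_state'])) {
        return null;
    }
    // Constant-time comparison of the state Google echoed back with the one we issued.
    if (!hash_equals($_SESSION['oauth_state'], $_GET['state'])) {
        return null;
    }
    unset($_SESSION['oauth_state']); // one-time use

    $client = makeGoogleClient();
    $token  = $client->fetchAccessTokenWithAuthCode($_GET['code']);
    if (!is_array($token) || isset($token['error']) || empty($token['id_token'])) {
        return null; // exchange failed or Google returned no ID token
    }

    // verifyIdToken() checks the signature against Google's published keys, the issuer,
    // the expiry and the audience (our client ID). It returns the claims array or false.
    $payload = $client->verifyIdToken($token['id_token']);
    if ($payload === false || empty($payload['sub'])) {
        return null;
    }
    // Only link an account by e-mail when Google asserts the address is verified.
    if (empty($payload['email_verified'])) {
        return null;
    }

    // Authentication succeeded: start a fresh session ID before storing the login.
    session_regenerate_id(true);
    $_SESSION['user'] = [
        'google_sub' => $payload['sub'],          // stable per-user ID; use this as the key, not the e-mail
        'email'      => $payload['email'],
        'name'       => $payload['name'] ?? '',
        'login_at'   => time(),
    ];
    // The access token is deliberately not kept: nothing on this site calls Google APIs for the user.
    return $payload;
}
```

index.php would render `<a href="<?= htmlspecialchars(buildLoginUrl()) ?>">LOGIN WITH GOOGLE</a>`, and login.php would call `handleGoogleCallback()` and redirect to index.php on a non-null result or back to the login page otherwise. Keying the local account on the `sub` claim rather than the e-mail address matters because Google documents `sub` as the stable identifier, while an e-mail can change.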