Beginner’s guide to OAuth: Understanding access tokens and authorization codes using Google API

Risa Fujii on August 16, 2019

As a user, it’s easy and convenient to use your Google account (or Facebook, Twitter, etc.) to sign into other services. You click the "Sign in w... [Read Full]
markdown guide

Thanks a lot. That was very informative. Could you perhaps speak of other Oauth flows that exist in an advanced post? The flow you described is suitable for frontend requests, but what about backend requests? I saw that the specification allows that, too, with a different type of flow.


Sounds like a great article idea. I only cover topics I feel comfortable writing about, but I’ll look into it if I have a chance :)


Ha - what a coincidence! I'm currently working through understanding oauth right now, through javascript. This has been helpful, especially since I couldn't figure out the refresh tokens bit and how that component work. Thank you!


Did you figure out with Javascript yet? I am trying to do the same, but there are things I certainly don't quite understand yet. If you have time, would you see if you can answer my question?

I am trying to use Passport JS Google OAuth 2 for authentication. I understand that when using Passport and upon successful login in Google (or Facebook/Twitter), it sends you back a token, user profile, etc. which contains the email address of the user among other things. Now, my Database is set up so that each user has a unique email address. What if the user decides to register for an account in my database with an email address, but decides to use Google to log in (this person has multiple email addresses)? Won’t the email address retrieved by logging into Google not match the other email address which is in my database? How do you handle that?


I haven't got into that use case. I wish I could go technical for you. Sorry.

From a consumer side: I know Patreon and some saas products i use... offer account creation and then Google Oauth. So yes, you can create a account with email, and login with oauth. If you register with oauth, they make me create an account anyways with email.

The unique key will always be the email, and a separate data field is used to store the Google oauth secret. So email/oauth data are completely separate.

Within the login form, it just needs a successful handshake from email or oauth to provide access.

It's not something I've done, and I'm only speaking from how I see it working in other situations. Best of luck!


You were able to simplify the example so much and it is very easy to follow. This can help not only for Google OAuth but as a whole because this is the flow with other libraries as well - or at least LinkedIn, Microsoft Active Directory.


Very nice introduction article Risa!
Most developers are not comfortable with Oauth, it's ticky, complex and yet very powerful, I'm sure this will help.


You broke that down really well -- love the flow of the overview and the code snippets are great. Thank you!


Very helpful and just in right time for me.
Well written, thanks a lot!


I really appreciate comments like this - thanks!


Yes indeed a really good article about OAuth. I have read some articles the past few days about the topic and this one is really easy to understand and well written.

code of conduct - report abuse