OAuth 2

https://developers.google.com/identity/protocols/oauth2#libraries

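  • First, send a request to the Google endpoint, which redirects to Google's consent screen; the request carries your own redirect URL.
  • After the user confirms on Google's consent screen, the browser is redirected to your own page, and the URL carries the code used to obtain the access token.
  • Take the code from the page URL and send another request to the Google endpoint to obtain the token: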
{
  "access_token": "HbkBrQ5TAJFYUeLWsjhgWZ1Qt-ov9F0_B0S92aDhCMTQ", 
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjZmY2Y0MTMyMjQ3NjUxNTZiNDg3NjhhNDJmYWMwNjQ5NmEzMGZmNWEiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI0MDc0MDg3MTgx", 
  "expires_in": 3599, 
  "token_type": "Bearer", 
  "scope": "https://www.googleapis.com/auth/userinfo.profile", 
  "refresh_token": "1//KCgYIARAAGAQSNwF-L9IEcbqfjUdRQuK1y01gl2m4"
}
  • Then use the access_token to request user data from the Google API.
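
The first three steps above as server-side code. This is an added example, not code from Google's documentation or libraries. It assumes placeholder client credentials and a placeholder redirect URI, a dict standing in for the user's server-side session, and it adds a `state` check on the callback, which the steps above do not mention.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Constructed placeholder values, not real credentials.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/oauth2/callback"
SCOPE = "https://www.googleapis.com/auth/userinfo.profile"


def build_authorization_url(session):
    """Step 1: consent-page URL; a fresh random state is bound to the session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "access_type": "offline",  # also ask for a refresh_token
        "state": session["oauth_state"],
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Steps 2-3: validate the redirect, then return the token request form."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    # POST this form to TOKEN_ENDPOINT from the server, never from the browser,
    # so that client_secret and the returned tokens stay off the client.
    return {
        "grant_type": "authorization_code",
        "code": codes[0],
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step 1
    }
```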

https://developers.google.com/accounts/images/webflow.png

Using OAuth 2.0 for Web Server Applications

https://developers.google.com/identity/protocols/oauth2/web-server

Service accounts

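Google APIs such as the Prediction API and Google Cloud Storage can act on behalf of your application without accessing user information. In these situations your application needs to prove its own identity to the API, but no user consent is necessary. Similarly, in enterprise scenarios, your application can request delegated access to some resources.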

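The credentials for a service account, which you obtain from the Google API Console, include a generated email address that is unique, a client ID, and at least one public/private key pair. You use the client ID and one private key to create a signed JWT and construct an access-token request in the appropriate format. Your application then sends the token request to the Google OAuth 2.0 authorization server, which returns an access token. The application uses the access token to access Google APIs. When the token expires, the application repeats the process.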

Using OAuth 2.0 for Server to Server Applications

https://developers.google.com/identity/protocols/oauth2/service-account
