Google OAuth for Ruby implementation

夜絳紅
3 min readJun 30, 2021


In my Security course, we need to implement Google OAuth SSO for our website. However, the google-api-client gem has been deprecated (as the Google Identity documentation mentions). (Note: there is still a gem called google-api-ruby-client that can be used, but this article will ONLY focus on constructing the pure HTTP/HTTPS requests.)

Step 1: Setting up Google credentials (refer to the reference article)

  1. Enter the Google API Console.
  2. Set up the OAuth agreement (consent) page. You don't need to specify anything special except setting User Type to External; you can keep the defaults for the other settings.
OAuth Agreement Page

  3. Create an OAuth Client ID (if you need different keys for different environments, you can create two or three, for testing and production). Set your application type to Web application, then enter your application name and your redirect callback URI.

OAuth Client Creation

  4. Save your Client ID and Client Secret for use in the following steps.

Getting Client Credentials Info

Step 2: Getting the short-term authorization code

  1. Reference documents: Document 1, Document 2
  2. The URL for getting the code is: https://accounts.google.com/o/oauth2/v2/auth
  3. You can use Postman to test your request. Use the GET method, following the example below (copied from the referenced document). Required params: client_id, response_type=code, scope=openid%20profile%20email, redirect_uri
Postman setting for getting code
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly&
access_type=offline&
include_granted_scopes=true&
response_type=code&
state=state_parameter_passthrough_value&
redirect_uri=https%3A//oauth2.example.com/code&
client_id=client_id

  4. Other params I set in my case: access_type=offline, include_granted_scopes=true

  5. Remember to fill in your callback URI in the redirect_uri param

Step 3: Getting the long-term token

  1. Reference documents: Document 1, Document 2 (but I didn't use the refresh token)
  2. The URL for getting the token is: https://oauth2.googleapis.com/token
  3. Use the POST method, and set the body type to x-www-form-urlencoded. Required params: code, client_id, client_secret, redirect_uri, grant_type=authorization_code
Postman setting for getting token

  4. Remember that your redirect_uri must be the same as the redirect_uri used in Step 2

Step 4: Getting users' profiles and emails

  1. After Step 3, you will get several tokens. Following the tutorial in this document, I use the id_token.
  2. Use the Ruby gem google-id-token to verify the id_token (send your id_token from your Web App [browser side], and verify the id_token on your Web API side [API server side]).
  3. Reminder: the aud value in the google-id-token gem means GOOGLE_CLIENT_ID, so I also send GOOGLE_CLIENT_ID as a param from the Web App to the Web API. Remember to keep your Client ID in an environment variable on both the API and App side.

Step 5: Users can log in happily with their Google accounts!

Something else:

Tips for using the Ruby httprb/http gem:

If you want to set your HTTP POST request type to x-www-form-urlencoded, you can use the HTTP::URI.form_encode function to turn a Ruby hash into a string, then pass that string to the post method (as the body). You can see the example below:

HTTP gem usage for x-www-form-urlencoded
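Steps 2 to 4 and the form-encoding tip above, as an added Ruby example that is not code from the original post: it builds the authorization URL, the form-encoded token-exchange body, and the claim checks applied to a decoded id_token. The client ID, redirect URI, state value and payloads are constructed placeholders, and the stdlib URI.encode_www_form stands in for HTTP::URI.form_encode so the block runs without the http gem.

```ruby
require "uri"

# Constructed placeholder values; the real ones come from the Google API Console.
CLIENT_ID     = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
REDIRECT_URI  = "https://oauth2.example.com/code"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze

# Step 2: build the authorization URL. `state` is a random per-login value the
# server stores in the session and compares on the callback, so a callback
# that was not started by this session is rejected.
def authorization_url(state, client_id: CLIENT_ID, redirect_uri: REDIRECT_URI)
  params = {
    "client_id"              => client_id,
    "response_type"          => "code",
    "scope"                  => "openid profile email",
    "redirect_uri"           => redirect_uri,
    "access_type"            => "offline",
    "include_granted_scopes" => "true",
    "state"                  => state
  }
  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(params)}"
end

# Step 3: body for the POST to https://oauth2.googleapis.com/token, sent as
# application/x-www-form-urlencoded. URI.encode_www_form (stdlib) is the
# equivalent of HTTP::URI.form_encode from the http gem.
def token_request_body(code, client_secret, client_id: CLIENT_ID, redirect_uri: REDIRECT_URI)
  URI.encode_www_form(
    "code"          => code,
    "client_id"     => client_id,
    "client_secret" => client_secret,
    "redirect_uri"  => redirect_uri, # must match the Step 2 redirect_uri exactly
    "grant_type"    => "authorization_code"
  )
end

# Step 4: claim checks on a decoded id_token payload (the signature check is
# the google-id-token gem's job). The expected aud is the server's own
# configured client ID, not a value the browser sent along with the token.
def id_token_claims_valid?(payload, now: Time.now.to_i, client_id: CLIENT_ID)
  return false unless GOOGLE_ISSUERS.include?(payload["iss"])
  return false unless payload["aud"] == client_id
  return false unless payload["exp"].is_a?(Integer) && payload["exp"] > now
  true
end
```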
