Authorization Request


Now that we have the necessary variables set up, let’s start the OAuth process.

The first thing we’ll have people do is visit this page with ?action=login in the query string to kick off the process.

Note that scopes in this request are now OpenID Connect scopes, “openid email”, indicating that we are not requesting access to the user’s Google data, just wanting to know who they are.

Also note that we are using the response_type=code parameter to indicate that we want Google to return an authorization code that we’ll exchange for the id_token later.

// Start the login process by sending the user
// to Google's authorization page
if(isset($_GET['action']) && $_GET['action'] == 'login') {

  // Generate a random hash and store in the session
  $_SESSION['state'] = bin2hex(random_bytes(16));

  $params = array(
    'response_type' => 'code',
    'client_id' => $googleClientID,
    'redirect_uri' => $baseURL,
    'scope' => 'openid email',
    'state' => $_SESSION['state']
  );

  // Redirect the user to Google's authorization page
  header('Location: '.$authorizeURL.'?'.http_build_query($params));
  // Stop here so nothing else runs after the redirect header is sent
  die();
}

It’s important to generate a “state” parameter to use to protect the client. This is a random string that the client generates and stores in the session. The app uses the state parameter to verify that it initiated the request when Google sends the user back to the app.

We build up an authorization URL and then send the user there. The URL contains our public client ID, the redirect URL which we previously registered with Google, the scope we’re requesting, and the “state” parameter.

Google’s Authorization Request

If the user is already logged in to Google, they’ll see an account chooser screen as shown above asking them to choose an existing account or use a different account. Notice that this screen does not look like a typical OAuth screen, because the user isn’t granting any permissions to the application; the application is just trying to identify them.

When the user selects an account, they will be redirected back to our page with code and state parameters in the request. The next step is to verify the authorization code with the Google API.
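The state check the app makes when the user comes back with code and state, as an added example that is not code from the original page. The function names, the authorization URL and the sample callback values are hypothetical, and a plain array stands in for $_SESSION so the script runs offline.

```php
<?php
// Added example: function names and sample values are hypothetical.

// Build the authorization URL and store a fresh state in the session array.
function buildAuthorizationUrl(array &$session, string $authorizeURL, string $clientID, string $redirectURI): string {
  $session['state'] = bin2hex(random_bytes(16));
  $params = array(
    'response_type' => 'code',
    'client_id' => $clientID,
    'redirect_uri' => $redirectURI,
    'scope' => 'openid email',
    'state' => $session['state']
  );
  return $authorizeURL.'?'.http_build_query($params);
}

// Return the authorization code only if the callback carries the state
// this session generated; otherwise return null.
function checkCallbackState(array &$session, array $query): ?string {
  $expected = $session['state'] ?? null;
  unset($session['state']); // single use: a replayed callback no longer matches
  $state = $query['state'] ?? null;
  $code = $query['code'] ?? null;
  // Query parameters can arrive as arrays (state[]=x), so require strings
  if(!is_string($expected) || !is_string($state) || !is_string($code)) {
    return null;
  }
  // hash_equals compares in constant time
  return hash_equals($expected, $state) ? $code : null;
}

// Constructed sample values, not real Google endpoints or credentials
$session = array();
$url = buildAuthorizationUrl($session, 'https://auth.example/authorize',
                             'example-client-id', 'https://app.example/');
parse_str(parse_url($url, PHP_URL_QUERY), $sent);

// A callback whose state was not issued by this session is rejected
$s1 = $session;
var_dump(checkCallbackState($s1, array('code' => 'sample-code', 'state' => 'deadbeef')));

// The genuine callback is accepted once; replaying it is rejected
$s2 = $session;
$genuine = array('code' => 'sample-code', 'state' => $sent['state']);
var_dump(checkCallbackState($s2, $genuine));
var_dump(checkCallbackState($s2, $genuine));
```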