From 9b2981fabeb42b8c83151fbf1cf261b7b29e40b0 Mon Sep 17 00:00:00 2001
From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 27 Apr 2018 08:21:26 -0700
Subject: [PATCH] add sample app of signing in with google
---
README.md | 7 ++-
google.php | 124 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 129 insertions(+), 2 deletions(-)
create mode 100644 google.php
diff --git a/README.md b/README.md
index 9265cee..6045fc3 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,5 @@
-# sample-oauth2-client
-Sample OAuth2 client using the GitHub API
+# Sample OAuth 2.0 Clients
+
+Sample OAuth 2.0 clients using the GitHub and Google APIs
+
+Read more info in the book [https://oauth2simplified.com OAuth 2.0 Simplified]
diff --git a/google.php b/google.php
new file mode 100644
index 0000000..9429c4b
--- /dev/null
+++ b/google.php
@@ -0,0 +1,124 @@
+<?php
+// Fill these out with the values you got from Google
+$googleClientID = '';
+$googleClientSecret = '';
+
+// This is the URL we'll send the user to first to get their authorization
+$authorizeURL = 'https://accounts.google.com/o/oauth2/v2/auth';
+
+// This is Google's OpenID Connect token endpoint
+$tokenURL = 'https://www.googleapis.com/oauth2/v4/token';
+
+// The URL for this script, used as the redirect URL
+$baseURL = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
+
+// Start a session so we have a place to store things between redirects
+session_start();
+
+
+
+// Start the login process by sending the user
+// to Google's authorization page
+if(isset($_GET['action']) && $_GET['action'] == 'login') {
+ unset($_SESSION['user_id']);
+
+ // Generate a random hash and store in the session
+ $_SESSION['state'] = bin2hex(random_bytes(16));
+
+ $params = array(
+ 'response_type' => 'code',
+ 'client_id' => $googleClientID,
+ 'redirect_uri' => $baseURL,
+ 'scope' => 'openid email https://www.googleapis.com/auth/userinfo.profile',
+ 'state' => $_SESSION['state']
+ );
+
+ // Redirect the user to Google's authorization page
+ header('Location: ' . $authorizeURL . '?' . http_build_query($params));
+ die();
+}
+
+if(isset($_GET['action']) && $_GET['action'] == 'logout') {
+ unset($_SESSION['user_id']);
+ header('Location: '.$baseURL);
+ die();
+}
+
+// When Google redirects the user back here, there will be a "code" and "state"
+// parameter in the query string
+if(isset($_GET['code'])) {
+ // Verify the state matches our stored state
+ if(!isset($_GET['state']) || $_SESSION['state'] != $_GET['state']) {
+ header('Location: ' . $baseURL . '?error=invalid_state');
+ die();
+ }
+
+ // Exchange the auth code for a token
+ $ch = curl_init($tokenURL);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
+ 'grant_type' => 'authorization_code',
+ 'client_id' => $googleClientID,
+ 'client_secret' => $googleClientSecret,
+ 'redirect_uri' => $baseURL,
+ 'code' => $_GET['code']
+ ]));
+ $response = curl_exec($ch);
+ $data = json_decode($response, true);
+
+ // Note: You'd probably want to use a real JWT library
+ // but this will do in a pinch. This is only safe to do
+ // because the ID token came from the https connection
+ // from Google rather than an untrusted browser redirect
+
+ // Split the JWT string into three parts
+ $jwt = explode('.', $data['id_token']);
+
+ // Extract the middle part, base64 decode it, then json_decode it
+ $userinfo = json_decode(base64_decode($jwt[1]), true);
+
+ $_SESSION['user_id'] = $userinfo['sub'];
+ $_SESSION['email'] = $userinfo['email'];
+
+ // While we're at it, let's store the access token and id token
+ // so we can use them later
+ $_SESSION['access_token'] = $data['access_token'];
+ $_SESSION['id_token'] = $data['id_token'];
+ $_SESSION['userinfo'] = $userinfo;
+
+ header('Location: ' . $baseURL);
+ die();
+}
+
+
+
+// If there is a user ID in the session
+// the user is already logged in
+if(!isset($_GET['action'])) {
+ if(!empty($_SESSION['user_id'])) {
+ echo '<h3>Logged In</h3>';
+ echo '<p>User ID: '.$_SESSION['user_id'].'</p>';
+ echo '<p>Email: '.$_SESSION['email'].'</p>';
+ echo '<p><a href="?action=logout">Log Out</a></p>';
+
+ echo '<h3>ID Token</h3>';
+ echo '<pre>';
+ print_r($_SESSION['userinfo']);
+ echo '</pre>';
+
+ echo '<h3>User Info</h3>';
+ echo '<pre>';
+ $ch = curl_init('https://www.googleapis.com/oauth2/v3/userinfo');
+ curl_setopt($ch, CURLOPT_HTTPHEADER, [
+ 'Authorization: Bearer '.$_SESSION['access_token']
+ ]);
+ curl_exec($ch);
+ echo '</pre>';
+
+ } else {
+ echo '<h3>Not logged in</h3>';
+ echo '<p><a href="?action=login">Log In</a></p>';
+ }
+ die();
+}
+
--
GitLab