
How does Gmail login work


I am trying to answer the question

"You put in your username and password into your Gmail login page and press enter… What happens next?"

I am a bit confused answering this question.

I've searched on Google and found out that OAuth is the way that web apps can authenticate users. However, it seems like OAuth is more for third-party apps who want to use Google login on their website.

So I'm a little confused, what are the steps that Gmail uses to log their users in? Should I be looking more into encryption or something else which I have not yet come across? Or is OAuth the thing I should be looking at?

I couldn't really find anything which answered the question I'm trying to answer. So could anyone please point me in the right direction?


Solution

  • I think you are mixing a few things up: Authentication and Authorization.

    • Authentication: Jane was born in 2000 (Jane is 18 in 2018)
    • Authorization: Jane can drive in the United States, Jane cannot drink in the United States.

    When you type in your login and password to a website you are Authenticating. Check out something called OpenID Connect if you like; it's technically built on top of OAuth2. All authentication does is say who is sitting behind the machine: the person with access to the login and password. Note not all sites use OpenID Connect. I am just using this example because Google does and your question was about Gmail.

    OAuth2 Authorization states what data you have access to.

    With regard to the Gmail API: if you want to use my application to access the Gmail API, the first thing that will happen is you will be prompted to enter your login and password, thereby authenticating that you are you. Then you will be prompted for consent.

    [Screenshot: Google OAuth2 consent screen]

    In this picture you are being asked to grant the application permission to access your Google Analytics data. This is Authorization: the application now has your permission to access your data.

    Logging into a website using OpenID is different from logging into an application using OAuth2. The website is normally created by the company that owns the data, therefore they don't need your Authorization. But third-party apps created to access that company's data will need your Authorization.
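The split the answer describes is visible in the protocol messages themselves. The following is an added example, not code from the answer above or from Google: it builds the Authorization Code request a third-party app sends to Google, separates the OpenID Connect scopes (authentication) from the Gmail API scope (authorization), and applies the claim checks a relying party performs on the returned ID token. The client id, redirect URI, nonce and the ID token are constructed sample values; only the endpoint and scope URLs are Google's documented ones.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Google's documented authorization endpoint and Gmail read-only scope (real values).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
# OpenID Connect scopes answer "who is this user?"; every other scope is data access.
IDENTITY_SCOPES = {"openid", "email", "profile"}

def build_auth_url(client_id, redirect_uri, scopes, state, nonce):
    """Authorization Code request. `state` ties the response to this browser
    session; `nonce` is echoed inside the ID token so it cannot be replayed."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def classify_scopes(auth_url):
    """Split the requested scopes into authentication (OIDC) and authorization (API) parts."""
    scopes = parse_qs(urlparse(auth_url).query)["scope"][0].split()
    return ([s for s in scopes if s in IDENTITY_SCOPES],
            [s for s in scopes if s not in IDENTITY_SCOPES])

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_id_token(claims):
    """Constructed ID token for offline testing; the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), "dummy-signature"])

def validate_id_token(id_token, client_id, nonce, now):
    """Claim checks a relying party performs AFTER verifying the RS256 signature
    against Google's published JWKS (that network step is omitted here)."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims["sub"]  # stable Google user id: the authenticated identity
```

The ID token answers the authentication question; the separate access token (not shown) carries the consented Gmail scope and is what the app presents to the Gmail API.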