| One-time per application | |||
| User wants to access web application. | |||
| Web application redirects user to a Google page asking the user to give access to the application. | |||
| User tells Google they give the web application access to their Google Workspace data (like contacts or Google Calendar events). | |||
| Google sends web application an authorization code. | |||
| The web app sends the authorization code and client credentials to Google and receives a new token. | |||
| Google records this web app has access by the token issued. The admin or user can later revoke this token. As well, when the user's password is changed, this token will be revoked automatically. | |||
Ongoing |
|||
| User: OAuth requires no further information from user. Note: User or admin can revoke authorization to web app at any time. |
|||
| Web application requests access to user's data and presents token as authorization. If token is expired, the web app requests Google to refresh its token. | |||
| Google checks the token for authenticity. If it checks out, Google returns the data. | |||
2-legged OAuth
| One-time set up | |||
| Admin installs web application and gives it 2-legged OAth access. This defines the scope of what user data the web app can access for the domain (like contacts or Google Calendar events). | |||
| The web application authenticates to Google and is issued an access token by Google. | |||
Ongoing (each time the application needs to access Google Workspace data) |
|||
| Web app sends authentication token to Google, requesting the user's data (like contacts or Google Calendar events). | |||
| Google checks if application has access to the requested data for that user. If the application has access, Google makes any requested updates and returns requested data. | |||
