Elliott
April 6, 2023

OAuth2: Authenticating users made secure

Anyone who has been curious about building an application that embeds other services will probably have come across the term OAuth2 (Open Authorization 2.0). For instance, if you are creating an app and want to let your users log in through Google, Facebook or Twitter, you will need to use each of those companies' respective OAuth2 systems to "authenticate" your users. Strictly speaking, OAuth2 is an authorization protocol; "Log in with Google" is built on OpenID Connect, which adds an identity token on top of the same OAuth2 flow, but the steps you implement are the ones described here.

What is OAuth2

OAuth2 is a set of rules (the OAuth 2.0 authorization framework, RFC 6749) that lets a user grant your app access to data held by a provider (in this case your app is the app they are using and Google is the provider) without ever handing their Google password to you. The provider only tells you what the user has agreed to share, which is controlled by the scopes you request. This is how it works:

  • You first register your app with the provider and receive a set of credentials for its OAuth2 system, commonly called a client id and a client secret. The client id is public; the client secret must be kept confidential.
  • When registering, you fill out your app's information such as name, company name, website, address and so on. One of the fields will be a callback URL (also called a redirect URI). This is the endpoint in your app to which the provider redirects the user after they log in. The provider only redirects to URIs you registered, which is what stops an attacker from steering the user's authorization code to a site they control.

After the user logs in and approves, the provider sends a short-lived authorization code to your callback. Your app exchanges that code (together with its client secret) for a token, normally called access_token, which is then sent with every request that retrieves data for the user. Access tokens expire; if the provider also issues a refresh_token, your server can use it to obtain new access tokens without the user logging in again.

For example, a typical OAuth2 session goes as follows:

  • Your app redirects the user's browser to the provider's authorization URL, carrying your client id, the redirect URI, the scopes you want and a random state value.
  • The user logs in at the provider and approves (or declines) the requested scopes.
  • The provider redirects the browser back to your callback URL with a short-lived authorization code and the same state value, which your app checks before going any further.
  • Your server posts the code, together with the client id and client secret, to the provider's token endpoint.
  • The provider answers with an access_token (and often a refresh_token and, for login, an id_token).
  • Your app calls the provider's API with the access_token as a Bearer token to read the user's data.

Every provider implements this ever so slightly differently from the others. Keep an eye on the documentation to see what they need!

Let's try one

Let us implement Google's OAuth2 login as an example. Go ahead and create a project in Google's developer console:

On the left, go to "OAuth Consent Screen" and fill out the details there. For testing, we can leave basically everything blank except for the email and the app name.

In the scopes section, you can select as many scopes as you want (these are the permissions you will request from your users; ask only for what your app actually needs, because every extra scope widens what a leaked token can do). For now, we will use the profile scope for testing:

Next, add your own email address as a testing user and finish the setup!

After completing the consent screen setup, create an OAuth2 client on the project in the Credentials tab:

For now, we will use a local server on port 8088 as the callback URL (Google calls it a redirect URI here). The redirect_uri your app sends later must match this registered value exactly.

This will create a client ID and a client secret:

Save the client secret somewhere no one else can see it: keep it out of source control and load it from an environment variable or a secrets manager. The client ID is embedded in the login URL, so it is not secret, but the client secret is what turns an authorization code into tokens, so anyone who obtains it can impersonate your app.

Now that the app is set up, we can use it to sign a Google user into our app. For this, we will program in Python using Flask, for simplicity.

We can create a simple web server with Flask on localhost port 8088, using the following script as our "app":

First, we must redirect the user to Google for authentication. This is done by generating an authorization URL according to the OAuth2 specification, which a Python OAuth library does easily:

This function returns an authorization URL similar to this one (state is the random value the app must check when Google redirects back; access_type=offline asks Google for a refresh_token and prompt=consent forces the consent screen to be shown): https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=138037670983-5l4jg8utussuo13tvq1im8cn2v0c99rs.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8088&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&state=Xduz6uV1SwvzJ4jxsosn7MkrNlojAJ&prompt=consent&access_type=offline
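Building that URL by hand, as an added example that is not the page's original script and not any library's code: it uses only the Python standard library, generates the state value with `secrets`, and also adds PKCE (RFC 7636), which Google supports and which protects the authorization code even if it leaks from the redirect. The client id and redirect URI passed in are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Google's authorization endpoint, as seen in the URL above.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def new_state():
    """Unguessable per-login value. Store it server-side (in the Flask session)
    before redirecting, and refuse any callback whose `state` does not match:
    that is what stops an attacker from completing a login in the victim's
    browser with a code from the attacker's own account (login CSRF)."""
    return secrets.token_urlsafe(32)


def pkce_challenge(code_verifier):
    """S256 challenge for a PKCE code_verifier (RFC 7636): the unpadded
    base64url encoding of SHA-256(verifier)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """A fresh code_verifier (kept by the app, sent only to the token endpoint)
    and the challenge that goes into the authorization URL. Even if the
    authorization code leaks, it cannot be redeemed without the verifier."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    return verifier, pkce_challenge(verifier)


def build_authorization_url(client_id, redirect_uri, scopes, state,
                            code_challenge, access_type="online", prompt=None):
    """Assemble the URL the user is redirected to. access_type="offline" asks
    Google for a refresh_token as well; prompt="consent" forces the consent
    screen even for users who already approved the app."""
    params = {
        "response_type": "code",          # authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,     # must match the registered redirect URI
        "scope": " ".join(scopes),        # space-separated list of permissions
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": access_type,
    }
    if prompt:
        params["prompt"] = prompt
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    # Placeholder client id; the state and verifier would be saved in the session.
    state = new_state()
    verifier, challenge = new_pkce_pair()
    print(build_authorization_url(
        "YOUR_CLIENT_ID.apps.googleusercontent.com", "http://localhost:8088",
        ["https://www.googleapis.com/auth/userinfo.profile"],
        state, challenge, access_type="offline", prompt="consent"))
```

In the Flask app, the login route would call `new_state()` and `new_pkce_pair()`, put both values in the server-side session, and return a redirect to the URL; the verifier never goes to the browser.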

Going to this URL prompts the user to log in and accept the permissions. After logging in, Google redirects the user to the Flask server at http://localhost:8088 (our redirect URI) with a few query parameters, namely the one-time authorization code (code) and the state value we sent, which the app must compare against the stored one before doing anything else:

This is all the information you need to retrieve what is called an access token from Google for the user. To get the token, we make a POST request from the server to Google's token endpoint, according to their docs, carrying the code, client id, client secret and redirect URI:
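The callback handling and the token request, as an added example (stdlib only, not the page's Flask script and not Google's client library). It checks state in constant time before touching the code, and builds the exchange as a form-encoded POST body the way Google's token endpoint expects; it does not send the request, so it runs offline. The callback URL, client id and secret below are constructed placeholders; `code_verifier` is the PKCE verifier saved in the session when the login started.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


class CallbackError(Exception):
    """Raised when the callback must be rejected; no session is started."""


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the URL Google redirected to, after
    checking `state` against the value stored for this browser session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:  # the user declined, or Google rejected the request
        raise CallbackError("provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this code was not requested
    # by this session, so it is discarded rather than exchanged.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: possible CSRF, callback discarded")
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("callback carried no authorization code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    """The code-for-token exchange: a POST with a form-encoded body (not query
    parameters) made from the server, the only place the client secret should
    ever appear. Returns (url, headers, body) for urllib.request or requests;
    no network call is made here."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,    # the same value used in the auth URL
        "code_verifier": code_verifier,  # PKCE: proves this app started the flow
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return GOOGLE_TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    # Constructed callback request, as the browser would hit the Flask route.
    callback = ("http://localhost:8088/?state=s3cr3t-state&code=4%2F0Aexample"
                "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile")
    code = parse_callback(callback, "s3cr3t-state")
    url, headers, body = build_token_request(
        code, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
        "http://localhost:8088", "verifier-from-session")
    print(url, headers, body.decode(), sep="\n")
```

In Flask, the route registered at the redirect URI would pass `request.url` and `session.pop("oauth_state")` to `parse_callback`, then send the request with `requests.post(url, headers=headers, data=body)` and treat any non-200 answer as a failed login.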

The response object will look like this:

{
  "access_token": "ya29.a0Ael9sCP9uHr_k6QpdKeezmBi--gT8AuEdD3F8zqi8EgzpCwD0HU0bCepxyde0fpud5ev4pnx5fchVoa1bo1CjUli7jlky_p5iHPcgmCMMXS51FueSPv_PTmvrP5udP89n3n3Kb1flfIHSfY18Fp2X40xYSnxaCgYKAVISARESFQF4udJhjKerSxzFbDOgqnd-MA5Oog0163",
  "expires_in": 3599,
  "refresh_token": "1//03zBC4HVy3AgjCgYIARAAGAMSNwF-L9IrPoBvLSJC_-nyVvcOD7hnRgZM5Xu79ATdgFkGCSv_DaPMYqfeJoy9iDzQ9m1TT1p18yY",
  "scope": "https://www.googleapis.com/auth/userinfo.profile",
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFhYWU4ZDdjOTIwNThiNWVlYTQ1Njg5NWJmODkwODQ1NzFlMzA2ZjMiLCJ0eXAiOiJKV1QifQ.[payload omitted].B-BzE-5V8IDJDSN30vNUKJ4AD2L0X0bHAJc1CxvogBqCyN3i2pZdLCcLqa98pgcUzpm6g6EaIys4I-GfVEkaj4nFoxzpeQMvyqmtbgPxMXoeQqb3b7hUwl2xMVFqKgL0J7dSw0m4FQdy14hfLUkuWCxua9dYkhWchIJkXpncmMfNEZINEPQDbrp1TUrU70hMH4650a4IK4Z1soK5JW7d1deD5XIHjSk55B_AD2IH6pd57cI_4qVB4j6FCxBFBviZPu3_RHsHfHsTVDp58oKIwZ28kCEwCX1O8HXLfka-yYhXx-Rg0xh7WJgv68tEcZo3jgjIfkR7XAeO_-Giz8BkBg"
}

That's it! Store this payload server-side (ideally in a database, with the refresh_token encrypted at rest and never sent to the browser), and you can now fetch this user's "profile" data by sending the access_token in an Authorization: Bearer header. Two caveats. First, the access_token is not proof of who the user is: it only proves that someone authorized your client. To identify the user, verify the id_token (signature, issuer, audience and expiry) and key your user record on its sub claim rather than on an email address. Second, the access_token expires after expires_in seconds (an hour here), so use the refresh_token to obtain a new one on the server instead of asking the user to log in again.
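Handling the response above and the id_token checks, as an added example that is not the page's code: `parse_token_response` converts expires_in into an absolute expiry, and `check_id_token_claims` applies the issuer, audience, expiry and sub checks that must pass even after the signature is verified. Signature verification itself needs Google's current public keys (the JWKS at https://www.googleapis.com/oauth2/v3/certs), which this offline example does not fetch; use google-auth's `id_token.verify_oauth2_token` (or another JWT library) for that step. The token built by `make_constructed_id_token` is a constructed test value with a placeholder signature.

```python
import base64
import json
import time

# Both issuer forms appear in Google id_tokens; accept only these.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def parse_token_response(body, now=None):
    """Turn the token endpoint's JSON into what the app stores. expires_in is
    a lifetime in seconds, so it is converted to an absolute time. A
    refresh_token is only present when access_type=offline was requested."""
    now = time.time() if now is None else now
    tokens = json.loads(body)
    if "error" in tokens:
        raise ValueError("token endpoint error: " + str(tokens["error"]))
    if tokens.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {
        "access_token": tokens["access_token"],
        "expires_at": now + int(tokens["expires_in"]),
        "refresh_token": tokens.get("refresh_token"),
        "scope": tokens.get("scope", ""),
        "id_token": tokens.get("id_token"),
    }


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_id_token(id_token):
    """Split a JWT into (header, claims, signature). This only decodes; the
    claims prove nothing until the RS256 signature has been verified against
    Google's current keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header, claims, signature = parts
    return (json.loads(_b64url_decode(header)),
            json.loads(_b64url_decode(claims)),
            _b64url_decode(signature))


def check_id_token_claims(claims, client_id, now=None):
    """Claim checks that must pass even after the signature verifies. Returns
    the list of problems found; an empty list means the identity is usable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is not Google")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud is not this client_id")  # minted for another app
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired")
    if not claims.get("sub"):
        problems.append("missing sub")  # sub, not email, is the stable user id
    return problems


def make_constructed_id_token(claims):
    """CONSTRUCTED test token: the signature segment is a placeholder, so it
    would fail real verification. It exists only to exercise the parsing."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    return header + "." + enc(json.dumps(claims).encode()) + "." + enc(b"not-a-real-signature")
```

A practical consequence of the aud check: an id_token that a user obtained for some other app will decode fine but must be rejected, which is exactly the substitution an attacker tries when a server accepts any valid-looking Google token.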

Other things to note

The example above shows how to authenticate users through Google specifically. Each provider does something slightly different (for example, some require you to POST a JSON object to request the access token rather than form-encoded parameters, and the shape of the token response varies). Generally speaking, though, the flow is always the same, because OAuth2 is an IETF standard (RFC 6749), and if you follow the general steps above, checking state on every callback and keeping the client secret and tokens on the server, you should be able to integrate any OAuth2 provider into your app!
