in this scenario thus would be http://googleapis.com/oau-
2. You enter your username and password on Google's login page. You are then asked whether
you will grant CNN access to your personal information.
3. If you say yes, Google generates an access code (the authorization code, in OAuth 2.0 terms)
and remembers the client_id and redirect_uri that were sent in the original browser redirect.
4. Google redirects back to CNN.com using the redirect_uri sent in CNN's initial redirect.
The redirect URL contains the original state parameter you forwarded, along with a code
parameter that carries the access code: http://cnn.com/
5. With this redirection, CNN also gets the value of the special cookie it set in step 1. It
compares the value of this cookie with the state query parameter to see if they match. It
does this check to make sure that it initiated the request and not some rogue
6. The CNN server then extracts the code query parameter from the redirect URL. In a
separate, authenticated HTTP request to Google (a back-channel request the browser never
sees), it posts this access code. Google authenticates that CNN is the client sending the
request and looks up the access code. If everything matches up, it sends back an access
token in the HTTP response; the access code is single use and cannot be exchanged again.
7. CNN can now make HTTP requests to other Google services to obtain the information it
wants. It does this by passing the token in an Authorization header with a value of
Bearer followed by the access token. For example:
GET /contacts?user=billburke HTTP/1.1
Host: contacts.google.com
Authorization: Bearer 2a2345234236122342341bc234123612341234123412adf
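The exchange in steps 2 through 7, as an added example that is not code from the book or from Keycloak: both parties run in-process (no network), with Google's side issuing codes bound to client_id and redirect_uri and CNN's side enforcing the state-versus-cookie check before it ever exchanges a code. The authorization endpoint URL, the client_id "cnn", its secret, the callback URL and the user "mallory" are made-up values for the demo; "billburke" and contacts.google.com come from the request above.

```python
# Added example (not the book's code): an offline simulation of the authorization-code
# exchange in steps 2-7. All URLs, the client_id "cnn" and its secret are assumed values.
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://googleapis.com/oauth"   # assumed; stands in for the truncated URL above


class AuthorizationServer:
    """Google's side: ties each code to client_id and redirect_uri, then swaps it for a token."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # code -> (client_id, redirect_uri, user)

    def authorize(self, client_id, redirect_uri, state, user, consent=True):
        # Steps 2-4: the user has logged in; on consent, mint a code, remember which client
        # and redirect_uri it belongs to, and redirect back carrying the original state.
        _, registered = self.clients[client_id]
        if redirect_uri != registered:
            raise ValueError("redirect_uri does not match the registered one")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user)
        return redirect_uri + "?" + urlencode({"state": state, "code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 6, server side: authenticate the client, then look up the code. The code is
        # single use and must come back from the client and redirect_uri it was issued to.
        registered_secret, _ = self.clients.get(client_id, (None, None))
        if registered_secret is None or not hmac.compare_digest(registered_secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_hex(24), "token_type": "Bearer", "user": entry[2]}


class Client:
    """CNN's side: starts the flow, validates the callback, exchanges the code, calls the API."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server

    def start_login(self):
        # Step 1: pick an unguessable state, keep it in a cookie, and send the browser to
        # the authorization endpoint with client_id, redirect_uri and that state.
        state = secrets.token_urlsafe(16)
        url = AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})
        return state, url   # state is the cookie value; url is the browser redirect

    def callback(self, cookie_state, redirect_url):
        # Step 5: the state in the URL must equal the cookie we set, or this redirect belongs
        # to a flow we did not start (e.g. an attacker's code planted in the victim's session).
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if cookie_state is None or not hmac.compare_digest(cookie_state, params.get("state", "")):
            raise PermissionError("state mismatch")
        if "error" in params:
            raise PermissionError(params["error"])
        # Step 6, client side: back-channel exchange of the code for an access token.
        tok = self.server.token(self.client_id, self.client_secret, params["code"], self.redirect_uri)
        return tok["access_token"]

    def api_request(self, access_token, user):
        # Step 7: the bearer token travels in the Authorization header of the resource request.
        return (f"GET /contacts?user={user} HTTP/1.1\r\n"
                "Host: contacts.google.com\r\n"
                f"Authorization: Bearer {access_token}\r\n\r\n")


def run_flow(consent=True):
    """Drive the whole exchange once and return the pieces worth inspecting."""
    server = AuthorizationServer({"cnn": ("cnn-secret", "https://cnn.com/oauth/callback")})
    client = Client("cnn", "cnn-secret", "https://cnn.com/oauth/callback", server)
    cookie_state, authz_url = client.start_login()
    q = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
    # The browser carries the user to the authorization server, which redirects back to CNN.
    redirect_url = server.authorize(q["client_id"], q["redirect_uri"], q["state"], "billburke", consent)
    token = client.callback(cookie_state, redirect_url)
    return {"server": server, "client": client, "cookie_state": cookie_state,
            "redirect_url": redirect_url, "token": token,
            "request": client.api_request(token, "billburke")}


if __name__ == "__main__":
    print(run_flow()["request"])
```

The two checks that matter for security are the ones that fail closed: a callback whose state does not equal the cookie is rejected before any code is exchanged, and the token endpoint refuses a reused code, a wrong client secret, or a redirect_uri other than the one the code was issued for.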
In reality, sites like Google, Facebook, and Twitter don't implement this protocol exactly as
described. Each puts its own spin on it and implements it a little differently. The same is
true of OAuth libraries: while their core follows the protocol, each has many custom attributes.
This is because the OAuth 2.0 specification (RFC 6749) describes itself as an authorization
framework rather than a protocol set in stone. It leaves out details like how a user or OAuth
client authenticates or what additional parameters must be sent. So using OAuth may take a
fair amount of integration work on your part.
There are many different Java frameworks out there that can help you turn your applications
into OAuth providers or help you integrate with servers that support OAuth authentication.
This is where I make my own personal plug. In 2013, I started a new project at Red Hat
called Keycloak. It is a complete end-to-end solution for OAuth and SSO. It can also act as a
social broker with social media sites like Google and Facebook to make leveraging social