3-legged OAuth in Google Workspace

One-time per application
1. User wants to access web application.
2. Web application redirects user to a Google page asking the user to give access to the application.
3. User tells Google they give the web application access to their Google Workspace data (like contacts or Google Calendar events).
4. Google sends web application an authorization code.
5. The web app sends the authorization code and client credentials to Google and receives a new token.
6. Google records this web app has access by the token issued. The admin or user can later revoke this token. As well, when the user's password is changed, this token will be revoked automatically.

Ongoing
User: OAuth requires no further information from user.
Note: User or admin can revoke authorization to web app at any time.
7. Web application requests access to user's data and presents token as authorization. If token is expired, the web app requests Google to refresh its token.
8. Google checks the token for authenticity. If it checks out, Google returns the data.

2-legged OAuth

One-time set up
1. Admin installs web application and gives it 2-legged OAth access. This defines the scope of what user data the web app can access for the domain (like contacts or Google Calendar events).
2. The web application authenticates to Google and is issued an access token by Google.

Ongoing (each time the application needs to access Google Workspace data)
3. Web app sends authentication token to Google, requesting the user's data (like contacts or Google Calendar events).
4. Google checks if application has access to the requested data for that user. If the application has access, Google makes any requested updates and returns requested data.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
14330538726822130039
true
Search Help Center
true
true
true
true
true
73010
false
false