Google has a huge user base and hence it provides an authentication service for third party service to integrate with them so that people can sign in with Google in their services. Google also adopts OAuth 2 to provide this kind of Open ID connect service.
This post will introduce how to integrate with sign in with Google functionality in your PHP website.
Create a client app on Google
The first step you should follow is to create a Google app, you can follow the post here to create the project. Once the project is created, you will get a client id and client secret, these will be used later to get the access token to access the profile information.
In this step, you will also be asked to enter the redirect url so that Google knows where to redirect for further operations. This redirect url should be the page you handle the logic to get the access token and profile information.
Create the PHP redirect page
Since you have provided the redirect url in above step, now you need to create such a page on your server. This page will be used to get the access token and user profile information once the authentication and authorization is done.
Let's assume the page is named signin_google.php. So the redirect url you should put in above step would be [you_host_name]/sigin_google.php.
Add logic for getting the user authentication popup
Create two constants to store the client id and client secret.
define('CLIENT_ID','xxxxxxx.apps.googleusercontent.com');
define('CLIENT_SECRET','xxxxxxxxxxxx');Next construct the Google user authentication page so that the user can be redirected to Google to authenticate himself. But before redirection, you need to check whether the user is already authenticated.
if(!isset($_REQUEST["code"])||empty($_REQUEST["code"])) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialogUrl = "https://accounts.google.com/o/oauth2/v2/auth?client_id="
.CLIENT_ID. "&redirect_uri=" . $redirectURL . "&state="
. $_SESSION['state'] ."&response_type=code&scope=openid%20email%20profile";
echo("");
}This redirection URL will tell Google that you want the user to authenticate and also your app wants to access the email and profile information(defined in scope parameter).
Get access token and user information
Once Google has done the authentication and authorization, it will redirect to the redirect URL specified in the first step which is signin_google.php, now you can use the code returned by Google and your client secret to access the user data.
if(isset($_SESSION['state'])&&isset($_REQUEST['state'])&&($_SESSION['state'] === $_REQUEST['state'])) {
$code = $_REQUEST["code"];
if(!isset($_SESSION['access_token'])){
//Exchange for access token
$tokenUrl = "https://www.googleapis.com/oauth2/v4/token";
$requestBody = [
'client_id' => CLIENT_ID,
'client_secret' => CLIENT_SECRET,
'redirect_uri' => urlencode($redirectURL),
'code' => $code,
'grant_type' => "authorization_code"
];
$response = CURL::post($tokenUrl, $requestBody, array(
"Accept: application/json",
"Content-Type: application/x-www-form-urlencoded"
));
$responseObj = json_decode($response);
$idTokenStr = $responseObj->id_token;
$idTokens = explode(".", $idTokenStr);
$idTokenObj = std::class;
if(count($idTokens) > 2){
$idToken = base64_decode($idTokens[1]);
$idTokenObj = json_decode($idToken);
}
$_SESSION['access_token'] = $responseObj->access_token;
$_SESSION['id_token'] = $idTokenObj;
}
}Basically this step is to send a POST request to Google to retrieve the user data, among the response, there will be a field called id_token, this token is a JWT token and its payload contains the user name, email, picture etc. So you can easily retrieve user information and store them in your system.
The JWT token is a . delimited string which contains three segments(base64 encoded) in general: header, payload and signature. Normally you should validate this id_token before use it, but if you think you really trust it, you can just use its payload directly without validating the token.
Once the data is retrieved and stored in your system, you can create a login session for this user and s/he can start to navigate through your website as a normal registered user. The sign in with Google process is completed.
The complete code example may look like:
//Define app key and app secret
define('CLIENT_ID','xxxxx.apps.googleusercontent.com');
define('CLIENT_SECRET','xxxxxxxxxxxxxx');
//Define callback URL
$redirectURL = 'https://'.$_SERVER["HTTP_HOST"].$_SERVER["PHP_SELF"];
$apiHost = 'https://accounts.google.com/o';
//Start the oauth process
if(!isset($_REQUEST["code"])||empty($_REQUEST["code"])) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialogUrl = $apiHost."/oauth2/v2/auth?client_id="
.CLIENT_ID. "&redirect_uri=" . $redirectURL. "&state="
. $_SESSION['state'] ."&response_type=code&scope=openid%20email%20profile";
echo("");
}else{
if(isset($_SESSION['state'])&&isset($_REQUEST['state'])&&($_SESSION['state'] === $_REQUEST['state'])) {
$code = $_REQUEST["code"];
if(!isset($_SESSION['access_token'])){
//Exchange for access token
$tokenUrl = "https://www.googleapis.com/oauth2/v4/token";
$requestBody = [
'client_id' => CLIENT_ID,
'client_secret' => CLIENT_SECRET,
'redirect_uri' => urlencode($redirectURL),
'code' => $code,
'grant_type' => "authorization_code"
];
$response = CURL::post($tokenUrl, $requestBody, array(
"Accept: application/json",
"Content-Type: application/x-www-form-urlencoded"
));
$responseObj = json_decode($response);
$idTokenStr = $responseObj->id_token;
$idTokens = explode(".", $idTokenStr);
$idTokenObj = std::class;
if(count($idTokens) > 2){
$idToken = base64_decode($idTokens[1]);
$idTokenObj = json_decode($idToken);
}
$_SESSION['access_token'] = $responseObj->access_token;
$_SESSION['id_token'] = $idTokenObj;
}
$userObj = $_SESSION["id_token"];
// process userObj and store the info in database and create user session
// and redirect user to homepage
}Hope this helps you who want to integrate with Google in your websites.
