How the “Log in with Google” Actually Works

By: Aarjit

Published
2 min read

I know for a fact you’ve gone to some website, and you were too lazy to make and remember a username and password, so you just hit that “Log in with Google” or “Sign up with Google” button, and boom, you’re already logged in/created an account.

But what’s actually happening behind the scenes? How does the app know it's you without you just handing over your Google password?

The system running the show is called OAuth (it stands for Open Authorization). Strictly speaking, “Log in with Google” uses OpenID Connect, a thin identity layer bolted on top of OAuth 2.0, but all the moving parts below are OAuth's, so that's what I'll call it.

Think of OAuth like a valet key for your car (I’ve never really seen these outside of movies, but the analogy still stands). A valet key lets the driver park your car, but it doesn't let them open the locked glovebox or the trunk. You’re giving limited access to someone without handing over the actual main keys.

Here is the quick play-by-play of what happens when you click that button:

Who This?: You click "Log in with Google." The app basically says, "I don't know who this guy is, let's ask Google." It then redirects your browser to Google's own login page (accounts.google.com), not to a page the app controls, and tacks onto that URL a list of what it wants (called scopes) plus a random one-time value (called state) so it can later tell its own login attempt apart from a forged one.

This Good?: Google asks you, "Hey, this new app wants to see your email address and basic profile info. Is that okay?"

Haha You Can’t Hack Me: When you click "Allow," Google doesn't give the app your password. Instead, it creates a secure, temporary digital ticket called an Access Token. The token is limited to the scopes the app asked for and you approved (just email and basic profile, say, or calendar access if the app requested and you allowed it); the developer picks those scopes when building the auth flow, and Google won't honor anything outside them. For sign-in, Google also hands over an ID Token, a signed statement saying "this is user X," which is what actually answers the "who is this?" question.

You’re Free to Go, Sir: Google sends you back to the app, but with a short-lived, single-use authorization code in the URL, not the token itself. The app first checks that the state value matches the one it sent (otherwise it throws the whole thing away), then its server trades that code with Google's token endpoint (proving its own identity with a client secret) for the tokens. It then shows the access token to Google's userinfo endpoint, and Google hands over just your name and email (or whatever else you granted).
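Here is that play-by-play written out as the app's side of the flow. This is an added example, not code from the original post: it builds the redirect to Google, checks the callback, and prepares the code-for-token exchange and the userinfo call, using the OAuth 2.0 / OpenID Connect authorization code flow with PKCE. The three Google endpoint URLs are Google's documented ones; the client_id, redirect URI, authorization code and access token are constructed for illustration, and nothing is sent over the network.

```python
"""Added example: the "Log in with Google" round trip as the app sees it.

Endpoint URLs are Google's documented ones. The client id, redirect URI,
authorization code and access token below are constructed for illustration;
no requests are actually sent.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
USERINFO_ENDPOINT = "https://openidconnect.googleapis.com/v1/userinfo"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """Flatten a URL's query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Step 1 ("Who This?"): the URL the app redirects the browser to.

    The app keeps a random state (anti-CSRF) and a PKCE verifier in the user's
    server-side session so it can check the callback and prove it started this login.
    """
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43-128 range
    params = {
        "response_type": "code",          # ask for a one-time code, never a token in the URL
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",  # the "valet key": identity, email, basic profile only
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4a: Google redirects the browser back with ?code=...&state=...

    Returns the authorization code, or raises if Google reported an error or the
    state is not the one this session issued (a forged or replayed callback).
    """
    query = query_params(callback_url)
    if "error" in query:
        raise PermissionError(f"Google refused: {query['error']}")
    expected = session.pop("oauth_state", None)
    if expected is None or not secrets.compare_digest(query.get("state", ""), expected):
        raise PermissionError("state mismatch: possible CSRF or stale login")
    return query["code"]


def token_request(session: dict, code: str, client_id: str,
                  client_secret: str, redirect_uri: str) -> dict:
    """Step 4b: the form body the app's server POSTs to TOKEN_ENDPOINT to swap the
    code for tokens. The browser never sees client_secret or the PKCE verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must be identical to the one used in step 1
        "code_verifier": session.pop("pkce_verifier"),
    }


def userinfo_request(access_token: str) -> dict:
    """Step 4c: the access token rides in the Authorization header of a GET to
    USERINFO_ENDPOINT; Google answers with name/email for the granted scopes."""
    return {"url": USERINFO_ENDPOINT, "headers": {"Authorization": f"Bearer {access_token}"}}


def demo() -> dict:
    """Walk the whole flow offline with constructed Google responses."""
    client_id = "123456789-constructed.apps.googleusercontent.com"  # constructed, not a real client
    redirect_uri = "https://app.example/oauth/callback"
    session = {}
    login_url = start_login(session, client_id, redirect_uri)
    state = query_params(login_url)["state"]
    # Constructed callback, as if Google had redirected the browser back to us:
    genuine = f"{redirect_uri}?code=constructed-code-123&state={state}"
    code = handle_callback(dict(session), genuine)
    # Same code, but with a state this session never issued (a forged link):
    try:
        handle_callback(dict(session), f"{redirect_uri}?code=constructed-code-123&state=forged")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    body = token_request(session, code, client_id, "constructed-client-secret", redirect_uri)
    return {"login_url": login_url, "code": code, "forged_rejected": forged_rejected,
            "token_body": body, "userinfo": userinfo_request("ya29.constructed-access-token")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks worth noticing are the `state` comparison (without it, an attacker can log you into *their* Google account on the app by sending you a crafted callback link) and the fact that the browser only ever carries a one-time code, while the token exchange happens server to server with the client secret and PKCE verifier that never left the app.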

That’s pretty much it. The app gets exactly what it needs to create your account, and your password stays (relatively) safely locked away at Google.

The best part is that if you ever decide you don't trust the app anymore, you can go into your Google settings and revoke its access. Google stops honoring the app's tokens and won't issue it new ones, so it can no longer pull your data from Google. One caveat: revoking only closes the door going forward. Whatever the app already copied (your name, your email, anything else you granted) is still sitting in the app's own database.

So next time you skip creating a new password, you can thank OAuth.