I’m having trouble understanding OAuth2 conceptually. I’ve read about the whole handshake process a hundred times. I can log in to my app using a Google account, but once that’s done, I need to access Google’s API (read data from a Google Spreadsheet on that same account that I logged into, and for which I included spreadsheets in the :scope as per the strategy readme).
Currently, I’m using Omniauth and the omniauth-google-oauth2 strategy; this works great; it pulls up Google’s authentication/login screen, and when I get back to my callback link, I’m storing [omniauth][credentials][token].
What is the best way to then use that token to do API work with Google Docs?
Is this the right approach?
I think of OAuth2 as a “way to get the user’s password to confirm their existence on my site”.
So instead of your User model having a password column, in essence, it uses Google to say “this guy is cool”.
Now, what does that have to do with API calls, you wonder… me too.
If I recall, there is a refresh token that lasts for more than the 20 ms of authentication and will allow you to access their Google Docs, if Google’s API allows you to do that.
Having said all that, if Google needs their token, plus your API token, to access their spreadsheet, I’d stick it into the session.
But if their API said to stick spreadsheet in the scope, then it must say something about how to use it all together too, no?
More Edits
Google Spreadsheets OAuth 2.0 authentication piece is here, with a flow. Notice the part about refresh tokens. I’d look into that.
It says to store it somewhere, for which I’d choose the session, or if you are totally paranoid a DB column somewhere, but not sure if that is right either. Just spitballing here.
Final Edit
Turns out even the people helping out with OAuth 2.0 don’t agree/get it conceptually either.
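Putting the stored omniauth credentials to use on an API call, as an added example that is not part of the question, the answer, or the omniauth-google-oauth2 gem: it keeps the credentials hash server-side, sends the access token as a Bearer token on each request, and uses the refresh token once the access token expires. The Google token endpoint, the Sheets v4 values endpoint, and the client_id/client_secret values are assumptions; the injectable :http argument lets the transport be stubbed.

```ruby
require "json"
require "net/http"
# Added example, not code from the question or from omniauth-google-oauth2: keep
# the credentials hash server-side, send the access token as a Bearer token on
# each Google API call, and use the refresh token when it expires. Endpoint
# URLs are assumed; :http is injectable so the example can run offline.
class GoogleSession
  TOKEN_URL  = "https://oauth2.googleapis.com/token"
  SHEETS_URL = "https://sheets.googleapis.com/v4/spreadsheets"
  # creds = request.env["omniauth.auth"]["credentials"] (token, refresh_token,
  # expires_at); refresh_token is only present when offline access was granted.
  def initialize(creds, client_id:, client_secret:, http: method(:default_http), now: -> { Time.now.to_i })
    @token, @refresh_token, @expires_at = creds["token"], creds["refresh_token"], creds["expires_at"].to_i
    @client_id, @client_secret, @http, @now = client_id, client_secret, http, now
  end

  # Treat the token as expired 60 s early so an in-flight request cannot race expiry.
  def expired?
    @expires_at - 60 <= @now.call
  end

  # Exchange the long-lived refresh token for a new short-lived access token.
  def refresh!
    raise "no refresh token stored; re-run the consent flow" unless @refresh_token
    body = @http.call(:post, TOKEN_URL, { "grant_type" => "refresh_token",
      "refresh_token" => @refresh_token, "client_id" => @client_id, "client_secret" => @client_secret })
    raise "token refresh failed: #{body["error"]}" unless body["access_token"]
    @expires_at = @now.call + body["expires_in"].to_i
    @token = body["access_token"]
  end

  # Header every API call carries; refreshes first when needed.
  def auth_header
    refresh! if expired?
    { "Authorization" => "Bearer #{@token}" }
  end

  # Read a cell range, e.g. sheet_values(id, "Sheet1!A1:B2") => [["a", "b"], ...]
  def sheet_values(spreadsheet_id, range)
    url = "#{SHEETS_URL}/#{spreadsheet_id}/values/#{URI.encode_www_form_component(range)}"
    @http.call(:get, url, nil, auth_header)["values"]
  end

  # Real transport: form-encoded POST or plain GET over TLS, JSON body back.
  def default_http(verb, url, form, headers = {})
    uri = URI(url)
    req = verb == :post ? Net::HTTP::Post.new(uri) : Net::HTTP::Get.new(uri)
    headers.each { |k, v| req[k] = v }
    req.set_form_data(form) if form
    JSON.parse(Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }.body)
  end
end
```

The credentials hash should live in a server-side store (a DB row or server-side session), since the refresh token is as sensitive as a password for the granted scopes.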