OAuth 2.0 is a protocol that lets a user grant your app limited access to their data at another service (Google, GitHub, etc.) without giving your app their password. “Login with Google” uses OAuth 2.0 so the user signs in at Google, and Google gives your app a token to act on their behalf (within agreed scopes).
Roles
```mermaid
flowchart LR
RO[Resource Owner\nUser] --> C[Client\nYour App]
C --> AS[Authorization Server\nGoogle/GitHub]
AS --> RS[Resource Server\nGoogle APIs]
C --> RS
```
Authorization Code flow (web “Login with Google”)
```mermaid
sequenceDiagram
participant U as User
participant C as Your App (Client)
participant AS as Auth Server (Google)
participant RS as Resource Server
U->>C: Click "Login with Google"
C->>U: Redirect to Google (client_id, redirect_uri, scope)
U->>AS: Signs in at Google
AS->>U: Redirect back with ?code=...
U->>C: Browser hits your redirect_uri?code=...
C->>AS: POST token endpoint (code, client_secret)
AS-->>C: access_token (+ optional refresh_token)
C->>RS: API call with access_token
RS-->>C: User profile / data
C->>U: Logged in
```
Key concepts
Authorization code — Short-lived, single-use code that passes through the browser and is exchanged for tokens; the client_secret only appears in the server-to-server exchange with the token endpoint, never in the redirect.
Access token — Used to call the provider’s API (e.g. get the user’s email). Short-lived.
Refresh token — Used to get new access tokens without asking the user to log in again (only if the provider granted one).
For “Login with Google/GitHub,” you use the Authorization Code flow (with PKCE for public clients like SPAs). The provider’s Authorization Server issues tokens; you use the access token to fetch user info and create or match a user in your system.
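The client side of the Authorization Code flow with PKCE, as an added example that is not part of the original note: it derives the S256 code challenge, builds the redirect to the provider, validates the callback (state check) and assembles the token request. Endpoint URLs, client_id and redirect_uri are placeholders; the PKCE verifier in the comment is the RFC 7636 test vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    # Base64url without '=' padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: str = "") -> tuple:
    # S256: challenge = BASE64URL(SHA256(verifier)). With no verifier given,
    # a fresh 43-character one is generated (e.g. the RFC 7636 example
    # "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" hashes to
    # "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM").
    if not verifier:
        verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(auth_endpoint, client_id, redirect_uri, scope, state, challenge) -> str:
    # "Redirect to Google" step: only public values travel through the browser.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,            # bound to the user's session before redirecting
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    # "Browser hits your redirect_uri?code=..." step: accept the code only if the
    # state matches what this session issued; otherwise the callback is not ours.
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code, redirect_uri, client_id, code_verifier) -> dict:
    # "POST token endpoint" step, sent server-to-server (never via the browser).
    # A confidential client adds client_secret here; a public client relies on
    # code_verifier, which the server checks against the earlier challenge.
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": code_verifier}
```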