GCP Login Flow

The GCP login endpoint initiates an OAuth 2.0 authorization flow with Google accounts. Upon successful authentication, the user is redirected to the dashboard with an active session containing GCP account details and access tokens.

Authentication Endpoint

Response

Redirects to Google OAuth authorization page with the following parameters:

Query Parameters (Auto-generated)

client_id (string, required): Google OAuth client ID from environment configuration
redirect_uri (string, required): Callback URL configured in environment: GOOGLE_REDIRECT_URI
response_type (string, required): Always “code” for authorization code flow
scope (string, required): Requested permissions:
  • openid - OpenID Connect authentication
  • email - User’s email address
  • profile - User’s basic profile info
  • https://www.googleapis.com/auth/cloud-platform - Full GCP access
access_type (string, required): Set to “offline” to receive refresh token
prompt (string, required): Set to “consent select_account” to force account selection and consent screen
Example redirect URL:
https://accounts.google.com/o/oauth2/v2/auth?
  client_id={client_id}
  &redirect_uri={redirect_uri}
  &response_type=code
  &scope=openid%20email%20profile%20https://www.googleapis.com/auth/cloud-platform
  &access_type=offline
  &prompt=consent%20select_account

Callback Endpoint

Query Parameters

code (string, required): Authorization code returned by Google OAuth

Response

Redirects to http://localhost:3000/dashboard after successful authentication.

Token Exchange Request

POST to https://oauth2.googleapis.com/token:
code (string, required): Authorization code from callback
client_id (string, required): Google OAuth client ID
client_secret (string, required): Google OAuth client secret
redirect_uri (string, required): Same redirect URI used in authorization request
grant_type (string, required): Always “authorization_code”

Session Data Created

user (object): Contains verified ID token information
  email (string): User’s Google email address
  name (string): User’s full name from Google profile
  sub (string): User’s unique Google subject identifier
  picture (string): URL to user’s profile picture
access_token (string): Google Cloud Platform access token for API calls
accounts (array): Array of connected cloud provider accounts
  provider (string): Always “gcp” for Google Cloud accounts
  email (string): User’s Google email (unique identifier)
  displayName (string): User’s display name from Google profile
  access_token (string): GCP API access token
  refresh_token (string): Refresh token for obtaining new access tokens (only provided on first authorization)

Error Responses

401 Unauthorized - Missing Code
{
  "error": "Brak kodu autoryzacyjnego Google w odpowiedzi"
}
500 Internal Server Error - Token Exchange Failed
{
  "error": "Błąd wymiany kodu na token",
  "details": {
    "error": "invalid_grant",
    "error_description": "Bad Request"
  }
}
401 Unauthorized - Token Verification Failed
{
  "error": "Błąd weryfikacji tokenu ID",
  "details": "Token verification error message"
}

Authentication Flow Details

Step 1: Initiate Login

User navigates to /api/login/google, which redirects to Google OAuth authorization endpoint.

Step 2: User Authenticates

User selects Google account and grants permissions for:
  • OpenID authentication
  • Email and profile access
  • Full Google Cloud Platform access

Step 3: Callback Processing

Google redirects back to /google/callback with the authorization code:
  1. Exchange code for tokens via POST to Google’s token endpoint (TOKEN_URI is https://oauth2.googleapis.com/token):
    token_res = http_requests.post(TOKEN_URI, data={
        "code": code,                          # authorization code from the callback
        "client_id": GOOGLE_CLIENT_ID,
        "client_secret": GOOGLE_CLIENT_SECRET,
        "redirect_uri": GOOGLE_REDIRECT_URI,   # must match the authorization request
        "grant_type": "authorization_code"
    })

  2. Verify ID token using Google’s verification library (id_token_str is the id_token field of the token response):
    idinfo = id_token.verify_oauth2_token(
        id_token_str,
        google_requests.Request(),    # fetches Google's signing certificates
        GOOGLE_CLIENT_ID,             # expected audience (aud claim)
        clock_skew_in_seconds=10      # tolerance for iat/exp checks
    )
    
  3. Store user info and tokens in session
  4. Create GCP account object with email, display name, and tokens
  5. Update session accounts:
    • If account with same email exists, replace it (update tokens)
    • Otherwise, append new account to list
  6. Redirect to dashboard at http://localhost:3000/dashboard

Account Management

The GCP authentication automatically manages accounts in the session:
Duplicate Prevention: If a GCP account with the same email already exists, it will be updated with new tokens instead of creating a duplicate entry.
Token Refresh: Access tokens expire after 1 hour. The refresh token can be used to obtain new access tokens without requiring the user to re-authenticate.
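Steps 3 to 5 above and the Account Management rules, as an added Python example that is not the project's code: it builds the account object from the verified idinfo claims and the token response, then upserts it into the session's accounts list keyed by email. It goes one step beyond the page's description: because Google returns refresh_token only on first authorization, the replacement keeps the stored refresh token when the new response lacks one. The dict shapes, the displayName fallback and the sample values are assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class GcpAccount:
    provider: str                  # always "gcp" for Google Cloud accounts
    email: str                     # unique identifier within the session
    displayName: str
    access_token: str
    refresh_token: Optional[str]   # None when Google omits it (re-authorization)


def build_gcp_account(idinfo: dict, token_res: dict) -> GcpAccount:
    # Step 4: assemble the account from verified ID token claims plus the
    # token endpoint response. Input shapes are assumed, not the page's code.
    return GcpAccount(
        provider="gcp",
        email=idinfo["email"],
        displayName=idinfo.get("name", idinfo["email"]),  # assumed fallback
        access_token=token_res["access_token"],
        refresh_token=token_res.get("refresh_token"),     # only on first consent
    )


def upsert_gcp_account(accounts: list, account: GcpAccount) -> list:
    # Step 5: replace the entry with the same provider and email, else append.
    # Added behaviour: if the new response has no refresh_token, keep the stored
    # one, so a repeat login does not lose the ability to refresh access tokens.
    entry = asdict(account)
    for i, existing in enumerate(accounts):
        if existing["provider"] == "gcp" and existing["email"] == account.email:
            if entry["refresh_token"] is None:
                entry["refresh_token"] = existing.get("refresh_token")
            accounts[i] = entry
            return accounts
    accounts.append(entry)
    return accounts


def demo_two_logins() -> list:
    # Constructed sample data: a first login (with refresh_token) followed by a
    # re-login where Google returns only a fresh access_token.
    idinfo = {"sub": "1234567890", "email": "dev@example.com", "name": "Dev User"}
    first = {"access_token": "ya29.first", "refresh_token": "1//refresh-token"}
    second = {"access_token": "ya29.second"}
    session_accounts = []
    upsert_gcp_account(session_accounts, build_gcp_account(idinfo, first))
    upsert_gcp_account(session_accounts, build_gcp_account(idinfo, second))
    return session_accounts
```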

Environment Configuration

The following environment variables must be configured:
GOOGLE_CLIENT_ID (string, required): Google OAuth 2.0 client ID from Google Cloud Console
GOOGLE_CLIENT_SECRET (string, required): Google OAuth 2.0 client secret
GOOGLE_REDIRECT_URI (string, required): OAuth callback URL (e.g., http://localhost:5000/google/callback)

Code Reference

Implementation in backend/auth/gcp_auth.py:15-84

Token Exchange:
# Imports assumed by these snippets: `requests` (aliased http_requests) and
# google-auth's id_token helper with its transport adapter.
import requests as http_requests
from google.oauth2 import id_token
from google.auth.transport import requests as google_requests

TOKEN_URI = "https://oauth2.googleapis.com/token"

token_res = http_requests.post(TOKEN_URI, data={
    "code": code,                          # authorization code from the callback
    "client_id": GOOGLE_CLIENT_ID,
    "client_secret": GOOGLE_CLIENT_SECRET,
    "redirect_uri": GOOGLE_REDIRECT_URI,   # must match the authorization request
    "grant_type": "authorization_code"
})
ID Token Verification:
# id_token_str is the "id_token" field of the token endpoint response
idinfo = id_token.verify_oauth2_token(
    id_token_str,
    google_requests.Request(),    # fetches Google's signing certificates
    GOOGLE_CLIENT_ID,             # expected audience (aud claim)
    clock_skew_in_seconds=10      # tolerance for iat/exp checks
)
