SSO & OAuth
You clicked "Sign in with Google." Five redirects, one authorization code, a token exchange, and a signed JWT later, BlogApp knows you are you. Without ever seeing your password. Watch it happen, step by step.
Scenario
HTTP exchange
ID Token decoded
Signed JWT from accounts.google.com
Three base64url pieces, separated by dots, signed with Google's RS256 key
What just happened
Nerd tip
PKCE killed the client secret for SPAs and mobile. A single-page app running in the browser has nowhere safe to store a client secret. Someone can always open DevTools and read the source. PKCE (Proof Key for Code Exchange, RFC 7636) replaced the secret with a one-time code_verifier: a random string the app generates, hashes into a code_challenge, sends the challenge with the auth request, then sends the plaintext verifier when exchanging the code for tokens. The IdP checks the hash matches. If an attacker intercepts the code, they do not have the verifier, so they cannot redeem it.
Nerd tip
OAuth is authorization. OIDC is authentication. OAuth 2.0 alone answers "can this app call the Google Calendar API on your behalf?" It does not answer "who is the user?" OIDC is a thin layer that adds exactly that: a standardized ID Token (JWT) with iss, sub, aud, and optional profile claims. When you click "Sign in with Google" you are using OIDC, not raw OAuth. People say OAuth but almost always mean OIDC.
Nerd tip
The state parameter prevents CSRF. Before redirecting you to Google, the app generates a random state and stores it in your session. Google echoes it back in the callback URL. The app checks the callback's state matches the stored one. Without this, an attacker could craft a malicious callback link and make your browser complete their login instead of yours. Missing state validation is one of the most common OAuth CVEs of the last decade.