I'm getting started using OAuth 2.0 with Google for authentication. I'm using Google's Using OAuth 2.0 for Login document, and everything is working great. I have a question about the verified_email field. It is documented like this:
verified_email : A flag that indicates whether or not Google has been able to verify the email address.
But what does that mean, exactly? Is it considered best practice to make sure the email is verified when authenticating in this way, or is the fact that we've gotten back a response with the correct email proof enough that the user is the owner of said email account?
OAuth 2.0 (commonly expanded as "Open Authorization") is a standard that lets a website or application access resources hosted by another web application on behalf of a user. It superseded OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
With OAuth 2.0 the application can access the user's data without the user's credentials ever being disclosed to the application: the resource API grants access only when it receives a valid access token from the application.
In short, OAuth is an authorization protocol that provides delegated access to a protected resource using tokens instead of passwords.
It means different things depending on whether the mail is hosted by Google or not.
- If the user has an email address @gmail.com or @hosted-example.com, where hosted-example.com is a domain using Google Apps (in particular hosted Gmail), then Google accounts also implement access control/login to the email account. In this case, the verified_email bit is always 'true', but in fact the guarantee is stronger than "Google has been able to verify the email address".
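The practical consequence of the flag for a relying party is what it may do with the email address: link or merge local accounts by email only when Google vouches for it, and otherwise fall back to Google's stable user id. The following is an added example, not code from the question, the answer, or Google; it assumes the JSON shape of Google's userinfo v2 response (fields "id", "email", "verified_email") and uses a plain dict as a hypothetical stand-in for the relying party's user table.

```python
"""Gate email-based account linking on Google's verified_email flag.

Added example (not from the original post). Assumes Google's userinfo v2
response shape: "id", "email", "verified_email". The `users` dict is a
hypothetical stand-in for a relying party's user database.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses, shaped like Google's userinfo v2 JSON.
VERIFIED_RESPONSE = {
    "id": "110248495921238986420",
    "email": "alice@example.com",
    "verified_email": True,
    "name": "Alice",
}
UNVERIFIED_RESPONSE = {
    "id": "110248495921238986421",
    "email": "victim@other-example.com",
    "verified_email": False,
    "name": "Mallory",
}


@dataclass
class LinkDecision:
    action: str             # "existing", "created" or "rejected"
    user_key: Optional[str]  # key of the local user record, if any
    reason: str


def decide_link(userinfo: dict, users: dict) -> LinkDecision:
    """Map a Google login onto a local user record.

    `users` maps a local key to a record dict. Lookup order:
      1. by Google id (stable identifier, independent of email changes),
      2. by email, but only when verified_email is exactly True,
      3. otherwise create a fresh record keyed by Google id with the
         address stored as unverified.
    """
    google_id = userinfo.get("id")
    if not isinstance(google_id, str) or not google_id:
        return LinkDecision("rejected", None, "no stable Google id in response")

    # A returning user matches on Google id regardless of what email says.
    for key, record in users.items():
        if record.get("google_id") == google_id:
            return LinkDecision("existing", key, "matched Google id")

    email = userinfo.get("email")
    # Absent, null or non-boolean values are treated as unverified.
    verified = userinfo.get("verified_email") is True

    if verified and email:
        # Only here may a pre-existing local account be attached to this
        # Google identity on the strength of the email address alone.
        for key, record in users.items():
            if record.get("email", "").lower() == email.lower():
                record["google_id"] = google_id
                return LinkDecision("existing", key, "linked by verified email")
        users[email.lower()] = {
            "google_id": google_id, "email": email, "email_verified": True,
        }
        return LinkDecision("created", email.lower(), "new user with verified email")

    # Unverified: never merge with an existing local account by email, since
    # Google is not asserting that this person controls that mailbox.
    key = f"google:{google_id}"
    users[key] = {"google_id": google_id, "email": email, "email_verified": False}
    return LinkDecision("created", key, "new user; email stored as unverified")
```

The key design choice is that the Google id, not the email, is the primary identifier for a returning user, and the email is only trusted for an account merge when the flag is exactly `True`; a missing or malformed flag is deliberately treated the same as `False`.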