OpenID Connect Authentication Flow

The following diagram shows the standard flow for OpenID Connect.

Note: This diagram is essentially the same as the OAuth 2.0 diagram, except that the scope is set to "openid profile" and there is an additional step of resolving the user info against Google's userinfo service.
OpenID Connect Diagram
  1. First, the user agent makes a request to the authorization server.
  2. The IDP first checks to make sure that the user has been authenticated. There may be some back and forth between the user agent and the IDP to achieve authentication.
  3. The IDP then checks with the resource owner (accounts.google.com) to request consent to share "profile contact" data with the client.
  4. The user agent is then redirected back to yoursite.com/callback with an authorization code.
  5. This authorization code is exchanged via a back channel for an access token. This access token is then used to get data directly from the resource owner (accounts.google.com).
  6. Get the user info with the access token. This will be returned as JSON.
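
The client side of steps 1, 4, 5 and 6, as an added example that is not part of the original page: it builds the authorization request, checks the state value on the callback before accepting the code, and prepares the back-channel token and userinfo requests without sending them. The endpoint URLs are assumed to be the ones Google publishes for OpenID Connect, the client ID and secret are placeholders, and all function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: Google's published OIDC endpoints; client credentials are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
USERINFO_ENDPOINT = "https://openidconnect.googleapis.com/v1/userinfo"
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"
REDIRECT_URI = "https://yoursite.com/callback"


def new_state():
    """Unguessable value stored in the user's session and echoed back in step 4."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state):
    """Step 1: URL the user agent is redirected to; the scope requests OpenID Connect."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile", "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: return the authorization code, or raise if the callback cannot be trusted."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    # The state must equal the one bound to this session, otherwise the
    # callback was not started by this user agent (login CSRF).
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def token_request(code):
    """Step 5: form body POSTed server-to-server (back channel) to TOKEN_ENDPOINT."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}


def userinfo_request(access_token):
    """Step 6: URL and headers for the userinfo call; the response body is JSON."""
    return USERINFO_ENDPOINT, {"Authorization": "Bearer " + access_token}
```

The client secret appears only in the step 5 request, which is why that exchange runs on the back channel and never passes through the user agent.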