@ValterAndrei
Last active January 16, 2026 12:35
Google OAuth2 Testing Guide


1. Generate the authorization URL and open it in the browser

https://accounts.google.com/o/oauth2/auth?client_id=SEU_CLIENT_ID&redirect_uri=http://localhost:3000/users/auth/google_oauth2/callback&scope=profile%20email&response_type=code&access_type=offline

2. Copy the authorization code after logging in

http://localhost:3000/users/auth/google_oauth2/callback?code=SEU_CODIGO&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=1&prompt=consent

3. Generate the access token

curl -d "client_id=SEU_CLIENT_ID" \
     -d "client_secret=SEU_SECRET" \
     -d "code=SEU_CODIGO" \
     -d "grant_type=authorization_code" \
     -d "redirect_uri=http://localhost:3000/users/auth/google_oauth2/callback" \
     https://oauth2.googleapis.com/token

4. Validate the access token

curl -H "Authorization: Bearer SEU_ACCESS_TOKEN" \
     https://www.googleapis.com/oauth2/v3/userinfo

5. Generate another token using the "refresh token"

curl -d "client_id=SEU_CLIENT_ID" \
     -d "client_secret=SEU_SECRET" \
     -d "refresh_token=SEU_REFRESH_TOKEN" \
     -d "grant_type=refresh_token" \
     https://oauth2.googleapis.com/token

6. Revoke the token

curl -d "token=SEU_TOKEN" \
     https://oauth2.googleapis.com/revoke
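
The URL in step 1 carries no `state` parameter, so the callback in step 2 cannot be tied to the login attempt that started it. The script below is an added example, not part of the original gist: it builds the same URL with a random `state` and only hands back the code when the callback echoes that value. The function names and the sample callback are constructed for illustration.

```shell
#!/bin/sh
# Added example: steps 1-2 with a `state` value bound to this login attempt.
# Function names and the sample callback below are constructed for illustration.

REDIRECT_URI='http://localhost:3000/users/auth/google_oauth2/callback'

# Percent-encode everything outside the RFC 3986 unreserved set.
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# 128 bits from the kernel CSPRNG, hex-encoded.
new_state() { od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; }

# build_auth_url CLIENT_ID STATE -> the step 1 URL plus &state=...
build_auth_url() {
  printf 'https://accounts.google.com/o/oauth2/auth?client_id=%s&redirect_uri=%s&scope=%s&response_type=code&access_type=offline&state=%s' \
    "$(urlencode "$1")" "$(urlencode "$REDIRECT_URI")" \
    "$(urlencode 'profile email')" "$(urlencode "$2")"
}

# query_param URL NAME -> raw (still percent-encoded) value of the first match
query_param() {
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# extract_code CALLBACK_URL EXPECTED_STATE
# Prints the code only when the callback echoes the state we issued.
extract_code() {
  if [ -z "$2" ] || [ "$(query_param "$1" state)" != "$2" ]; then
    echo 'state mismatch: discard this callback' >&2
    return 1
  fi
  query_param "$1" code   # stays encoded, ready for: curl -d "code=..."
}

STATE=$(new_state)
build_auth_url SEU_CLIENT_ID "$STATE"; echo
# Constructed callback, shaped like the one in step 2:
extract_code "$REDIRECT_URI?code=4%2FCONSTRUCTED&scope=email+profile&state=$STATE" "$STATE"
```

Keep the generated `state` only for the lifetime of one login attempt and compare it before running step 3.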

┌────────────┐
│    User    │
└─────┬──────┘
      │ clicks "Login with Google"
      ▼
┌────────────┐
│  Next.js   │
│ (frontend) │
└─────┬──────┘
      │ OAuth2 redirect
      │
      ▼
┌──────────────────────────┐
│        Google OAuth      │
│ accounts.google.com      │
└─────┬────────────────────┘
      │ user authenticates
      │
      │ redirect_uri + ?code=AUTH_CODE
      ▼
┌────────────────────────────────────────┐
│           Rails API (backend)          │
│ /users/auth/google_oauth2/callback     │
└─────┬──────────────────────────────────┘
      │
      │ 1. receives AUTH_CODE
      │ 2. exchanges AUTH_CODE for Google tokens
      │    (OmniAuth does this)
      │
      │ 3. extracts email / uid
      │ 4. find_or_create User
      │
      │ 5. generates JWT (devise-jwt)
      │
      ▼
┌────────────────────────────────────────┐
│        Rails responds with JSON        │
│  { token: "SEU_JWT" }                  │
└─────┬──────────────────────────────────┘
      │
      │ redirect or response to the frontend
      ▼
┌────────────┐
│  Next.js   │
│ (frontend) │
└─────┬──────┘
      │ stores JWT (memory / cookie)
      │
      │ subsequent calls
      ▼
┌────────────────────────────────────────┐
│        Protected Rails API             │
│ Authorization: Bearer SEU_JWT          │
└────────────────────────────────────────┘

Reference: https://avohq.io/blog/social-login-rails-google-github
