I'm currently implementing a JSON API for Rails to serve an Android mobile app, which requires Google authentication.

The flow I'm hoping for is Google API OAuth2's One-time Code Flow (Hybrid Authentication), as explained in the omniauth-google-oauth gem. Put simply, the Android app obtains a one-time-code from the Google accounts' server and hands it over to the Rails API action, which converts it into an access token and then uses it to fetch the user's profile info.

With this in mind I have two questions regarding the Devise omniauth implementation in Rails:

  1. I see that the one-time-code client flow implementation for JavaScript is already described in omniauth-google-oauth gem's documentation. However, Devise handles failure of the authorization by redirecting the user to the new registrations page, and the callback phase requires a set of parameters for which I have no documentation. Does Devise support this type of flow for JSON APIs? And if so, how should it be processed?

  2. I noticed that there is some kind of trigger that initiates omniauth's callback phase, as presented below. The problem is that when I change the path_prefix for omniauth to something other than /users/auth/, this is not triggered when I do a POST request to the callback URL. What criteria does Devise/Omniauth use for this trigger?

    INFO -- omniauth: (google_oauth2) Callback phase initiated.

For reference, I'm using Rails 4.1.6 with Ruby 2.1.3 and Devise 3.2.4.

I deeply appreciate your assistance!

mrstif