So when Joe Soap clicks on the relevant button in the SoftwareInc app, the app contacts Google's authorisation server, presenting its own client credentials (the ones SoftwareInc registered with Google) together with the customer's email address, e.g. joesoap@gmail.com. Note that at no point does the app ask Joe for his Google password; that is the whole point of the exercise.
Google gives back a unique URL, which the SoftwareInc app now opens in a browser for Joe Soap.
This is a Google sign-in page; if Joe signs in and consents to the requested access, Google returns a success response to the SoftwareInc app.
This is some JSON containing five fields:
{
  "access_token": "xxxxxxxxxxxxx",
  "expires_in": 3599,
  "refresh_token": "yyyyyyyyyyyyyyy",
  "scope": "https://mail.google.com/",
  "token_type": "Bearer"
}
Now when signing in to Gmail (over IMAP or SMTP), SoftwareInc sends the username as normal and the access_token in place of a password, using the XOAUTH2 SASL mechanism. The access token is a bearer credential: anyone who gets hold of it can read Joe's mailbox until it expires, so it has to be stored and handled just as carefully as a password would be.
The access token above expires in just under an hour (3599 seconds, i.e. just short of 3600).
When that happens SoftwareInc uses the refresh token above to request a new access token from Google's token endpoint, without Joe having to sign in again.
Refresh tokens never expire (but I think they are single-use only).
After authorisation is granted in this way, the user gets a notification on their phone as well as an email about the new access.
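Here is an added Python example (not code from the original page or from SoftwareInc) that walks through the exchange described above: it parses a token response of the shape shown, builds the XOAUTH2 credential that Gmail's IMAP/SMTP servers accept in place of a password, decides when the access token is about to expire, and builds the refresh request. The sample token response, the client ID and secret, and the user name are constructed placeholders; the token endpoint URL and the XOAUTH2 string format are Google's documented ones.

```python
import base64
import json
import urllib.parse

# Constructed sample token response (not a real token), matching the shape
# returned after the user consents in the browser.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "xxxxxxxxxxxxx",
    "expires_in": 3599,
    "refresh_token": "yyyyyyyyyyyyyyy",
    "scope": "https://mail.google.com/",
    "token_type": "Bearer",
})

# Google's token endpoint, used for the refresh_token grant.
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def parse_token_response(body, now):
    """Parse the JSON token response and turn the relative expires_in into an
    absolute expiry (seconds since epoch) so later checks do not drift."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # absent on refresh responses
        "expires_at": now + int(data["expires_in"]),
        "scope": data.get("scope", ""),
    }


def xoauth2_string(user, access_token):
    """Raw SASL XOAUTH2 client response: user=<email>^Aauth=Bearer <token>^A^A."""
    return "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)


def xoauth2_initial_response(user, access_token):
    """Base64 form of the XOAUTH2 string, as sent on the wire with
    'AUTH XOAUTH2 <value>' (SMTP) or 'AUTHENTICATE XOAUTH2 <value>' (IMAP)."""
    raw = xoauth2_string(user, access_token).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def needs_refresh(token, now, skew=60):
    """True when the access token has expired or will within `skew` seconds;
    refreshing slightly early avoids a failed login right at the boundary."""
    return now + skew >= token["expires_at"]


def refresh_request_body(client_id, client_secret, refresh_token):
    """Form-encoded body POSTed to GOOGLE_TOKEN_ENDPOINT to get a new access
    token. The refresh token and client secret are long-lived secrets and
    must never be logged or shown to the user."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })


def apply_refresh_response(token, body, now):
    """Merge a refresh response into the stored token. Google normally omits
    refresh_token on a refresh, so the previously stored one is kept."""
    new = parse_token_response(body, now)
    if new["refresh_token"] is None:
        new["refresh_token"] = token["refresh_token"]
    return new


def imap_authenticate(user, access_token):
    """Log in to Gmail over IMAP with the access token instead of a password.
    imaplib base64-encodes the authobject's return value itself, so the raw
    XOAUTH2 string is returned from the callback. Needs network; not called
    by the checks below."""
    import imaplib
    raw = xoauth2_string(user, access_token).encode("utf-8")
    conn = imaplib.IMAP4_SSL("imap.gmail.com", 993)
    conn.authenticate("XOAUTH2", lambda challenge: raw)
    return conn
```

A typical loop is: load the stored token, call needs_refresh with the current time, POST refresh_request_body to GOOGLE_TOKEN_ENDPOINT if it returns True and feed the reply through apply_refresh_response, then hand the current access token to imap_authenticate (or the SMTP equivalent).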