Authorization with ClientLogin involves a sequence of interactions between three entities: the installed application, Google services, and the user. This diagram illustrates the sequence:
- When the third-party application needs to access a user's Google service, it retrieves the user's login name and password.
- The third-party application then makes a ClientLogin call to Google's Authorization service.
- If the Google Authorization service decides additional vetting is necessary, it returns failure response with a CAPTCHA token and challenge, in the form of a URL for a CAPTCHA image.
- If a CAPTCHA challenge is received, the third-party application displays the CAPTCHA image for the user and solicits an answer from the user.
- If requested, the user submits an answer to the CAPTCHA challenge.
- The third-party application makes a new ClientLogin call, this time including the CAPTCHA answer and token (received with the failure response).
- On a successful login attempt (with or without CAPTCHA challenge), the Google Authorization service returns a token to the application.
- The application contacts the Google service with a request for data access, referencing the token received from the Google Authorization service.
- If the Google service recognizes the token, it supplies the requested data access.