Great question! The good news is that yes, you absolutely can implement Google Sign-In without any JavaScript—using the server-side OAuth 2.0 Authorization Code Flow, which avoids all client-side JS dependencies entirely. This fits perfectly with your requirement of keeping core functionality independent of JS.

Here's a step-by-step breakdown of how to implement it:

1. Set up your Google Cloud Project & OAuth Credentials #

First, you'll need to configure your project in the Google Cloud Console:

• Create a new project (or use an existing one)
• Enable the Google Identity API
• Set up OAuth 2.0 credentials (select "Web application" as the application type)
• Add your app's redirect URI—this is the endpoint on your server where Google will send the authorization code after the user logs in.

2. Create a plain HTML sign-in trigger #

Instead of Google's JavaScript-powered sign-in button, use a regular HTML link or form to redirect users to Google's authorization endpoint. The URL needs to include these required parameters:

https://accounts.google.com/o/oauth2/v2/auth?
client_id=YOUR_CLIENT_ID
&response_type=code
&scope=openid%20email%20profile
&redirect_uri=YOUR_REDIRECT_URI
&state=YOUR_RANDOM_SECRET_VALUE

• state: Generate a unique, random value for each user session (store it in a cookie or server-side session). This prevents CSRF attacks—you'll verify this value matches when Google redirects back to your app.
• scope: Adjust this based on the user data you need; openid email profile is a minimal set for basic sign-in.

You can wrap this URL in a simple anchor tag:

<a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid%20email%20profile&redirect_uri=YOUR_REDIRECT_URI&state=YOUR_RANDOM_SECRET_VALUE">Sign in with Google</a>

3. Handle the authorization code on your backend #

After the user logs in successfully, Google will redirect them back to your redirect_uri with a code parameter in the URL (e.g., https://your-app.com/callback?code=AUTH_CODE&state=YOUR_RANDOM_SECRET_VALUE).

On your backend:

1. First, verify that the state parameter matches the one you stored for the user's session. If it doesn't, reject the request—this is a critical CSRF protection step.
2. Send a POST request to Google's token endpoint (https://oauth2.googleapis.com/token) with these form-encoded parameters:

   code=AUTHORIZATION_CODE_FROM_GOOGLE
   &client_id=YOUR_CLIENT_ID
   &client_secret=YOUR_CLIENT_SECRET
   &redirect_uri=YOUR_REDIRECT_URI
   &grant_type=authorization_code
   

3. Google will respond with an access token, ID token, and refresh token (if requested).

4. Validate and use the ID token #

The ID token is a JSON Web Token (JWT) containing the user's core information (email, name, Google user ID, etc.). You must validate it to ensure it's authentic and intended for your app:

• Use Google's official validation libraries for your backend language (they handle checks for signature validity, expiration, audience, and issuer automatically).
• Once validated, extract the user's data from the JWT payload and create a server-side session for the user in your app.

5. Implement sign-out #

For sign-out:

• Redirect the user to Google's sign-out endpoint: https://accounts.google.com/logout
• After that, redirect them back to your app's homepage, and invalidate the user's session on your backend to fully log them out.

Key Security Notes #

• Always use HTTPS for all endpoints to protect the authorization code and tokens from interception.
• Never expose your client secret in client-side code (since this is a server-side flow, the secret stays safely on your backend).
• The state parameter is non-negotiable for security—don't skip validating it.

内容的提问来源于stack exchange，提问作者Christopher Schultz