Gmail native login flow, technical question: what happens step by step after you enter your username and password and press Enter

Awesome question! It’s super easy to mix up OAuth (the system third-party apps use to access Google services) with Google’s own first-party authentication flow for Gmail and other core Google products. Let’s break down exactly what happens when you hit enter after typing your username and password on the Gmail login page, step by step:

Gmail Native Login Flow (Distinct from Third-Party OAuth)

First, a quick clarification: OAuth is for when an external app (like a project management tool that needs to pull your Gmail messages) wants to access your Google data without seeing your password. Gmail’s own login is a direct, internal flow where Google acts as both the identity checker and the service provider.

Step 1: Frontend Checks & Initial Request

  • Before anything hits Google's servers, the page's own JavaScript does basic validation: the identifier must look like an e-mail address (or a phone number) and the password field must not be empty. On Google's sign-in page these two values are collected on separate screens, but the flow is the same. These checks only avoid pointless round trips; they are not a security control, since anyone can bypass them by sending the POST directly.
  • Once validated, the browser sends the credentials in the body of an HTTPS POST to accounts.google.com. TLS is what protects the password in transit: it is not hashed in the browser, and hashing it there would not help, because the hash would then itself be the credential an attacker needs to replay. The form also carries a server-issued token tied to the sign-in page (anti-CSRF and bot-detection signals) and the browser's user agent; the client IP address is observed by the server from the connection, not sent by the client.

Step 2: Server-Side Credential Verification

  • Google's auth servers first validate the request itself: the anti-CSRF token and the Origin/Referer must match Google's own sign-in page, and the request is scored against risk signals (IP reputation, device and browser fingerprint, failure rate from this client) before any credential is checked.
  • Next, they verify your password. Google never stores plaintext passwords; it stores a salted hash produced by a deliberately slow hash function. The server takes the password you submitted, hashes it with the salt stored for your account, and compares the result with the stored hash. Nothing pre-hashed arrives from the browser. If your account has 2-Step Verification enabled, a second factor is required on every device that has not been marked as trusted (a code from Google Authenticator, a Google prompt on a phone you are already signed in on, a security key, or an SMS code); even without 2-Step Verification, unusual activity such as a login from a new country can trigger an extra challenge.
  • The server also checks your account status: is it active or suspended? Is a password reset pending? Are there security alerts that need acknowledging?
  • If all checks pass, Google issues the browser its session credential:
    • Session cookies: a set of cookies scoped to google.com, marked HttpOnly (page scripts cannot read them, which limits what an XSS can exfiltrate) and Secure (sent only over HTTPS). They carry an opaque identifier that Google's servers map to a session record; they are what tells Google you are signed in on later visits to Gmail and other services hosted under google.com (other domains such as youtube.com get their own cookies through a redirect via accounts.google.com). They remain a bearer credential: malware or a malicious extension on the device can still copy them.
    • No ID token: in this first-party flow the browser is not handed a JWT. ID tokens (signed JWTs carrying your user ID and e-mail) are what Google issues to third-party applications through OpenID Connect on top of OAuth, which is exactly the flow this answer is distinguishing from.
    • No refresh token either: refresh tokens are likewise an OAuth concept. Staying signed in across browser restarts comes from the cookies being persistent rather than session-scoped, so they are sent again until they expire, you sign out, or you revoke the session from your Google Account's security settings.

Step 3: Redirect to Your Inbox

  • The auth server sends a redirect response to your browser, pointing you to the Gmail inbox page.
  • When the inbox loads, the Gmail front end calls Google's mail back end to fetch your messages, settings and other account data. The browser attaches the session cookies to those requests automatically; the server maps the cookie to its session record and serves only that account's data.

Step 4: Ongoing Session Management

  • Every request you make while using Gmail is checked against the server-side session record, not just periodically. If the session has been idle too long, if its risk profile changes (for example the same session suddenly appearing from a different network), or if you try to change a sensitive setting, Google asks you to re-authenticate.
  • When you click "Sign out", the server invalidates its session record and responds with a Set-Cookie header that expires the cookies (the browser cannot clear an HttpOnly cookie from page script). The server-side invalidation is the part that matters: a copy of the old cookie stolen earlier stops working even if the browser never receives that response.
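As an added example (not code from the answer above and not Google's code), here is a small server-side simulation of Steps 2 to 4 in Python: it stores only salted scrypt hashes, hashes the submitted password on the server with the stored salt and compares in constant time, gates on a second factor when one is enrolled or the device is new, issues an opaque random session id as an HttpOnly/Secure cookie, checks every later request against the server-side session record, and invalidates that record on sign-out. The scrypt parameters, the `SID` cookie name, the one-hour idle limit and the in-memory `outbox` that stands in for SMS/push delivery are all assumptions chosen for the demo; Google's real parameters are not public.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed toy authentication server walking through Steps 2 to 4.
# Added illustration only; the work factor, cookie name and idle limit
# below are assumptions for the demo, not Google's real values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factor (16 MiB)
SESSION_TTL = 3600                              # assumed inactivity limit, seconds


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted, memory-hard hash of the password (server side only)."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class AuthServer:
    def __init__(self):
        self.users = {}      # email -> {salt, hash, active, second_factor}
        self.sessions = {}   # opaque session id -> {email, last_seen}
        self.pending = {}    # challenge id -> {email, code}
        self.outbox = []     # (email, code) "delivered" to the phone (demo stand-in)

    def register(self, email, password, second_factor=False):
        salt = os.urandom(16)                   # fresh random salt per user
        self.users[email] = {"salt": salt, "hash": derive(password, salt),
                             "active": True, "second_factor": second_factor}

    # Step 2: request integrity, credential check, account status, second factor.
    def login(self, email, password, form_token_ok=True, new_device=False):
        if not form_token_ok:                   # anti-CSRF token / origin check failed
            return {"status": "rejected"}
        user = self.users.get(email)
        if user is None:
            derive(password, os.urandom(16))    # burn the same time as a real check
            return {"status": "bad_credentials"}
        if not hmac.compare_digest(derive(password, user["salt"]), user["hash"]):
            return {"status": "bad_credentials"}
        if not user["active"]:
            return {"status": "account_disabled"}
        if user["second_factor"] or new_device:
            cid = secrets.token_urlsafe(16)
            code = f"{secrets.randbelow(10 ** 6):06d}"
            self.pending[cid] = {"email": email, "code": code}
            self.outbox.append((email, code))   # a real server sends SMS/push instead
            return {"status": "needs_second_factor", "challenge": cid}
        return self._issue_session(email)

    def complete_second_factor(self, cid, code):
        # One attempt per challenge: a wrong code forces a fresh password login.
        chal = self.pending.pop(cid, None)
        if chal is None or not hmac.compare_digest(chal["code"], code):
            return {"status": "bad_code"}
        return self._issue_session(chal["email"])

    # Step 3: an opaque, server-stored session id goes out as an HttpOnly/Secure cookie.
    def _issue_session(self, email):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"email": email, "last_seen": time.time()}
        return {"status": "ok",
                "set_cookie": f"SID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/",
                "redirect": "/mail/u/0/"}

    # Step 4: every later request is resolved against the server-side record.
    def authenticate_request(self, sid, now=None):
        now = time.time() if now is None else now
        sess = self.sessions.get(sid)
        if sess is None:
            return None                         # unknown, revoked or signed out
        if now - sess["last_seen"] > SESSION_TTL:
            del self.sessions[sid]              # idle too long: force re-authentication
            return None
        sess["last_seen"] = now
        return sess["email"]

    def logout(self, sid):
        self.sessions.pop(sid, None)            # record gone: a stolen copy is now useless
        return "SID=; Max-Age=0; Secure; HttpOnly; Path=/"   # tells the browser to drop it
```

Two design choices worth noticing: the session credential is a random opaque id looked up server-side, which is what makes "Sign out" and remote revocation effective (a self-contained JWT cannot be invalidated without an extra denylist), and an unknown e-mail still pays the cost of one scrypt call so that response time does not reveal which accounts exist.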

The question was taken from Stack Exchange; the original asker is Nipoon Patel.
