• https://fusionauth.io/community/forum/topic/2659/access-google-calendars-of-multiple-google-accounts-with-user-permission/2
• https://fusionauth.io/community/forum/topic/2569/how-do-i-call-a-google-api-or-retrieve-the-google-credentials

"The brief says "that button uses the identity provider login OIDC API to complete the login. That is, the dev starts the OIDC process but FA completes it and holds the token. After the user connects Google, the application then calls into FA to get the refresh token. Then it can call the Google API to get the contacts"

There are some parts I'm confused about. Please clarify the best approach if you can:

1. I assume the user logs in to the app with FA with a username like richard@example.com, but connects to Google with an email like richard@gmail.com. So the user is not logging in to FA with Google at first. If I'm wrong, please let me know.
2. What benefit does the app getting Google contacts with FA have? Why shouldn't the app call Google directly through their API, or with custom code?
3. I assume the app will log the user in to Google by calling https://fusionauth.io/docs/apis/identity-providers/openid-connect#complete-an-openid-connect-login, with a linking strategy in the OpenId provider created in settings of "Pending Link". The Response of this API is a User object. But shouldn't it return a Google token? How do we use a User object to call Google here? Also, this doesn't seem like the app "starting" the OIDC process, it seems like FA does all of it. Have I picked the wrong API call? How do we link the current FA user to their Google email?
4. As I understand Google sign in, you have to use a snippet of Google JS in your app, which shows a UI form to the user. Which you can't do if calling an API programmatically only. What am I misunderstanding here?
5. "calls into FA to get the refresh token" - Which API allows this, and what parameters should be passed in?

Thanks.

PS. I wanted to my improve my knowledge of OAuth significantly for this article, but the "form" on this page to get your ebooks is just a grey line I can't interact with - https://fusionauth.io/ebooks/modern-guide-to-oauth

UPDATE WHILE WAITING FOR FORUM APPROVAL:

• I added an href in my app pointing to https://accounts.google.com/o/oauth2/v2/auth?client_id=535042435541-eridnie9d09pa69dsq1hh066ushvp4e0.apps.googleusercontent.com&redirect_uri=http://localhost:9011/api/identity-provider/login&response_type=code&scope=openid%20email%20profile%20https://www.googleapis.com/auth/contacts.readonly&state=STATE&idp_hint=26481189-e3f7-433f-804b-9643a025806a. That successfully directs the user to google, gets consent for contacts, and redirects the user back to http://localhost:9011/api/identity-provider/login?state=STATE&code=4/0AVG7fiTXd3CnD-ff3ga7Zs5BXgHoUbvnPw&scope=email%20profile%20https://www.googleapis.com/auth/contacts.readonly%20openid%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&authuser=1&hd=ritza.co&prompt=consent. That doesn't seem to do anything though. I realised I'm supposed to redirect the user back to the app, then call the FusionAuth API from the server. Making progress here slowly...