The following is a quick reference example of a three-legged OAuth2 request to Google.
Note: client_id, redirect_uri and client_secret are all values that you have set up for your app in the Google Developers Console. The scope depends on which Google API you would like to access; more than one can be separated by a comma. I will be using the scope for Google Analytics in this example.
The initial URL to request that the user give you access to their account should look like this (note: response_type=code):
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
If you open that link in a browser you will see this:
Once they click Accept you will see:
That is the Authentication Code; it is used to request a refresh token. It is displayed to the user in the body of the HTML as well as in the title of the page. To get a refresh token you POST the Authentication Code back to Google. Note: this is an HTTP POST; you can't just place it in a browser, as that would be an HTTP GET. Note: grant_type=authorization_code
https://accounts.google.com/o/oauth2/token code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
This is the response:
{ "access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw", "token_type" : "Bearer", "expires_in" : 3600, "refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4" }
The access_token you get from the above request is what you will use to make requests to the service. After one hour your access token will have expired and you will need to request a new access_token: you take the refresh_token that you got above and HTTP POST it to the following. Note: grant_type=refresh_token
https://accounts.google.com/o/oauth2/token client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token
This is the response:
{ "access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ", "token_type" : "Bearer", "expires_in" : 3600 }
How you send an HTTP GET and an HTTP POST depends upon which language you are doing this in, but the above links should help you create the URLs correctly.
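The three requests above, built with Python's standard library, as an added example that is not code from the original post. The function names and the 60-second early-expiry margin are assumptions made for illustration; the requests are built but not sent, and all credentials are supplied by the caller.

```python
import time
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"    # from the article
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"  # from the article

def authorization_url(client_id, redirect_uri, scope):
    """Step 1: the URL the user opens in a browser (HTTP GET, carries no secret)."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
    })
    return f"{AUTH_ENDPOINT}?{query}"

def _token_post(fields):
    """Build (not send) a form-encoded POST: the secret goes in the body, not the URL."""
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def exchange_code_request(code, client_id, client_secret, redirect_uri):
    """Step 2: trade the authentication code for an access and a refresh token."""
    return _token_post({
        "code": code, "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri, "grant_type": "authorization_code"})

def refresh_request(refresh_token, client_id, client_secret):
    """Step 3: trade the stored refresh token for a new access token."""
    return _token_post({
        "client_id": client_id, "client_secret": client_secret,
        "refresh_token": refresh_token, "grant_type": "refresh_token"})

def apply_token_response(state, response, now=None):
    """Merge a parsed token response into stored state. A refresh response carries
    no refresh_token, so the stored one is kept. The 60 s margin is an assumption."""
    now = time.time() if now is None else now
    state = dict(state, access_token=response["access_token"],
                 expires_at=now + response["expires_in"] - 60)
    if "refresh_token" in response:
        state["refresh_token"] = response["refresh_token"]
    return state

def needs_refresh(state, now=None):
    """True once the stored access token is at or past its (early) expiry time."""
    return (time.time() if now is None else now) >= state.get("expires_at", 0)
```

Pass a returned Request to urllib.request.urlopen to send it, then feed the parsed JSON response to apply_token_response.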
Great article, but…
Is there an option without showing/opening the Google Analytics window for accepting? I would like to show stats from my Analytics to my visitors (e.g. show charts).
I think you need to look into a service account. Once you have created a service account you can add the service account email address, like you would any other user, to the Google Analytics account; it will then be able to access your data.
I don’t have a standard example for this yet; it’s on my list, which gets longer every day.
Hi,
Great article, but I would like to ask about the approve window.
Is there some solution to show stats for my visitors?
Something like autologin by my account?
Thanks, bye!
If you want to change something on the consent screen, it’s done in the Developer console. It is very limited what you can change; the consent screen is basically something that is created for us by Google’s Authentication server, and we don’t get to change too much of it.
Hi
Here, after the access_token expires, when we request the refresh access_token, it is actually not refreshing that token and it expires in 1 hour.
Please give me some solution.
If you send the refresh token you will get a new access token which will again work for only an hour. You need to keep refreshing your access token.
I am using an installApplication (WordPress Plugin), setting the redirect URI:
$client = new Google_Client();
$client->setRedirectUri( admin_url( 'admin.php?page=analytica-admin-settings', 'http' ) );
On localhost it is working, but on the server it is showing the error redirect URI mismatch.
If I change the URI to “urn:ietf:wg:oauth:2.0:oob” with a popup, it shows the “Once they click Accept you will see:” portion and it works fine, but I do not want to use that. I want to use the admin page URL as the redirect URI and want it to work as it is working on localhost. Can you help me with this? I have posted a question on Stack Overflow http://stackoverflow.com/questions/34316162/installed-application-redirect-uri-mismatch-when-site-is-online but am not getting any response, please help me.
WordPress plugins are PHP; you should be using a browser client ID, not an installed application client ID. Anyone that downloads your plugin to install it is going to have to create their own client anyway, as you can’t release your own.
Hi – Thank you for this post, it got me going forward with my own project. Could you please add the type of Authorization used in these post-requests? It would make the thing even clearer.
What do you mean by type of Authorization?
Hi, your tutorial is great. I need some help. Using the URL: https://accounts.google.com/o/oauth2/auth? + 'scope=' + SCOPE + '&client_id=' + CLIENTID + '&client_secret' + CLIENTSEC + '&redirect_uri=' + REDIRECT + '&response_type=' + TYPE; I got 1) access_token 2) token_type 3) expires_in. But how do I get the refresh_token?
And when I use the URL: https://accounts.google.com/o/oauth2/token+ 'code' + CODE + '&client_id=' + CLIENTID + '&client_secret=' + secKey + '&redirect_uri=' + REDIRECT + '&grant_type=authorization_code';
I got the Code.
I just need to allow my app user to see their drive files without login, after first-time authentication (with Google login password). I need your help. I have used all the tutorials and the Google guide but can’t find the solution. Please help.
You can’t authenticate with login and password.
Hey Linda,
Great tutorial! However, I’m not sure how you were able to retrieve the authorization code from the URL after the Google user has given the application permission.
You mention that we are required to copy the authorization code, paste it in the application so the second call to the token endpoint can be made. Is there a workaround to retrieve this authorization code programmatically so the end-user has to just click “Accept” and the application can then go ahead with making the call to the token endpoint for the access and refresh tokens?
To my knowledge this still works, but it’s been a while since I have tested it. I recommend looking for a client library in the language of your choice; most of them handle grabbing the authentication code for you.
Wow. it’s very useful for me. THANKS Linda.
Thank you! I have used this post (and others) to retrieve an access token using the refresh token. I am however unclear how to use it. Do you know of any examples/direction for the next step i.e. using the retrieved token to access api functionality e.g.
In my case I will try to use python and the google youtube data api to refresh (delete and upload new) a video to my channel hourly.
Once you have an access token you can either send it as access_token=XXXXX with any Google API request, or you can use the authorization header and send the access token as a bearer token.
If you are using Python you should consider using the Google Python client library; it will make this easier for you.
Thanks, I am trying that now, i.e. posting to google apis a youtube “part”, and other arguments from samples along with the access code, client ID etc. but haven’t found the proper mixture.
Again thanks as I’ve gotten nothing back from Stack Overflow.
You don’t send the client ID when calling the API; you only send the access token, using either &access_token=XXX or adding it as an authorization header of type bearer token.
What is the link to your question on Stack Overflow?
I am working with these examples https://stackoverflow.com/questions/48243959/how-do-i-use-the-oauth2-access-token-with-the-youtube-data-api
And getting these results: https://stackoverflow.com/questions/48290978/another-daily-limit-for-unauthenticated-use-exceeded-continued-use-requires-si
I have “signed up” but from other posts you’ve done on registering and using the apis I don’t know that it is required for what I want to do i.e. periodically, say each (daylight) hour delete an existing youtube video and upload a new one to replace it.
The videos are of the last hour’s from a digital camera and are linked to my weather website.
Hi Linda, I want to request an article/tutorial regarding a WCF service for Google+ (without using a browser) like this link. Using this link (http://qaru.site/questions/1274790/wpf-application-authentication-with-google), I have tried to move and implement the function and make it a WCF service interface. This is difficult for me to do and has become problematic. Can you teach the same thing the project does in a WCF service?
Google+ data is private user data; you’re going to have to log in using the browser window. Google+ doesn’t support service accounts, so you can’t go that route.
Hi
Do you reckon Google is still not supporting Service accounts for implementing the same in WCF services?
It depends upon the API really, more than what language you are using. Not all APIs support service accounts.
Hey
Great post. When I try with Google directory, with redirect URI as localhost, I get the error “Site cant be reached. Localhost refused to connect”. Can you please help?
Thank you
Where are you running the code from? You can only use localhost if it’s your own machine.
Always like your posts. I think this one is now officially outdated, as Google have blocked the OOB method for OAuth2. Not sure if this should be marked as deprecated?
Cheers
Stevie
You just need to send the redirect URI of https://127.0.0.1 instead of urn:ietf:wg:oauth:2.0:oob.
It will display a 404 error but the code will be in the url bar.