Are you developing an application that will use one or more of the Google APIs? Do you already have an application and want to add Google data to it? Before you can access most of the Google APIs you must register your project on the Google Developers Console.
This is post number five in my six-part beginning Google Development series, which started with the post Google Development for beginners and continued with registering a project with Google, Google Developers Console APIs, and then creating public API key credentials. Now we are going to build on our new project on the Google Developers Console by adding OAuth2 credentials.
In this post we will discuss when you would want to use OAuth2 and how to add OAuth2 credentials to your project on the Google Developers Console.
Let us get started ….
When to use OAuth2
In the previous post, where we created public API key credentials, we looked at the difference between public and private data. We used an API key to access public data.
Now it's time to look at one of the ways to access private data.
Private data is data owned by a user; we use OAuth2 to access private data on that user's behalf.
If your application needs to access a user's Google Drive data, you will need to ask their permission to access it. If you want to upload videos to a user's YouTube account, you will need their permission, and OAuth2 is how you ask for it.
What OAuth isn't
Before OAuth existed (we are talking 2006 and earlier), if you wanted to access an API on behalf of a user, the user had to give you their login and password. We would send requests something like:
http://awsom.webapi.com/getcooluserdata?login=superman&password=god
While this worked, it wasn't exactly secure, was it? If I wanted to grant a third party application access to my Twitter account I had to give it my Twitter login and password. The third party application then had full access to my Twitter account, and there was really no way for Twitter to know that it wasn't me. The password also travelled in the URL query string, so it ended up in web server logs, proxy logs and browser history along the way. And what happens in six months when I change my password? The third party application stops working unless I remember to give it the new password. Using a login and password to access data through an API was called client login.
In May 2015 Google shut down the client login servers; you can no longer use a login and password to access any of the Google APIs.
What is OAuth2?
I am sure you have seen this window before. This is simply OAuth2 in action.
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, installed, and client-side applications.
To begin, obtain OAuth 2.0 client credentials from the Google Developers Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access. For an interactive demonstration of using OAuth 2.0 with Google (including the option to use your own client credentials), experiment with the OAuth 2.0 Playground.
Oh my, did I just copy that from Using OAuth 2.0 to Access Google APIs? Sorry, but it needed to be done. Now let me try and explain what it says in un-geek English.
OAuth (open authorization) happens in three steps:
- The consent screen requests access from the user (the picture above).
- Google's authorization server returns an authorization code to your redirect URI.
- Your application exchanges the authorization code for an access token (and, if you asked for offline access, a refresh token).
There is also a fourth step, where we use the refresh token to get a new access token after the old one has expired.
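Here is what those four steps look like as actual messages, as an added example that is not part of the original post and not Google's client library code. It builds the consent URL, checks the callback that comes back, and builds the form bodies for the code exchange and the refresh; the client ID, client secret, redirect URI and scope in it are made-up values, and nothing is sent over the network.

```python
"""Authorization-code ("3-legged") OAuth 2.0 flow against Google's endpoints.

Added example, not code from the original post and not Google's client
library. It only builds and parses the four messages of the flow; nothing
is sent. CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholder values.
"""
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Placeholder credentials (constructed for the example; not real).
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://example.com/oauth2callback"


def build_auth_url(scopes, state):
    """Step 1: the URL that sends the browser to the consent screen.

    access_type=offline asks for a refresh token alongside the access token.
    state is an unguessable value tied to the user's session; Google echoes
    it back on the redirect so we can tell our own callbacks from forged ones.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Helper: the query string of a URL as a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url, expected_state):
    """Step 2: Google redirects to REDIRECT_URI with ?code=...&state=...
    (or ?error=... if the user declined). Returns the authorization code.
    A state mismatch is rejected before the code is used; that is the check
    that stops an attacker feeding your app a code from their own session.
    """
    qs = query_params(callback_url)
    if "error" in qs:
        raise PermissionError("consent denied: " + qs["error"])
    if qs.get("state") != expected_state:
        raise ValueError("state mismatch: this callback was not started by us")
    return qs["code"]


def exchange_request(code):
    """Step 3: endpoint and form body POSTed to trade the code for tokens.
    redirect_uri must be the same value that was used in step 1."""
    return TOKEN_ENDPOINT, {
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    }


def refresh_request(refresh_token):
    """Step 4: endpoint and form body POSTed to get a new access token once
    the old one has expired (no consent screen this time)."""
    return TOKEN_ENDPOINT, {
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "refresh_token",
    }


def parse_token_response(body, now=None):
    """Turn the token endpoint's JSON reply into a record with an absolute
    expiry, so callers compare against the clock rather than a duration.
    refresh_token is only present on the first grant, so keep it when seen."""
    data = json.loads(body)
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + data["expires_in"],
    }
```

In a real web application the `state` value is generated per session and stored server-side before the redirect, and the form bodies from steps 3 and 4 are POSTed with `application/x-www-form-urlencoded` to the token endpoint over HTTPS.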
3-legged OAuth2 code
The code used to authenticate with OAuth2 is slightly technical, but you are in luck: I have a post for that as well. In my Google 3-legged OAuth2 post I show each of the steps for getting access to Google using OAuth2 with plain HTTP POSTs and HTTP GETs. I strongly recommend you use one of Google's client libraries rather than coding all this yourself, but if you need to, it can be done.
Creating OAuth2 credentials
In the Google Developers Console, under the APIs & auth menu, you will find the Credentials screen. From the Credentials screen click the Add credentials button. You will have a choice of which type of credential to create. Select OAuth 2.0 client ID.
As it says: OAuth 2.0 – Requests user consent so your app can access the user's data for APIs like Google Calendar.
OAuth 2.0 credentials identify your project not only to Google but to the user you are asking for access. If you look at the first picture, the consent form, it tells the user that the application Google Analytics for Windows would like permission to view their Google Analytics data. If the user clicks Accept, Google will make sure that you are only allowed to view their Google Analytics data: you will not, for example, be allowed to make any changes to their Google Analytics account, because that scope was never granted.
Types of OAuth2 credentials
The next step is to choose the type of OAuth2 credentials you need. There are several choices; I am only going to talk about Web application and Other. I have no experience with the others, so I don't want to give you invalid information.
As with the API key, the main difference is where the requests are coming from: is your application running on a web server or is it a native installed application?
Type web application
When creating web application credentials you will need to supply the address on your website where the authentication response is returned to. This is called the redirect URI. Google's authorization server needs to know where to send the user back to once they have clicked Accept on the consent form above. If the redirect URI your application sends does not exactly match one registered in this field, when you try to authenticate a user you will get
Error: redirect_uri_mismatch
The redirect URI in the request: {Redirect URI sent with authencation} did not match a registered redirect URI
The easiest thing to do in this instance is to copy whatever URI the error says you sent and add it to the OAuth2 web credentials. You can have more than one; just put them on separate lines. I normally have one for http://localhost and one for https://daimto.com/index.php. The match is exact, including scheme, host, port and path, so register exactly what your application sends, and make sure that wherever you point it there is a page ready to handle the authentication response.
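To make the matching rule concrete, here is a small model of the check, added as an example that is not the post's own code and not Google's actual server logic. It uses the two URIs mentioned above as the registered list and shows why a debugger's random port, the wrong scheme or the wrong path trips redirect_uri_mismatch; the rejected URIs are made up, and the real server may be stricter still, so when in doubt register the exact string the error reports.

```python
"""A simplified model of the redirect URI check behind redirect_uri_mismatch.

Added example, not the original post's code and not Google's server logic:
it models the observable rule for web application client IDs, that the
redirect_uri sent in the request must match a registered one exactly
(scheme, host, port and path). The registered list is built from the two
URIs mentioned in the post; the rejected URIs in the tests are made up.
"""
from urllib.parse import urlsplit

REGISTERED_REDIRECT_URIS = [
    "http://localhost",
    "https://daimto.com/index.php",
]


def canonical(uri):
    """Reduce a URI to the parts that are compared, filling in the default
    port and path so 'http://localhost' and 'http://localhost:80/' agree.
    (Assumption of this model: the real server may not normalize at all.)"""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path or "/")


def is_registered(sent_uri, registered=REGISTERED_REDIRECT_URIS):
    """True only when the sent URI equals one registered URI part for part."""
    return any(canonical(sent_uri) == canonical(r) for r in registered)


def check_redirect(sent_uri, registered=REGISTERED_REDIRECT_URIS):
    """None when the redirect is accepted; otherwise the error text, in the
    same shape as the message quoted above."""
    if is_registered(sent_uri, registered):
        return None
    return ("Error: redirect_uri_mismatch\n"
            "The redirect URI in the request: " + sent_uri +
            " did not match a registered redirect URI")


def fix_registration(sent_uri, registered):
    """What the post recommends: add the exact URI the error reported.
    Returns a new list; the stored registration is not mutated."""
    if is_registered(sent_uri, registered):
        return list(registered)
    return list(registered) + [sent_uri]
```

Note what the model does not do: a URI that differs only in port (the IDE's debug port) or only in scheme (http instead of https) is a different URI, which is exactly the case that surprises people in the section below.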
Type other
Other is used for native applications, or when web credentials are not working with your redirect URI on localhost.
If you have an installed Windows application you won't know in advance what address the user's machine will have, so you create a client ID of type Other. There is nothing else to set up for this type.
Redirect URI issues with web application credentials: on several occasions I have had problems with Visual Studio, and I have heard of people with Java IDEs having the same problem. When you run in debug mode the IDE has a habit of adding a random port on the end of the URL, making it impossible to predict the redirect URI because it changes every time you debug the application.
The easiest solution I have found so far is to create a client ID of type Other for development. This removes the redirect URI issue; when I release the application to the production web server I change it back to a web application client ID. A slight hack, I know, but it works. Keep the Other credentials for development only: that type is meant for installed applications, where the client secret cannot be kept confidential, so it should not be what a production web server runs with.
The key created
Once you have clicked Create on either of those above, you will see a new window with your client ID and client secret.
The client ID identifies your application; the client secret is like a password for it. As a pair they are needed for authentication.
It is very important to keep these keys secret and secure. Do not post them in open source projects, do not share them with other users, and do not ship them in code where a user could view the source and see them. This includes PHP projects such as WordPress plugins; you will have to tell your users how to create their own credentials.
On November 5, 2014 Google made a change to the terms of use; you can find that change here.
The important thing to remember about it is:
- Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.
You can read my post about my discussion with the author of the change to the Terms of Service about how this will affect open source projects: Changes to the Google API terms of service.
If you are wondering, the ones in these pictures have all been deleted 🙂
OAuth2 Credentials
You can create as many credentials as you want; as far as I know there is no limit to the number of credentials per project. In my opinion, though, there is no need to create more than one of each type, assuming you need more than one type at all. Even if you have three web credentials they will share the same quota, and a user authenticated with one client ID will not be authenticated for the other client ID.
Note: the Android client library is somehow able to identify that a user has been authenticated with one client ID in a project and give them access using another client ID in the same project. I have not been able to figure out how this works or get it to work with any other client library; I suspect it is internal Google magic that we do not have access to. It is called cross-client identity; if anyone gets this working, please let me know.
FAQ
The following is a list of questions I have answered for people over the years about OAuth2.
When a user authorizes your application, an access token is returned to you along with a refresh token (for web applications, only if you requested offline access). Access tokens expire after about an hour; you use the refresh token to get a new access token without sending the user through the consent screen again.
Refresh tokens do not expire except when:
- the refresh token has not been used for 6 months;
- the user goes to the app settings in their Google account and revokes your access, which they can do at any time.
If a user changes their password you will still have access to their data using the refresh token (the documented exception is a refresh token that carries Gmail scopes, which is revoked on a password change).
A user can re-authorize your application 26 times, giving you 26 different refresh tokens; after number 26 the first refresh token stops working. You can only have 26 working refresh tokens for a single user per client ID, so always store the newest one.
There is no limit to the number of users who can authorize your application.
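Here is how an application keeps using a stored refresh token and notices when that token has died, added as an example that is not the post's code and not Google's client library. The token endpoint is passed in as a function so the example runs offline; the stand-in endpoint and its responses are constructed, but they follow the observable behaviour of the real one: a new access token for a live refresh token, and HTTP 400 with invalid_grant once the refresh token has been revoked or has expired.

```python
"""Refresh-token lifecycle: keep a stored grant usable without a new consent.

Added example, not from the original post or Google's client libraries.
The token endpoint is a caller-supplied post(form) -> (status, body) so the
code runs offline; fake_token_endpoint is a constructed stand-in.
"""
import json
import time

REFRESH_MARGIN_SECONDS = 60  # refresh a little early so an in-flight request is not rejected


class ReconsentRequired(Exception):
    """The refresh token no longer works (revoked, unused for 6 months, or
    pushed out by newer grants): the only fix is the consent screen again."""


def needs_refresh(token, now=None):
    """True when the access token is expired or about to expire."""
    now = time.time() if now is None else now
    return now >= token["expires_at"] - REFRESH_MARGIN_SECONDS


def ensure_access(token, post, now=None):
    """Return a token record with a usable access_token, refreshing if needed.

    token: {"access_token", "refresh_token", "expires_at", "client_id",
            "client_secret"} as stored for one user.
    The returned record keeps the stored refresh_token (Google does not send
    a new one on refresh), so it can be written straight back to storage.
    """
    now = time.time() if now is None else now
    if not needs_refresh(token, now):
        return token
    status, body = post({
        "grant_type": "refresh_token",
        "refresh_token": token["refresh_token"],
        "client_id": token["client_id"],
        "client_secret": token["client_secret"],
    })
    data = json.loads(body)
    if status == 400 and data.get("error") == "invalid_grant":
        # Revoked in the user's account settings, expired, or superseded:
        # drop the stored grant and ask the user to consent again.
        raise ReconsentRequired(data.get("error_description", "invalid_grant"))
    if status != 200:
        raise RuntimeError("token endpoint returned %d: %s" % (status, body))
    return dict(token, access_token=data["access_token"],
                expires_at=now + data["expires_in"])


def fake_token_endpoint(live_refresh_tokens):
    """Constructed stand-in for https://oauth2.googleapis.com/token that
    only knows the refresh_token grant."""
    def post(form):
        if (form.get("grant_type") == "refresh_token"
                and form["refresh_token"] in live_refresh_tokens):
            return 200, json.dumps({"access_token": "ya29.fresh",
                                    "expires_in": 3599, "token_type": "Bearer"})
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "Token has been expired or revoked."})
    return post
```

The point of catching invalid_grant separately is that retrying is pointless: the application has to delete the dead refresh token and send the user back through the consent screen, which is the answer to most "it worked for months and then stopped" questions.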
Conclusion
We use an OAuth 2.0 client ID when we want to access data owned by another user. We looked at creating web application credentials for use with websites, and the type called Other, which is used for native applications and when IDEs are being a pain. It is very important to keep your client ID and client secret secure so that no one else can use your quota. If someone does start using your quota and spams Google's servers, not only will your project be shut down but so will your account on the Google Developers Console.
Join me in the next post in my beginning Google development series, where we look at service accounts. With a service account you can access private data without the consent screen step. Service accounts are used to access data that you, as the developer, own.
Hello, I have one question. I am developing a package for my clients and I want a few files to be synced with Google Drive. Please tell me if I can create a Google Developers Console project from my .NET application? When my clients install the application, it will ask for a Google account and I want the app to auto-create the Google Console project, enable the Google APIs and download the client secret JSON file...
Please help me with this...
Thanks in advance.
There is no way to programmatically create projects on the Google Developers Console. That has to be done manually through the website.
Awesome!
p.s. some minor typos here and there – I guess you meant “their” permission, “their” login” instead of “there”… 🙂
I have a question. I know how to get access to the Google API by access token.
In this case my web application can access any Google application the user has authorized.
How can my web application authenticate the user by access token and redirect him to a Google application?
For example, if the user clicks a link on my web site to Google Drive (https://drive.google.com/drive/my-drive), how do I authenticate the user to Google by access token so that the user does not need to enter his user name and password if cookies are deleted or the user has logged out?
You can't authenticate a user by access token. Access tokens are used to access Google APIs.
Once the user authenticates with your system you should be saving their refresh token to your system; when they log back into your system you will have the refresh token needed to get a new access token to access their data.
Hello,
I want to create a Google Drive sync client to sync a local directory with Google Drive using C#. How can I do that?
Hello,
Thanks for this article. I found it very useful. I would like to ask you if there is a similar article for a different use case, which is when you need to connect to your own Google API server-side, without user interaction.
In my situation I want a script to read analytics data from the YouTube Analytics API for a list of YouTube accounts.
Is it possible to have my app authorized by each of the YouTube account owners once, and then store a token that does not expire moving forward and does not require user interaction every time the script runs?
Thanks
G
Normally I would say look into service accounts. However, YouTube Analytics doesn't support service account authentication.
You should authenticate your application once, requesting offline access, then save the refresh token. You will be able to use the refresh token to request a new access token whenever you need one.