Google 3 Legged OAuth2 Flow



The following is a quick reference example of a three-legged OAuth2 request to Google.
Note: client_id, redirect_uri and client_secret are all values that you set up for your app in the Google Developers Console. The scope depends on which Google API you would like to access; more than one can be separated by a comma. I will be using the scope for Google Analytics in this example.

The initial URL to request that the user give you access to their account should look like this (note: response_type=code):

https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code

If you open that link in a browser you will see the consent screen:

[Image: OAuth2 request in browser]

Once they click Accept you will see:

[Image: OAuth2 authentication code]

That is the authorization code; it is used to request a refresh token. It is displayed to the user in the body of the HTML as well as in the title of the page. To get a refresh token you POST the authorization code back to Google. Note: this is an HTTP POST; you can't just place it in a browser, as that would be an HTTP GET. Note: grant_type=authorization_code

https://accounts.google.com/o/oauth2/token
code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code

This is the response:

{
"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}

The access_token you get from the above request is what you will use to make requests to the service. After one hour your access token will have expired and you will need to request a new access_token: take the refresh_token that you got above and HTTP POST it to the token endpoint (note: grant_type=refresh_token):

https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token

This is the response:

{
"access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ",
"token_type" : "Bearer",
"expires_in" : 3600
}

How you send an HTTP GET and an HTTP POST depends upon which language you are using, but the above links should help you create the URLs correctly.
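To tie the three requests together, here is an added Python example (not code from the post) that builds the step-1 URL and sends the step-2 and step-3 POSTs described above. The `post` parameter lets you swap in a fake transport for offline testing; the client id, client secret and authorization code values are whatever you obtained for your own app.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoints and the out-of-band redirect used throughout the post.
AUTH_URL = "https://accounts.google.com/o/oauth2/auth"
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"


def build_auth_url(client_id, scope, redirect_uri=OOB_REDIRECT):
    # Step 1: the link the user opens; response_type=code asks for an authorization code.
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "response_type": "code"}
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def post_form(url, fields):
    # Default transport: a real HTTP POST with a form-encoded body (a GET will not work).
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def with_expiry(token, now=None):
    # Turn the relative expires_in (3600 s) into an absolute timestamp we can check later.
    now = time.time() if now is None else now
    token = dict(token)
    token["expires_at"] = now + token["expires_in"]
    return token


def exchange_code(code, client_id, client_secret, redirect_uri=OOB_REDIRECT, post=post_form):
    # Step 2: trade the one-time code for an access token plus refresh token.
    return with_expiry(post(TOKEN_URL, {
        "code": code, "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri, "grant_type": "authorization_code"}))


def refresh_access_token(refresh_token, client_id, client_secret, post=post_form):
    # Step 3: after the hour is up, use the stored refresh token to get a new access token.
    return with_expiry(post(TOKEN_URL, {
        "client_id": client_id, "client_secret": client_secret,
        "refresh_token": refresh_token, "grant_type": "refresh_token"}))


def needs_refresh(token, now=None, margin=60):
    # True once the access token is expired or within `margin` seconds of expiring.
    now = time.time() if now is None else now
    return now >= token["expires_at"] - margin
```

Keep the refresh_token from step 2 somewhere durable: the step-3 response does not return it again, so losing it means sending the user back through step 1.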



Linda Lawton

About Linda Lawton

My name is Linda Lawton. I have more than 20 years of experience working as an application developer and a database expert. I have also been working with Google APIs since 2012 and I have been contributing to the Google .Net client library since 2013. In 2013 I became a Google Developer Expert for Google Analytics.



12 thoughts on “Google 3 Legged OAuth2 Flow”

  • kicaj

    Great article, but…
    Is there an option without showing/opening the Google Analytics window for accepting? I would like to show stats from my Analytics to my visitors (e.g. show charts).

    • Administrator
      Linda Lawton

      I think you need to look into a service account. Once you have created a service account you can add the service account email address like you would any other user to the Google Analytics account; it will then be able to access your data.

      I don’t have a standard example for this yet; it’s on my list, which gets longer every day.

  • kicaj

    Hi,

    Great article, but I would like to ask about the approve window.
    Is there some solution to show stats to my visitors?
    Something like autologin by my account?

    Thanks, bye!

    • Administrator
      Linda Lawton

      If you want to change something on the consent screen it’s done in the Developer console. It is very limited what you can change; the consent screen is basically something that is created for us by Google’s authentication server, and we don’t get to change too much of it.

  • Prafulla Kumar Sahu

    I am using an installApplication (WordPress plugin), setting the redirect URI

    $client = new Google_Client();
    $client->setRedirectUri( admin_url( 'admin.php?page=analytica-admin-settings', 'http' ) );

    On localhost it is working, but on the server it is showing the error redirect URI mismatch.

    If I change the URI to "urn:ietf:wg:oauth:2.0:oob" with a popup, it shows the “Once they click Accept you will see:” portion and it works fine, but I do not want to use that. I want to use the admin page URL as the redirect URI and want it to work as it is working on localhost. Can you help me with this? I have posted a question on stackoverflow http://stackoverflow.com/questions/34316162/installed-application-redirect-uri-mismatch-when-site-is-online but am not getting any response, please help me.

    • Linda Lawton (Post author)

      WordPress plugins are PHP; you should be using a browser client id, not an installed application client id. Anyone that downloads your plugin to install it is going to have to create their own client anyway, as you can’t release your own.

  • Poroda

    Hi – Thank you for this post, it got me going forward with my own project. Could you please add the type of Authorization used in these POST requests? It would make the thing even clearer.

  • Shrama Ravin

    Hi, your tutorial is great. I need some help while making a request using the URL: https://accounts.google.com/o/oauth2/auth? + 'scope=' + SCOPE + '&client_id=' + CLIENTID + '&client_secret' + CLIENTSEC + '&redirect_uri=' + REDIRECT + '&response_type=' + TYPE; —- I got 1). access_token 2). token_type 3). expires_in. But how do I get the refresh_token?

    And when I use the URL: https://accounts.google.com/o/oauth2/token + 'code' + CODE + '&client_id=' + CLIENTID + '&client_secret=' + secKey + '&redirect_uri=' + REDIRECT + '&grant_type=authorization_code';
    I got the code.

    I just need to allow my app users to see their Drive files without login after the first-time authentication (with Google login password). I need your help. I have used all the tutorials and the Google guide but can’t find the solution. Please help.