Google 3 Legged OAuth2 Flow



The following is a quick reference example of a three-legged OAuth2 request to Google.
Note: client_id, redirect_uri and client_secret are all values that you have set up for your app in the Google Developers Console. Scope will depend upon which Google API you would like to access; more than one can be separated by a comma. I will be using the scope for Google Analytics in this example.

The initial URL to request that the user give you access to their account should look like this. Note: response_type=code

https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code

If you open that link in a browser you will see this:

[Image: OAuth2 request in the browser]

Once they click Accept you will see:

[Image: OAuth2 authentication code]

That is the Authentication Code; it is used to request a refresh token. It is displayed to the user in the body of the HTML as well as in the title of the page. To get a Refresh Token you POST the Authentication Code back to Google. Note: This is an HTTP POST; you can't just place it in a browser, because that would be an HTTP GET. Note: grant_type=authorization_code

https://accounts.google.com/o/oauth2/token
code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code

This is the response:

{
"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}

The access_token you get from the above request is what you will be using to make requests to the service. After one hour your access token will have expired and you will need to request a new access_token. To do that, take the refresh_token that you got above and HTTP POST it to the URL below. Note: grant_type=refresh_token

https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token

This is the response:

{
"access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ",
"token_type" : "Bearer",
"expires_in" : 3600
}

How you send an HTTP GET and an HTTP POST depends upon which language you are doing this in, but the above links should help you create the URLs correctly.
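The three requests above, built with correct URL encoding, as an added Python example (not code from the original post). The function names and the stored-token dict layout are assumptions made for illustration; the endpoints, parameters and the oob redirect_uri are the ones shown above.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

AUTH_URL = "https://accounts.google.com/o/oauth2/auth"    # endpoint shown on the page
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"  # endpoint shown on the page
OOB = "urn:ietf:wg:oauth:2.0:oob"                         # redirect_uri shown on the page

def authorization_url(client_id, scope):
    """Leg 1: the URL the user opens in a browser (an HTTP GET)."""
    return AUTH_URL + "?" + urlencode({"client_id": client_id, "redirect_uri": OOB,
                                       "scope": scope, "response_type": "code"})

def token_request(client_id, client_secret, **grant):
    """Build (not send) the POST; secrets travel in the body, never in the URL."""
    form = {"client_id": client_id, "client_secret": client_secret, **grant}
    return Request(TOKEN_URL, data=urlencode(form).encode("ascii"), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def exchange_code(client_id, client_secret, code):
    """Leg 2: trade the code the user copied for access and refresh tokens."""
    return token_request(client_id, client_secret, code=code,
                         redirect_uri=OOB, grant_type="authorization_code")

def refresh(client_id, client_secret, refresh_token):
    """Leg 3: trade the stored refresh token for a new access token."""
    return token_request(client_id, client_secret,
                         refresh_token=refresh_token, grant_type="refresh_token")

def merge_token_response(stored, body, now=None):
    """Fold a token response into stored state (hypothetical dict layout).
    The refresh response has no refresh_token, so the stored one is kept."""
    reply = json.loads(body)
    if "error" in reply:
        raise ValueError("token endpoint error: " + str(reply["error"]))
    merged = dict(stored, access_token=reply["access_token"])
    merged["expires_at"] = (time.time() if now is None else now) + int(reply["expires_in"])
    if "refresh_token" in reply:
        merged["refresh_token"] = reply["refresh_token"]
    return merged

def is_expired(token, now=None, skew=60):
    """True once the access token is within `skew` seconds of expiry."""
    return (time.time() if now is None else now) >= token["expires_at"] - skew

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    req = exchange_code("example-id.apps.googleusercontent.com", "example-secret", "4/example-code")
    print(req.get_method(), req.full_url, req.data.decode())
```

Send a built request with urllib.request.urlopen(req) and pass the response body to merge_token_response. Google has since deprecated the urn:ietf:wg:oauth:2.0:oob redirect, so a current client would register a real redirect URI in its place.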


Linda Lawton

About Linda Lawton

My name is Linda Lawton. I have more than 20 years' experience working as a developer and a database expert. I have been working with several of the Google APIs since 2012. I help others in the online community to develop with the Google APIs by creating my own blog, www.daimto.com. This and my presence on a number of online developer forums led me to be noticed by the Google Analytics API development team. I was nominated for and recently became one of the first Google Developer Experts for Google Analytics.



8 thoughts on “Google 3 Legged OAuth2 Flow”

  • kicaj

    Great article, but…
    Is there an option without showing/opening the Google Analytics window for accepting? I would like to show stats from my Analytics to my visitors (e.g. show charts).

    • Administrator
      Linda Lawton

      I think you need to look into a service account. Once you have created a service account you can add the service account email address like you would any other user to the Google Analytics account; it will then be able to access your data.

      I don’t have a standard example for this yet, it's on my list, which gets longer every day.

  • kicaj

    Hi,

    Great article, but I would like to ask about the approval window.
    Is there some solution to show stats to my visitors?
    Something like autologin with my account?

    Thanks, bye!

    • Administrator
      Linda Lawton

      If you want to change something on the consent screen, it's done in the Developer console. It is very limited what you can change; the consent screen is basically something that is created for us by Google's Authentication server, and we don’t get to change too much of it.

  • Prafulla Kumar Sahu

    I am using an installApplication (WordPress Plugin), setting the redirect URI:

    $client = new Google_Client();
    $client->setRedirectUri( admin_url( 'admin.php?page=analytica-admin-settings', 'http' ) );

    On localhost it is working, but on the server it is showing a redirect URI mismatch error.

    If I change the URI to “urn:ietf:wg:oauth:2.0:oob” with a popup, it shows the “Once they click Accept you will see:” portion and it works fine, but I do not want to use that. I want to use the admin page URL as the redirect URI and want it to work as it is working on localhost. Can you help me with this? I have posted a question on Stack Overflow http://stackoverflow.com/questions/34316162/installed-application-redirect-uri-mismatch-when-site-is-online but am not getting any response, please help me.

    • Linda Lawton
      Linda Lawton Post author

      WordPress plugins are PHP; you should be using a browser client id, not an installed application client id. Anyone that downloads your plugin to install it is going to have to create their own client anyway, as you can't release your own.