Google 3 Legged OAuth2 Flow 28

The following is a quick reference example of three legged OAuth2  request to Google.
Note: client_id, redirect_uri, client_secret are all values that you have set up for your app in Google Developers Console. Scope will depend upon which Google Api you would like to access, more then one can be separated by a comma.  I will be using the scope for Google Analytics in this example.

The initial URL to request that the user give you access to there account should look like this: Note: response_type=code{clientid}

If you open that link in a browser you will see this.:


Once they click Accept you will see:

Ouath2 Authentication code

That is the Authentication Code, it is used to request a refresh token.   It is displayed to the user in the body of the html as well as in the title of the page. To get a Refresh Token you POST the Authentication code back to Google. Note: This is a HTTP Post you cant just place it in a browser that would be a HTTP Get. Note: grant_type=authorization_code

This is the response:

"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"

The access_token you get from the above request is what you will be using to make requests to the service. After one hour your access token will have expired you will need to request a new access_token you take the refresh_token that you got above and HTTP Post it to: Note: grant_type=refresh_token

This is the response:

"access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ",
"token_type" : "Bearer",
"expires_in" : 3600

How you send a HTTP get and HTTP post depends upon which language you are doing this in. But the above links should help you create the urls correctly.

About Linda Lawton

My name is Linda Lawton I have more than 20 years experience working as an application developer and a database expert. I have also been working with Google APIs since 2012 and I have been contributing to the Google .Net client library since 2013. In 2013 I became a a Google Developer Experts for Google Analytics.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

28 thoughts on “Google 3 Legged OAuth2 Flow

  • kicaj

    Great article, but…
    There is option without show/open Google Analytics Window for accepting? I would like show stats from my Analytics for my visitors (e.g. show charts).

    • Linda Lawton

      I think you need to look into a service account. Once you have created a service account you can add the service account email address like you would any other user to the Google analytics account it will then be able to access your data.

      I don’t have a standard example for this yet, its on my list which gets longer every day.

  • kicaj


    Great article, but I would like ask about approve window.
    There is some solution to show stats for my visitors.
    Something like autologin by my account?

    Thanks, bye!

    • Linda Lawton

      If you want to change something on the consent screen its done in the Developer console. It is very limited what you can change, the consent screen is basically something that is created for us by Googles Authentication server we don’t get to change to much of it.

  • Prafulla Kumar Sahu

    I am using an installApplication ( WordPress Plugin ),setting redirect URI

    $client = new Google_Client();
    $client->setRedirectUri( admin_url( ‘admin.php?page=analytica-admin-settings’, ‘http’ ) );

    in localhost It is working, but in server it is showing error redirect URI mismatch.

    if I change the URI to “urn:ietf:wg:oauth:2.0:oob” with a popup, It shows and “Once they click Accept you will see:” this portion and it works fine, but I do not want to use that, I want to use the admin page url as redirect uri and want it to work as, it is working on localhost, Can you help me on this. I have posted a question on stackoverflow but not getting any response, please help me.

    • Linda Lawton Post author

      Word press plugins are PHP you should be using a browser client id not an installed application client id. Anyone that downloads your plugin to install it is going to have to create there own client anyway as you cant release your own.

  • Poroda

    Hi – Thankyou for this post, it got me going forward with my own project. Could you please add the type of Authorization used in these post-requests? It would make the thing even clearer.

  • Shrama Ravin

    Hi your tutorial is great. I need some help while making by using url : + ‘scope=’ + SCOPE + ‘&client_id=’ + CLIENTID + ‘&client_secret’ + CLIENTSEC +’&redirect_uri=’ + REDIRECT + ‘&response_type=’ + TYPE; —- I got 1). access_token 2). token_type 3). expires_in. But How to get the refresh_token.

    ANd when I use the url : ‘code’ + CODE + ‘&client_id=’ + CLIENTID + ‘&client_secret=’ + secKey + ‘&redirect_uri=’ + REDIRECT + ‘&grant_type=authorization_code’;
    I got the Code.

    I just need to allow my app user to see their drive files without login. After first time authentication (with google login password). I need your help. I has used all the tutorial and google guid but cant find the solution. Please help.

  • Rithvik Gambhir

    Hey Linda,

    Great tutorial! However, I’m not sure how you were able to retrieve the authorization code from the URL after the Google user has given the application permission.

    You mention that we are required to copy the authorization code, paste it in the application so the second call to the token endpoint can be made. Is there a workaround to retrieve this authorization code programmatically so the end-user has to just click “Accept” and the application can then go ahead with making the call to the token endpoint for the access and refresh tokens?

    • Linda Lawton Post author

      To my knowledge this still works but its been a while since i have tested it. I recommend looking for a client library in the language of your choice most of them handle grabbing the authentication code for you.

  • Neal Myers

    Thank you! I have used this post (and others) to retrieve an access token using the refresh token. I am however unclear how to use it. Do you know of any examples/direction for the next step i.e. using the retrieved token to access api functionality e.g.

    In my case I will try to use python and the google youtube data api to refresh (delete and upload new) a video to my channel hourly.

  • Manjusha


    Great post. When I try with google directory, with redirect uri as localhost, I get error “Site cant be reached. Localhost refused to connect”. Can you please help
    Thank you

  • Stephen Burns

    Always like your posts, I think this one is now officially outdated as google have blocked the OOB method for Oauth2. Not sure if this should be marked as deprecated?