[wp_ad_camp_3]
Occasionally while working on a project I have need to test some calls to Googles APIs manually. To do that you need an access token. Getting an Access token can be a pain sometimes.
So i have created a simple CURL script that will show you how to authenticate to Google and get an access token.
You will need to go to Google developer console and create a client id for this its easier to use a type other client. By using type other we can avoid the need for a redirect URI, we don’t really need one as we are just going to run this as a curl script. If you are really worried about security you can lock the client to your ip address.
Prerequisites
What you need are the following:
- Client ID
- Client Secret
- Scopes – the scopes define what access you will receive. you can have more then one just put a space between them. For this i am just going to use openid.
Requesting Authorization
Now replace the values needed in the following link and put it in a web browser
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code
Exchanging Authentication code
You should get the standard request for authentication. Once you have accepted authentication copy the Authentication code. Take the following code replace the values as needed.
curl \
–request POST \
–data “code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code” \
https://accounts.google.com/o/oauth2/token
You should get something like this:
{
“access_token”:“XXXXX”,
“expires_in”:3600,
“id_token”:“XXXXX”,
“refresh_token”:“XXXXX”,
“token_type”:“Bearer”
}
Congratulations you now have an access token you can use in your Google API call. Just remember to use access_token= and not key= there is a difference.
[wp_ad_camp_5]
Use Refresh Token
If your access token expires you can use the following command to refresh it using the Refresh token.
curl \
–request POST \
–data ‘client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token’ \
https://accounts.google.com/o/oauth2/token
The response will be slightly diffrent this time. You wont get a new Refresh token.
{
“access_token” : “XXXXX”,
“expires_in” : 3600,
“id_token” : “xxxxx”,
“token_type” : “Bearer”
}
Conclusion
We can use a couple of simple curl commands to get an access token for use with Google APIs. There is a public Gist up on Github for this GoogleAuthenticationCurl.sh
Its important to note that some of these characters are not ascii-text characters, and may cause errors if you copy and paste it. In addition, there should be a “–” before “request” and “data”; not a single dash. Other than that, this guide should work.
Can i use this without auth window?
server to server way?
thank
You would need to authenticate it once then save the refresh token you wont need to authenticate again after that. Or figure out how to do service account authentication. I haven’t had the time to work out service account authentication in curl myself. However if you get it working i would love to see it.
Hi Linda,
I used the php-client-api but fails miserably. I use my own autoloader. Even the required files from GuzzleHttp seem to be loaded but still can’t pass “$client->authenticate($_GET[‘code’]);” as in tutorials. With curl-php I managed to make a authorization request and get the data with fields:
[access_token] => ya29…
[expires_in] => 2017-11-03 15:37:04
[id_token] => ey…
[token_type] => Bearer
So, my question is:
a) where is the refresh field?
My curl-php (passes):
public function authenticate($code, $client_id, $client_secret, $redirect_uri) {
$url = ‘https://accounts.google.com/o/oauth2/token’;
$curlPost = ‘client_id=’ . $client_id . ‘&client_secret=’ . $client_secret . ‘&redirect_uri=’ . $redirect_uri . ‘&code=’. $code . ‘&grant_type=authorization_code’;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
$data = json_decode(curl_exec($ch), true);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code != 200)
throw new \Exception(__CLASS__ . “::authenticate() is called but failed to receieve access token!”);
$this->access = $data;
$this->access[‘expires_in’] = \date(“Y-m-d H:i:s”, \time() + $this->access[‘expires_in’]);
}
My other question is:
b) how do we get user info?
My curl-php (fails):
public function userinfo($access_token) {
= $this->access[‘access_token’];
$url = ‘https://www.googleapis.com/plus/v2/people/me’;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(‘Authorization: Bearer ‘. $access_token));
$data = json_decode(curl_exec($ch), true);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code != 200)
throw new \Exception(__CLASS__ . “::userinfo() is called but failed to get user information!”);
$this->data = $data;
return $data;
}
Thanks for your patience.
Refresh token will only appear if you request offline access. I think you should put this question up on stackoverflow.com its to much code to go though in comments make sure to tag it google-api-php-clinet
Hi, Linda,
thank you very much for this helpful information.
I have a related question to this topic and hope you could help me to find some answers:
According to this Google documentation: https://cloud.google.com/speech/docs/auth
I can read about bearer tokens obtained with gcloud and cURL for the speech API. Now here are my questions:
1. Can these bearer tokens be used to make gRPC streaming requests to the speech API?
2. Are these bearer tokens only valid for 3600 seconds?
3. Is there a limit on how many bearer tokens one service account will issue or can be possessed at the same time, when using a service account?
4. Once a successful connection to the speech API has been established with a bearer token, is it possible to establish a second connection, using the identical same bearer token, while the first connection is still ongoing? (We hope not, for security reasons.)
5. What steps are recommended to enforce that only legitimate use of these bearer tokens happen? (Keywords: “network sniffer”, “reverse engineering”) We plan to distribute them at application runtime to our clients (end users) who are using our dictation software as a native c# windows application?
Many thanks for your help.
Best,
Sven
1. I have no experience with the gRPC streaming apis sorry cant help with this.
2. yes access tokens are only valid for one hour
3. not that I know of i have never found one.
4. Sorry i have no experience with that api try it see what happens.
5. I think you should put these question son stackoverflow.com
This was very helpful, thanks! I referenced your tutorial to answer how to authenticate to Google API using MATLAB: https://www.mathworks.com/matlabcentral/answers/264403-how-can-i-access-an-api-which-requires-oauth-2-0-authorization-such-as-google-apis#answer_302103
Sorry i have no experience with MatLab
“error”: “unsupported_grant_type”,
“error_description”: “Invalid grant_type
You created the wrong type of client in Google developer console. You need to create a native client i believe.
what authorisation_code should i give to grant type
None the value you should send as grant type is authorisation_code
When i tried this authentication for google analytics it gave me the access code but when i tried to retrieve the data from google analytics using this access token it showed this error
{“error”:{“errors”:[{“domain”:”global”,”reason”:”required”,”message”:”Login Required”,”locationType”:”header”,”location”:”Authorization”}],”code”:401,”message”:”Login Required”}}
Authorization code must be exchanged for an access token. YOu need to send the accss token with your request to the api either as a authorization header bearer token or as a parameter in the request ?access_token=
Thank you, now i am able to get the refresh token .
Great instruction. However I am still having issues. I get failed to convert -data and code=4 to ACE. string contains a disallowed character.
I am on windows using bash to run the curl command.
well if the code you are sending is 4 then there is something wrong. Thats not a valid code.