OAuth2 and Google Services

Introduction

OAuth 2.0 is an open authorization framework that allows applications to access a user’s resources on a given service. With Google services, OAuth 2.0 lets you obtain access tokens so your application can interact with Google APIs on behalf of the user.

To use OAuth 2.0 with Google services:

  1. Create a project in the Google Cloud Console (https://console.cloud.google.com). This project represents your application.

  2. Enable the necessary APIs that your application needs to access (for example, the Google Calendar API for a calendar application).

  3. Set up the OAuth consent screen to specify the information about your application shown to users when access is requested (application name, logo, requested scopes).

  4. Create credentials: create OAuth 2.0 client credentials for your application. You will provide a redirect URI — the endpoint the authorization server redirects to after authentication.

  5. Implement the authorization flow appropriate for your application (commonly the authorization code flow). The user is redirected to Google’s authorization server to grant the requested permissions.

  6. Obtain an access token: after the user grants permission, exchange the authorization code for an access token at Google’s token endpoint.

  7. Use the access token: include it in the Authorization header of your requests following the OAuth 2.0 Bearer token scheme.

Authentication

Create an authenticator of type oauth2 to connect with the Google OAuth2 protocol. OAuth2 requires three requests: an auth request to obtain the authorization code, a token request to obtain the token, and a refresh token request.

Authentication Request

The authorization request typically involves the following steps:

  1. The client application redirects the user to the authorization server’s authorization endpoint URL with the parameters below.

  2. Provide a client_id — the unique identifier of the client application.

  3. Add a redirect_uri — the URL the authorization server redirects the user’s browser to after authorization completes.

  4. Specify the response_type — the value should be code, indicating that an authorization code is requested.

  5. The authorization server authenticates the user and asks for permission to grant the requested access.

  6. If the user grants permission, the authorization server generates an authorization code and redirects the user’s browser to the redirect_uri with the code appended as a query parameter.

  7. The client application receives the authorization code and uses it to request an access token to access the protected resources on behalf of the user.

OAuth2 authentication request
The authorization code must be kept confidential. The redirect_uri does not need to be set here. Configure your Google Developer Console account to obtain your client_id (https://console.cloud.google.com).

Token Request

To obtain the token, send a POST request to Google’s token endpoint (https://oauth2.googleapis.com/token) with the following parameters:

  1. grant_type: set to authorization_code

  2. code: set to the authorization code obtained previously

  3. redirect_uri: set to the same value used in the authorization request

  4. client_id: the ID of the Google Cloud Console project

  5. client_secret: the secret key of the Google Cloud Console project

OAuth2 token request

Refresh Token Request

To request a refresh token, include the access_type parameter set to offline in the initial authorization request to Google’s authorization server. This indicates that a refresh token is requested alongside the access token.

Refresh token request
When you click Authenticate, the result of each of the three requests is shown in its corresponding tab panel below.
OAuth2 authentication result

Request: List Messages of a Google Account

In this example we retrieve all messages in a Google account. You can implement any request you need:

Get messages request