Introduction
If you have ever wanted to test Google OAuth 2.0 flows from the command-line, you will like this short article.
[Update: I thought about the problem below with the copy and paste requirement. I created a simple Python web server which listens to the OAuth 2.0 callback which automates the two curl commands. I will document this in a follow-up Part 2 article.]
Google OAuth 2.0 – Testing with Curl – Version 2
Google OAuth 2.0 – Testing with Curl – Refresh Access Token
This article is for Windows Command Prompt users but should be easily adaptable to Linux and Mac also.
You will need your Google Client ID and Client Secret. These can be obtained from the Google Console under APIs & Services -> Credentials. In the following example code, these are stored in the file /config/client_secrets.json
These examples also use the program jq for processing the JSON output. You can download a copy here.
In the following example, the Scope is cloud-platform. Modify to use the scopes that you want to test with. Here are a few scopes that you can test with:
"https://www.googleapis.com/auth/cloud-platform"
"https://www.googleapis.com/auth/cloud-platform.read-only"
"https://www.googleapis.com/auth/devstorage.full_control"
"https://www.googleapis.com/auth/devstorage.read_write"
"https://www.googleapis.com/auth/devstorage.read_only"
"https://www.googleapis.com/auth/bigquery"
"https://www.googleapis.com/auth/datastore"
OAuth 2.0 Scopes for Google APIs
Download Git Repository
I have published the files for this article on GitHub.
https://github.com/jhanley-com/google-oauth-2-0-testing-with-curl
License: MIT License
Clone my repository to your system:
git clone https://github.com/jhanley-com/google-oauth-2-0-testing-with-curl.git
Details:
- Copy the following statements to a Windows batch file or refer to my repository directory “v1”.
- Modify to fit your environment.
- Modify the script for the browser that you want to use.
- Run the batch file.
- A browser will be launched.
- The browser will go to https://accounts.google.com where you can complete the Google OAuth 2.0 authentication.
- Once complete, a code will be displayed in the browser window.
- Copy this code (control-c) from the browser window and paste into the command prompt window (control-right-click).
- The script will complete the OAuth 2.0 code exchange for a Token.
- The Token will be displayed in the command prompt.
The returned Token contains an Access Token that can be used in more curl commands.
Windows Batch Script:
set CLIENT_ID=Replace_with_your_Client_ID
set CLIENT_SECRET=Replace_with_your_Client_Secret
set SCOPE=https://www.googleapis.com/auth/cloud-platform
set ENDPOINT=https://accounts.google.com/o/oauth2/v2/auth

set URL="%ENDPOINT%?client_id=%CLIENT_ID%&response_type=code&scope=%SCOPE%&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob"

@REM start iexplore %URL%
@REM start microsoft-edge:%URL%
start chrome %URL%

set /p AUTH_CODE="Enter Code displayed in browser: "

curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token
The final output looks like this:
{
  "access_token": "ya29.deleted_for_security_reasons",
  "expires_in": 3600,
  "refresh_token": "1/jk3/deleted_for_security_reasons",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "token_type": "Bearer"
}
Example curl command using Access Token:
set ACCESS_TOKEN=replace_with_your_access_token
set PROJECT=development-123456
set ZONE=us-west-1a
set INSTANCE_NAME=dev-system

@REM - This endpoint will start the instance named INSTANCE_NAME in ZONE
set ENDPOINT=https://www.googleapis.com/compute/v1/projects/%PROJECT%/zones/%ZONE%/instances/%INSTANCE_NAME%/start

@REM - instances.start is a POST request; --data "" sends an empty body
curl -X POST --data "" -H "Authorization: Bearer %ACCESS_TOKEN%" "%ENDPOINT%"
Tip: Save the Access Token to a file
Modify the last line of the batch script to use jq to process the output:
curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token | jq -r ".access_token" > token.save

set /p ACCESS_TOKEN=<token.save
echo %ACCESS_TOKEN%
The last two lines show how to read the Access Token that was saved to a file for further use in more scripts.
Remember, Tokens expire after 60 minutes which is the default value.
This example implements the most common type of OAuth application – Web Server Application.
In the code above, we begin by creating the login endpoint:
set ENDPOINT=https://accounts.google.com/o/oauth2/v2/auth
and build a URL containing the endpoint and query parameters:
- response_type=code – Indicates that your server expects to receive an authorization code
- client_id – The client ID you received when you first created the application
- redirect_uri – Indicates the URI to return the user to after authorization is complete
- scope – One or more scope values indicating which parts of the user’s account you wish to access
- state – A random string generated by your application, which you’ll verify later (optional – not used in our example program)
The login URL then looks similar to this:
client_id=123456789012-a4ebh96l7ltyyblk14jc8x5607kf03rl.apps.googleusercontent.com&response_type=code&scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob"
Notice the special redirect_uri used in the URL: urn:ietf:wg:oauth:2.0:oob
This value signals to the Google Authorization Server that the authorization code should be returned in the title bar of the browser, with the page text prompting the user to copy the code and paste it in the application. This is useful when the client (such as a Windows application) cannot listen on an HTTP port without significant client configuration.
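The query parameters listed above, including the optional state value that the batch script leaves out, built and verified in Python. This is an added example, not code from the article or its repository; it assumes a loopback redirect URI (such as a local callback server would use) instead of the oob value, the client ID is a constructed placeholder, and build_auth_url and check_callback are hypothetical helper names.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # from the article


def build_auth_url(client_id, scope, redirect_uri):
    """Return (login_url, state) with every query value percent-encoded."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "access_type": "offline",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}", state


def check_callback(callback_url, expected_state):
    """Return the authorization code, or raise if state is missing or wrong."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response does not
    # belong to the login this process started (possible CSRF).
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding authorization code")
    codes = params.get("code")
    if not codes:
        raise ValueError("callback carries no authorization code")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values: placeholder client ID, assumed loopback redirect.
    url, state = build_auth_url(
        "example-client-id.apps.googleusercontent.com",
        "https://www.googleapis.com/auth/cloud-platform",
        "http://127.0.0.1:8080/",
    )
    print(url)
    callback = f"http://127.0.0.1:8080/?state={state}&code=4/constructed-code"
    print(check_callback(callback, state))
```

Keep the state value only in the process that started the login and discard it after one use, so a replayed or forged callback cannot be matched to it.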
Next, we launch a web browser using this code to login using Google Accounts. Three different browsers are listed with two being commented out so that you can select one for your test case.
@REM start iexplore %URL%
@REM start microsoft-edge:%URL%
start chrome %URL%
After the user completes the OAuth authentication (login), a code will be displayed in the browser. This part of the script allows the user to enter that code into the example script:
set /p AUTH_CODE="Enter Code displayed in browser: "
The next step is to exchange the code for OAuth tokens:
curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token
Credits
I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Achim Bongard at Pexels.
Last Updated: June 18, 2019
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
January 13, 2019 at 5:15 AM
This girl oauth tutorial is extremely helpful for testing what’s really going on in the entire process.
What’s the process to use refresh tokens after access tokens expire?
January 13, 2019 at 4:48 PM
My curl example does not save the OAuth Refresh Token. This means that the OAuth Access Token cannot be renewed. You will need to repeat the process and obtain a new Access Token.
However, as I mention in the article, I wrote a small web server for the curl example. I have not published this web server example yet. I should look into your question about refresh and show an example for that too. Thank you for the idea.
November 7, 2019 at 12:02 PM
Thank you. It was really helpful. 🙂
August 1, 2021 at 5:29 PM
My goal is to automate the process. In order to get the code in the first step it requires to authenticate via browser. How can we avoid the authentication step and get the code directly?
August 7, 2021 at 7:31 PM
You cannot. Google authorization of a user identity requires human interaction with a browser. For non-user authentication/authorization use a service account.