In my earlier article on how to test Google OAuth 2.0 flows from the command line I showed how to generate Google OAuth 2.0 Access Token, Refresh Token, and ID Token.
In this article, I will show how to refresh an Access Token.
You will need your Client ID, Client Secret and Refresh Token.
In this example, the Client ID and Client Secret are stored in the Google secrets file /config/client_secrets.json. The Refresh Token is stored in the file refresh.token. The refresh.token file was created by curl_oauth.bat from my previous article.
Download Git Repository
I have published the files for this article on GitHub.
https://github.com/jhanley-com/google-oauth-2-0-testing-with-curl
License: MIT License
Clone my repository to your system. The code in this article is in directory v3.
```
git clone https://github.com/jhanley-com/google-oauth-2-0-testing-with-curl.git
```
Windows Batch Script:
```
REM Read the Client ID and Client Secret from the Google secrets file
@set FILE=\config\client_secrets.json
@set CMD_1=jq -r ".installed.client_id" %FILE%
@set CMD_2=jq -r ".installed.client_secret" %FILE%

@for /f %%i in ('%CMD_1%') do set CLIENT_ID=%%i
@for /f %%i in ('%CMD_2%') do set CLIENT_SECRET=%%i

REM Debug output: this prints the Client Secret to the console
@echo Client ID: %CLIENT_ID%
@echo Client Secret: %CLIENT_SECRET%

set ENDPOINT=https://www.googleapis.com/oauth2/v4/token

REM Load the Refresh Token saved by curl_oauth.bat
set /p REFRESH_TOKEN=<refresh.token

REM Exchange the Refresh Token for a new Access Token
curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data grant_type=refresh_token ^
--data refresh_token=%REFRESH_TOKEN% ^
%ENDPOINT% > oauth_refreshed.token

REM Extract the Access Token from the JSON response
jq -r ".access_token" oauth_refreshed.token > access.token

set /p ACCESS_TOKEN=<access.token

echo "Token Information:"
curl -H "Authorization: Bearer %ACCESS_TOKEN%" https://www.googleapis.com/oauth2/v3/tokeninfo
```
The output from https://www.googleapis.com/oauth2/v4/token looks like this:
```
{
  "access_token": "ya29.deleted_for_security_reasons",
  "expires_in": 3600,
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform",
  "token_type": "Bearer",
  "id_token": "eyJdeleted_for_security_reasons"
}
```
Notice the new Access Token and ID Token.
In summary, refreshing a Google OAuth 2.0 Access Token requires three items:
- Client ID
- Client Secret
- Refresh Token
However, to obtain a Refresh Token the original OAuth 2.0 authentication must have requested access_type=offline or access_type=consent.
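An added example (not from this article's repository): the same refresh request in Python, with a check on the reply, because on an error reply such as invalid_grant the batch script's jq -r ".access_token" writes the string null to access.token. The function names and the RefreshError class are assumptions made for this example; the endpoint, form fields and the "installed" section come from the script above.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"  # same endpoint as the script

class RefreshError(Exception):
    """The token endpoint did not return a usable access token."""

def load_client(path):
    """Read client_id and client_secret from the "installed" section."""
    with open(path, encoding="utf-8") as fh:
        installed = json.load(fh)["installed"]
    return installed["client_id"], installed["client_secret"]

def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the POST that curl sends: four URL-encoded form fields."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token.strip(),  # file may end in a newline
    }).encode("ascii")
    return urllib.request.Request(ENDPOINT, data=form, method="POST")

def parse_token_response(body, now=None):
    """Return (access_token, expires_at) or raise RefreshError."""
    doc = json.loads(body)
    if "error" in doc:
        # OAuth 2.0 error object, e.g. invalid_grant for a revoked Refresh Token
        raise RefreshError(f'{doc["error"]}: {doc.get("error_description", "")}')
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise RefreshError("response carries no bearer access token")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc["expires_in"])

def refresh(secrets_path, token_path):
    """Perform the refresh over the network; secrets are never printed."""
    with open(token_path, encoding="utf-8") as fh:
        req = build_refresh_request(*load_client(secrets_path), fh.read())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as err:  # 4xx bodies hold the error object
        return parse_token_response(err.read())
```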
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.