
If you have ever wanted to test Google OAuth 2.0 flows from the command line, you will like this short article.

[Update: I thought about the problem below with the copy and paste requirement. I created a simple Python web server that listens for the OAuth 2.0 callback and automates the two curl commands. I will document this in a follow-up Part 2 article.]

Google OAuth 2.0 – Testing with Curl – Version 2
Google OAuth 2.0 – Testing with Curl – Refresh Access Token

This article is for Windows Command Prompt users but should be easily adaptable to Linux and Mac also.

You will need your Google Client ID and Client Secret. These can be obtained from the Google Console under APIs & Services -> Credentials. In the following example code, these are stored in the file /config/client_secrets.json.

These examples also use the program jq for processing the JSON output. You can download a copy here.

In the following example, the Scope is cloud-platform. Modify to use the scopes that you want to test with. Here are a few scopes that you can test with:

OAuth 2.0 Scopes for Google APIs

Details:
  1. Copy the following statements to a Windows batch file.
  2. Modify to fit your environment.
  3. Modify the script for the browser that you want to use.
  4. Run the batch file.
  5. A browser will be launched.
  6. The browser will go to https://accounts.google.com where you can complete the Google OAuth 2.0 authentication.
  7. Once complete, a code will be displayed in the browser window.
  8. Copy this code (control-c) from the browser window and paste into the command prompt window (control-right-click).
  9. The script will complete the OAuth 2.0 code exchange for a Token.
  10. The Token will be displayed in the command prompt.

The returned Token contains an Access Token that can be used in more curl commands.

Windows Batch Script:

The final output looks like this:

Example curl command using Access Token:

Tip: Save the Access Token to a file

Modify the last line of the batch script to use jq to process the output:

The last two lines show how to read the Access Token that was saved to a file for further use in more scripts.

Remember that Tokens expire after 60 minutes, which is the default value.

This example implements the most common type of OAuth application – Web Server Application.

In the code above, we begin by creating the login endpoint:

and build a URL containing the endpoint and query parameters:

  • response_type=code – Indicates that your server expects to receive an authorization code
  • client_id – The client ID you received when you first created the application
  • redirect_uri – Indicates the URI to return the user to after authorization is complete
  • scope – One or more scope values indicating which parts of the user’s account you wish to access
  • state – A random string generated by your application, which you’ll verify later (optional – not used in our example program)

The login URL then looks similar to this:

Notice the special redirect_uri used in the URL: urn:ietf:wg:oauth:2.0:oob

This value signals to the Google Authorization Server that the authorization code should be returned in the title bar of the browser, with the page text prompting the user to copy the code and paste it in the application. This is useful when the client (such as a Windows application) cannot listen on an HTTP port without significant client configuration.

Next, we launch a web browser using this code to log in with Google Accounts. Three different browsers are listed, with two commented out, so that you can select one for your test case.

After the user completes the OAuth authentication (login), a code will be displayed in the browser. This part of the script allows the user to enter that code into the example script:

The next step is to exchange the code for OAuth tokens:
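The steps described above, as an added Python example that is not the article's batch script: it builds the login URL from the listed parameters, includes the `state` value that the article's program leaves out and checks it on a redirect callback (as a listener like the one mentioned in the update would), then forms the code-exchange request and reads the token expiry. The endpoint URLs, function names and sample values are assumptions of this example.

```python
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Google's published OAuth 2.0 endpoints (assumed; the article's script may use others).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

def build_login_url(client_id, redirect_uri, scope):
    """Return (url, state) for the authorization request."""
    state = secrets.token_urlsafe(32)  # unguessable value, checked when the user returns
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state

def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from a redirect, rejecting a wrong state."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    # Constant-time comparison on bytes; a mismatch means the response is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def token_request_body(client_id, client_secret, redirect_uri, code):
    """Form fields to POST to TOKEN_ENDPOINT to exchange the code for tokens."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the value sent in the login URL
    })

def parse_token_response(body, now=None):
    """Return (access_token, expiry_epoch) from the token endpoint's JSON reply."""
    token = json.loads(body)
    now = time.time() if now is None else now
    return token["access_token"], now + int(token["expires_in"])
```

The body returned by `token_request_body` is what curl would send with `-d` to the token endpoint; keep it out of logs and shell history, since it contains the Client Secret.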