
Google OAuth 2.0

Introduction

Google OAuth 2.0 allows users to securely authorize access to their data in Google APIs. This document provides a step-by-step guide on how to implement the OAuth 2.0 flow.

Prerequisites

  1. A Google account.
  2. A Google Cloud project with the necessary APIs enabled.
  3. OAuth 2.0 credentials (Client ID and Client Secret).

Step 1: Setting Up Your Google Cloud Project

  1. Go to the Google Cloud Console.
  2. Create a new project or select an existing one.
  3. Navigate to APIs & Services > Credentials.
  4. Click on Create Credentials and select OAuth 2.0 Client IDs.
  5. Configure the consent screen:
    • Provide required information like Application name, support email, etc.
  6. Create OAuth 2.0 Client ID:
    • Choose application type (e.g., Web application).
    • Configure authorized redirect URIs (e.g., https://yourapp.com/oauth2/callback).
  7. Note down the Client ID and Client Secret.

Step 2: Creating the Authorization URL

To initiate the OAuth 2.0 flow, create an authorization URL and redirect the user to it.

Authorization URL Example:

https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_SCOPES&state=STATE_PARAMETER&access_type=offline&prompt=consent

Parameters:

  • response_type=code: Indicates that you want an authorization code.
  • client_id: Your OAuth 2.0 Client ID.
  • redirect_uri: One of the redirect URIs configured in your Google Cloud project.
  • scope: A space-separated list of scopes identifying the resources your application may access on the user's behalf (e.g., https://www.googleapis.com/auth/userinfo.profile). Request only the scopes the application actually needs.
  • state: An unguessable random value your application generates for each authorization request and verifies when the callback arrives. It binds the callback to the request that started it and protects against CSRF.
  • access_type=offline: Requests a refresh token for long-term access.
  • prompt=consent: Forces the consent screen to be shown even if the user has already granted access. Google issues a refresh token only when consent is granted, so a returning user will not receive a new refresh token unless this is set together with access_type=offline.

Example URL:

https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=1234567890-abcdefg.apps.googleusercontent.com&redirect_uri=https://yourapp.com/oauth2/callback&scope=https://www.googleapis.com/auth/userinfo.profile&state=xyz&access_type=offline&prompt=consent

Step 3: Handling the Authorization Response

After the user consents, Google redirects to the specified redirect_uri with an authorization code.

Example Redirect:

https://yourapp.com/oauth2/callback?code=AUTHORIZATION_CODE&state=xyz

Verify that the returned state matches the value you generated in Step 2, and reject the callback if it does not. Then extract the code parameter from the query string.

Step 4: Exchanging the Authorization Code for an Access Token

Send a POST request to Google's token endpoint to exchange the authorization code for an access token.

Token Endpoint:

https://oauth2.googleapis.com/token

Request Parameters:

  • code: The authorization code received from the authorization response.
  • client_id: Your OAuth 2.0 Client ID.
  • client_secret: Your OAuth 2.0 Client Secret.
  • redirect_uri: The same redirect URI used in the authorization request.
  • grant_type=authorization_code: Specifies the grant type.

Example Request:

POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded

code=AUTHORIZATION_CODE&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
redirect_uri=YOUR_REDIRECT_URI&
grant_type=authorization_code

Example Response:

{
  "access_token": "ACCESS_TOKEN",
  "expires_in": 3600,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "https://www.googleapis.com/auth/userinfo.profile",
  "token_type": "Bearer"
}
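Steps 2 to 4 as a single added Python example (not Google's client library or code from this page): it builds the authorization URL, validates the callback including the state check, and composes the token request. The client ID, client secret and redirect URI are placeholders, and the HTTP POST itself is left to the caller.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def new_state() -> str:
    # Unguessable per-request value; keep it server-side (e.g. in the session)
    # so the callback can be tied back to the request that started it.
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # scopes are space-separated
        "state": state,
        "access_type": "offline",    # ask for a refresh token
        "prompt": "consent",         # re-show consent so a refresh token is issued
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, or raise ValueError.

    Rejects the callback if it reports an error instead of a code, if the code
    is missing, or if state does not match the value we generated (CSRF check).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request(client_id, client_secret, code, redirect_uri):
    # Form body for the POST to the token endpoint (Step 4); send it as
    # application/x-www-form-urlencoded over HTTPS, never in a query string.
    return TOKEN_ENDPOINT, {
        "code": code, "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri, "grant_type": "authorization_code",
    }
```

The state value returned by new_state() must be stored before the redirect and passed back into parse_callback() when the browser returns; a callback with a different or missing state is discarded.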

Step 5: Using the Access Token

Send the access token as a Bearer token in the Authorization header of API requests to Google services.

Example API Request:

GET /userinfo/v2/me HTTP/1.1
Host: www.googleapis.com
Authorization: Bearer ACCESS_TOKEN

Step 6: Refreshing the Access Token

When the access token expires (expires_in seconds after it was issued, 3600 in the example above), use the refresh token to obtain a new access token. The refresh response normally does not include a new refresh token, so keep the original one.

Token Endpoint:

https://oauth2.googleapis.com/token

Request Parameters:

  • client_id: Your OAuth 2.0 Client ID.
  • client_secret: Your OAuth 2.0 Client Secret.
  • refresh_token: The refresh token received during the token exchange.
  • grant_type=refresh_token: Specifies the grant type.

Example Request:

POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
refresh_token=REFRESH_TOKEN&
grant_type=refresh_token

Example Response:

{
  "access_token": "NEW_ACCESS_TOKEN",
  "expires_in": 3600,
  "scope": "https://www.googleapis.com/auth/userinfo.profile",
  "token_type": "Bearer"
}

Conclusion

This document outlines the Google OAuth 2.0 flow, detailing how to create an authorization URL, handle the authorization response, exchange the authorization code for an access token, use the access token, and refresh the token when it expires.