How do I authorise an app (web or installed) without user intervention?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}

55

Let's say that I have a web app that needs to access Drive files in a background service. It will either own the files it is accessing, or be run in a Google Account with which the owner has shared the documents.

I understand that my app needs a refresh token, but I don't want to write the code to obtain that since I'll only ever do it once.

NB. This is NOT using a Service Account. The app will be run under a conventional Google account. Service Account is a valid approach in some situations. However the technique of using Oauth Playground to simulate the app can save a bunch of redundant effort, and applies to any APIs for which sharing to a Service Account is unsupported.

google-api google-drive-sdk google-oauth gmail-api

share|improve this question

edited Jan 27 at 9:45

pinoyyid

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

add a comment | 

55

Let's say that I have a web app that needs to access Drive files in a background service. It will either own the files it is accessing, or be run in a Google Account with which the owner has shared the documents.

I understand that my app needs a refresh token, but I don't want to write the code to obtain that since I'll only ever do it once.

NB. This is NOT using a Service Account. The app will be run under a conventional Google account. Service Account is a valid approach in some situations. However the technique of using Oauth Playground to simulate the app can save a bunch of redundant effort, and applies to any APIs for which sharing to a Service Account is unsupported.

google-api google-drive-sdk google-oauth gmail-api

share|improve this question

edited Jan 27 at 9:45

pinoyyid

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

add a comment | 

55

55

55

44

Let's say that I have a web app that needs to access Drive files in a background service. It will either own the files it is accessing, or be run in a Google Account with which the owner has shared the documents.

I understand that my app needs a refresh token, but I don't want to write the code to obtain that since I'll only ever do it once.

NB. This is NOT using a Service Account. The app will be run under a conventional Google account. Service Account is a valid approach in some situations. However the technique of using Oauth Playground to simulate the app can save a bunch of redundant effort, and applies to any APIs for which sharing to a Service Account is unsupported.

google-api google-drive-sdk google-oauth gmail-api

share|improve this question

edited Jan 27 at 9:45

pinoyyid

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

Let's say that I have a web app that needs to access Drive files in a background service. It will either own the files it is accessing, or be run in a Google Account with which the owner has shared the documents.

I understand that my app needs a refresh token, but I don't want to write the code to obtain that since I'll only ever do it once.

NB. This is NOT using a Service Account. The app will be run under a conventional Google account. Service Account is a valid approach in some situations. However the technique of using Oauth Playground to simulate the app can save a bunch of redundant effort, and applies to any APIs for which sharing to a Service Account is unsupported.

google-api google-drive-sdk google-oauth gmail-api

google-api google-drive-sdk google-oauth gmail-api

share|improve this question

edited Jan 27 at 9:45

pinoyyid

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

share|improve this question

edited Jan 27 at 9:45

pinoyyid

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

share|improve this question

share|improve this question

edited Jan 27 at 9:45

pinoyyid

edited Jan 27 at 9:45

pinoyyid

edited Jan 27 at 9:45

pinoyyid

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

asked Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

14.3k83685

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

109

This can be done with the Oauth2 Playground at https://developers.google.com/oauthplayground

Steps:-

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials. Credentials/Create Credentials/OAuth Client Id then select Web application
   


4. Include https://developers.google.com/oauthplayground as a valid redirect URI


5. Note the client ID (web app) and Client Secret


6. Login as my.drive.app@gmail.com


7. Go to Oauth2 playground


8. In Settings (gear icon), set
   
   
   
   
   • Oauth flow: server
   
   
   • Access type: offline
   
   
   • Use your own OAuth credentials: TICK
   
   
   • Client Id and Client Secret: from step 5
   
   
   
   


9. Click Step 1 and choose Drive API https://www.googleapis.com/auth/drive (having said that, this technique also works for any of the Google APIs listed)


10. Click Authorize APIs. You will be prompted to choose your Google account and confirm access


11. Click Step 2 and "Exchange Authorization code for tokens"


12. Copy the returned Refresh Token and paste it into your app, source code or in to some form of storage from where your app can retrieve it.

Your app can now run unattended, and use the Refresh Token as described https://developers.google.com/accounts/docs/OAuth2WebServer#offline to obtain an Access Token.

NB. Be aware that the refresh token can be expired by Google which will mean that you need to repeat steps 5 onwards to get a new refresh token. The symptom of this will be a Invalid Grant returned when you try to use the refresh token.

NB2. This technique works well if you want a web app which access your own (and only your own) Drive account, without bothering to write the authorization code which would only ever be run once. Just skip step 1, and replace "my.drive.app" with your own email address in step 6. make sure you are aware of the security implications if the Refresh Token gets stolen.

See Woody's comment below where he links to this Google video https://www.youtube.com/watch?v=hfWe1gPCnzc

.
.
.

Here is a quick JavaScript routine that shows how to use the Refresh Token from the OAuth Playground to list some Drive files. You can simply copy-paste it into Chrome dev console, or run it with node. Of course provide your own credentials (the ones below are all fake).

function get_access_token_using_saved_refresh_token() {

    // from the oauth playground

    const refresh_token = "1/0PvMAoF9GaJFqbNsLZQg-f9NXEljQclmRP4Gwfdo_0";

    // from the API console

    const client_id = "559798723558-amtjh114mvtpiqis80lkl3kdo4gfm5k.apps.googleusercontent.com";

    // from the API console

    const client_secret = "WnGC6KJ91H40mg6H9r1eF9L";

    // from https://developers.google.com/identity/protocols/OAuth2WebServer#offline

    const refresh_url = "https://www.googleapis.com/oauth2/v4/token";



    const post_body = `grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}`;



    let refresh_request = {

        body: post_body,

        method: "POST",

        headers: new Headers({

            'Content-Type': 'application/x-www-form-urlencoded'

        })

    }



    // post to the refresh endpoint, parse the json response and use the access token to call files.list

    fetch(refresh_url, refresh_request).then( response => {

            return(response.json());

        }).then( response_json =>  {

            console.log(response_json);

            files_list(response_json.access_token);

    });

}



// a quick and dirty function to list some Drive files using the newly acquired access token

function files_list (access_token) {

    const drive_url = "https://www.googleapis.com/drive/v3/files";

    let drive_request = {

        method: "GET",

        headers: new Headers({

            Authorization: "Bearer "+access_token

        })

    }

    fetch(drive_url, drive_request).then( response => {

        return(response.json());

    }).then( list =>  {

        console.log("Found a file called "+list.files[0].name);

    });

}



get_access_token_using_saved_refresh_token();

share|improve this answer

edited Mar 21 at 1:52

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc
  
  – woody
  Dec 13 '13 at 21:11
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.
  
  – Zig Mandel
  Aug 11 '15 at 14:22
  
  
  

  
  
  
  


• 
  
  
  

  
  8
  

  
  
  
  
  
  

  
  
  in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.
  
  – pinoyyid
  Aug 11 '15 at 15:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3
  
  – Dan
  Jan 21 '17 at 17:26
  
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!
  
  – mga
  Dec 19 '17 at 15:33
  

  
  
  
  

 | 
show 19 more comments

0

Let me add an alternative route to pinoyyid's excellent answer (which didn't work for me - popping redirect errors).

Instead of using the OAuthPlayground you can also use the HTTP REST API directly. So the difference to pinoyyid's answer is that we'll do things locally. Follow steps 1-3 from pinoyyid's answer. I'll quote them:

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials (NB OAuth Client ID not Service Account Key and then choose "Web Application" from the selection)

Now, instead of the playground, add the following to your credentials:

Authorized JavaScript Sources: http://localhost (I don't know if this is required but just do it.)
Authorized Redirect URIs: http://localhost:8080

Screenshot (in German):

Make sure to actually save your changes via the blue button below!

Now you'll probably want to use a GUI to build your HTTP requests. I used Insomnia but you can go with Postman or plain cURL. I recommend Insomnia for it allows you to go through the consent screens easily.

Build a new GET request with the following parameters:

URL: https://accounts.google.com/o/oauth2/v2/auth

Query Param: redirect_uri=http://localhost:8080

Query Param: prompt=consent

Query Param: response_type=code

Query Param: client_id=<your client id from OAuth credentials>

Query Param: scope=<your chosen scopes, e.g. https://www.googleapis.com/auth/drive.file>

Query Param: access_type=offline

If your tool of choice doesn't handle URL encoding automagically make sure to get it right yourself.

Before you fire your request set up a webserver to listen on http://localhost:8080. If you have node and npm installed run npm i express, then create an index.js:

var express = require('express');

var app = express();



app.get('/', function (req, res) {

  res.send('ok');

  console.log(req)

});



app.listen(8080, function () {

  console.log('Listening on port 8080!');

});

And run the server via node index.js. I recommend to either not log the whole req object or to run node index.js | less for the full output will be huge.

There are very simple solutions for other languages, too. E.g. use PHP's built in web server on 8080 php -S localhost:8080.

Now fire your request (in Insomnia) and you should be prompted with the login:

Log in with your email and password and confirm the consent screen (should contain your chosen scopes).

Go back to your terminal and check the output. If you logged the whole thing scroll down (e.g. pgdown in less) until you see a line with code=4/....

Copy that code; it is your authorization code that you'll want to exchange for an access and refresh token. Don't copy too much - if there's an ampersand & do not copy it or anything after. & delimits query parameters. We just want the code.

Now set up a HTTP POST request pointing to https://www.googleapis.com/oauth2/v4/token as form URL encoded. In Insomnia you can just click that - in other tools you might have to set the header yourself to Content-Type: application/x-www-form-urlencoded.

Add the following parameters:

code=<the authorization code from the last step>

client_id=<your client ID again>

client_secret=<your client secret from the OAuth credentials>

redirect_uri=http://localhost:8080

grant_type=authorization_code

Again, make sure that the encoding is correct.

Fire your request and check the output from your server. In the response you should see a JSON object:

{

  "access_token": "xxxx",

  "expires_in": 3600,

  "refresh_token": "1/xxxx",

  "scope": "https://www.googleapis.com/auth/drive.file",

  "token_type": "Bearer"

}

You can use the access_token right away but it'll only be valid for one hour. Note the refresh token. This is the one you can always* exchange for a new access token.

* You will have to repeat the procedure if the user changes his password, revokes access, is inactive for 6 months etc.

Happy OAuthing!

share|improve this answer

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.
  
  – pinoyyid
  Mar 15 at 1:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.
  
  – m02ph3u5
  Mar 15 at 10:10
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f19766912%2fhow-do-i-authorise-an-app-web-or-installed-without-user-intervention%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

109

This can be done with the Oauth2 Playground at https://developers.google.com/oauthplayground

Steps:-

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials. Credentials/Create Credentials/OAuth Client Id then select Web application
   


4. Include https://developers.google.com/oauthplayground as a valid redirect URI


5. Note the client ID (web app) and Client Secret


6. Login as my.drive.app@gmail.com


7. Go to Oauth2 playground


8. In Settings (gear icon), set
   
   
   
   
   • Oauth flow: server
   
   
   • Access type: offline
   
   
   • Use your own OAuth credentials: TICK
   
   
   • Client Id and Client Secret: from step 5
   
   
   
   


9. Click Step 1 and choose Drive API https://www.googleapis.com/auth/drive (having said that, this technique also works for any of the Google APIs listed)


10. Click Authorize APIs. You will be prompted to choose your Google account and confirm access


11. Click Step 2 and "Exchange Authorization code for tokens"


12. Copy the returned Refresh Token and paste it into your app, source code or in to some form of storage from where your app can retrieve it.

Your app can now run unattended, and use the Refresh Token as described https://developers.google.com/accounts/docs/OAuth2WebServer#offline to obtain an Access Token.

NB. Be aware that the refresh token can be expired by Google which will mean that you need to repeat steps 5 onwards to get a new refresh token. The symptom of this will be a Invalid Grant returned when you try to use the refresh token.

NB2. This technique works well if you want a web app which access your own (and only your own) Drive account, without bothering to write the authorization code which would only ever be run once. Just skip step 1, and replace "my.drive.app" with your own email address in step 6. make sure you are aware of the security implications if the Refresh Token gets stolen.

See Woody's comment below where he links to this Google video https://www.youtube.com/watch?v=hfWe1gPCnzc

.
.
.

Here is a quick JavaScript routine that shows how to use the Refresh Token from the OAuth Playground to list some Drive files. You can simply copy-paste it into Chrome dev console, or run it with node. Of course provide your own credentials (the ones below are all fake).

function get_access_token_using_saved_refresh_token() {

    // from the oauth playground

    const refresh_token = "1/0PvMAoF9GaJFqbNsLZQg-f9NXEljQclmRP4Gwfdo_0";

    // from the API console

    const client_id = "559798723558-amtjh114mvtpiqis80lkl3kdo4gfm5k.apps.googleusercontent.com";

    // from the API console

    const client_secret = "WnGC6KJ91H40mg6H9r1eF9L";

    // from https://developers.google.com/identity/protocols/OAuth2WebServer#offline

    const refresh_url = "https://www.googleapis.com/oauth2/v4/token";



    const post_body = `grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}`;



    let refresh_request = {

        body: post_body,

        method: "POST",

        headers: new Headers({

            'Content-Type': 'application/x-www-form-urlencoded'

        })

    }



    // post to the refresh endpoint, parse the json response and use the access token to call files.list

    fetch(refresh_url, refresh_request).then( response => {

            return(response.json());

        }).then( response_json =>  {

            console.log(response_json);

            files_list(response_json.access_token);

    });

}



// a quick and dirty function to list some Drive files using the newly acquired access token

function files_list (access_token) {

    const drive_url = "https://www.googleapis.com/drive/v3/files";

    let drive_request = {

        method: "GET",

        headers: new Headers({

            Authorization: "Bearer "+access_token

        })

    }

    fetch(drive_url, drive_request).then( response => {

        return(response.json());

    }).then( list =>  {

        console.log("Found a file called "+list.files[0].name);

    });

}



get_access_token_using_saved_refresh_token();

share|improve this answer

edited Mar 21 at 1:52

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc
  
  – woody
  Dec 13 '13 at 21:11
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.
  
  – Zig Mandel
  Aug 11 '15 at 14:22
  
  
  

  
  
  
  


• 
  
  
  

  
  8
  

  
  
  
  
  
  

  
  
  in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.
  
  – pinoyyid
  Aug 11 '15 at 15:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3
  
  – Dan
  Jan 21 '17 at 17:26
  
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!
  
  – mga
  Dec 19 '17 at 15:33
  

  
  
  
  

 | 
show 19 more comments

109

This can be done with the Oauth2 Playground at https://developers.google.com/oauthplayground

Steps:-

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials. Credentials/Create Credentials/OAuth Client Id then select Web application
   


4. Include https://developers.google.com/oauthplayground as a valid redirect URI


5. Note the client ID (web app) and Client Secret


6. Login as my.drive.app@gmail.com


7. Go to Oauth2 playground


8. In Settings (gear icon), set
   
   
   
   
   • Oauth flow: server
   
   
   • Access type: offline
   
   
   • Use your own OAuth credentials: TICK
   
   
   • Client Id and Client Secret: from step 5
   
   
   
   


9. Click Step 1 and choose Drive API https://www.googleapis.com/auth/drive (having said that, this technique also works for any of the Google APIs listed)


10. Click Authorize APIs. You will be prompted to choose your Google account and confirm access


11. Click Step 2 and "Exchange Authorization code for tokens"


12. Copy the returned Refresh Token and paste it into your app, source code or in to some form of storage from where your app can retrieve it.

Your app can now run unattended, and use the Refresh Token as described https://developers.google.com/accounts/docs/OAuth2WebServer#offline to obtain an Access Token.

NB. Be aware that the refresh token can be expired by Google which will mean that you need to repeat steps 5 onwards to get a new refresh token. The symptom of this will be a Invalid Grant returned when you try to use the refresh token.

NB2. This technique works well if you want a web app which access your own (and only your own) Drive account, without bothering to write the authorization code which would only ever be run once. Just skip step 1, and replace "my.drive.app" with your own email address in step 6. make sure you are aware of the security implications if the Refresh Token gets stolen.

See Woody's comment below where he links to this Google video https://www.youtube.com/watch?v=hfWe1gPCnzc

.
.
.

Here is a quick JavaScript routine that shows how to use the Refresh Token from the OAuth Playground to list some Drive files. You can simply copy-paste it into Chrome dev console, or run it with node. Of course provide your own credentials (the ones below are all fake).

function get_access_token_using_saved_refresh_token() {

    // from the oauth playground

    const refresh_token = "1/0PvMAoF9GaJFqbNsLZQg-f9NXEljQclmRP4Gwfdo_0";

    // from the API console

    const client_id = "559798723558-amtjh114mvtpiqis80lkl3kdo4gfm5k.apps.googleusercontent.com";

    // from the API console

    const client_secret = "WnGC6KJ91H40mg6H9r1eF9L";

    // from https://developers.google.com/identity/protocols/OAuth2WebServer#offline

    const refresh_url = "https://www.googleapis.com/oauth2/v4/token";



    const post_body = `grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}`;



    let refresh_request = {

        body: post_body,

        method: "POST",

        headers: new Headers({

            'Content-Type': 'application/x-www-form-urlencoded'

        })

    }



    // post to the refresh endpoint, parse the json response and use the access token to call files.list

    fetch(refresh_url, refresh_request).then( response => {

            return(response.json());

        }).then( response_json =>  {

            console.log(response_json);

            files_list(response_json.access_token);

    });

}



// a quick and dirty function to list some Drive files using the newly acquired access token

function files_list (access_token) {

    const drive_url = "https://www.googleapis.com/drive/v3/files";

    let drive_request = {

        method: "GET",

        headers: new Headers({

            Authorization: "Bearer "+access_token

        })

    }

    fetch(drive_url, drive_request).then( response => {

        return(response.json());

    }).then( list =>  {

        console.log("Found a file called "+list.files[0].name);

    });

}



get_access_token_using_saved_refresh_token();

share|improve this answer

edited Mar 21 at 1:52

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc
  
  – woody
  Dec 13 '13 at 21:11
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.
  
  – Zig Mandel
  Aug 11 '15 at 14:22
  
  
  

  
  
  
  


• 
  
  
  

  
  8
  

  
  
  
  
  
  

  
  
  in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.
  
  – pinoyyid
  Aug 11 '15 at 15:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3
  
  – Dan
  Jan 21 '17 at 17:26
  
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!
  
  – mga
  Dec 19 '17 at 15:33
  

  
  
  
  

 | 
show 19 more comments

109

109

109

This can be done with the Oauth2 Playground at https://developers.google.com/oauthplayground

Steps:-

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials. Credentials/Create Credentials/OAuth Client Id then select Web application
   


4. Include https://developers.google.com/oauthplayground as a valid redirect URI


5. Note the client ID (web app) and Client Secret


6. Login as my.drive.app@gmail.com


7. Go to Oauth2 playground


8. In Settings (gear icon), set
   
   
   
   
   • Oauth flow: server
   
   
   • Access type: offline
   
   
   • Use your own OAuth credentials: TICK
   
   
   • Client Id and Client Secret: from step 5
   
   
   
   


9. Click Step 1 and choose Drive API https://www.googleapis.com/auth/drive (having said that, this technique also works for any of the Google APIs listed)


10. Click Authorize APIs. You will be prompted to choose your Google account and confirm access


11. Click Step 2 and "Exchange Authorization code for tokens"


12. Copy the returned Refresh Token and paste it into your app, source code or in to some form of storage from where your app can retrieve it.

Your app can now run unattended, and use the Refresh Token as described https://developers.google.com/accounts/docs/OAuth2WebServer#offline to obtain an Access Token.

NB. Be aware that the refresh token can be expired by Google which will mean that you need to repeat steps 5 onwards to get a new refresh token. The symptom of this will be a Invalid Grant returned when you try to use the refresh token.

NB2. This technique works well if you want a web app which access your own (and only your own) Drive account, without bothering to write the authorization code which would only ever be run once. Just skip step 1, and replace "my.drive.app" with your own email address in step 6. make sure you are aware of the security implications if the Refresh Token gets stolen.

See Woody's comment below where he links to this Google video https://www.youtube.com/watch?v=hfWe1gPCnzc

.
.
.

Here is a quick JavaScript routine that shows how to use the Refresh Token from the OAuth Playground to list some Drive files. You can simply copy-paste it into Chrome dev console, or run it with node. Of course provide your own credentials (the ones below are all fake).

function get_access_token_using_saved_refresh_token() {

    // from the oauth playground

    const refresh_token = "1/0PvMAoF9GaJFqbNsLZQg-f9NXEljQclmRP4Gwfdo_0";

    // from the API console

    const client_id = "559798723558-amtjh114mvtpiqis80lkl3kdo4gfm5k.apps.googleusercontent.com";

    // from the API console

    const client_secret = "WnGC6KJ91H40mg6H9r1eF9L";

    // from https://developers.google.com/identity/protocols/OAuth2WebServer#offline

    const refresh_url = "https://www.googleapis.com/oauth2/v4/token";



    const post_body = `grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}`;



    let refresh_request = {

        body: post_body,

        method: "POST",

        headers: new Headers({

            'Content-Type': 'application/x-www-form-urlencoded'

        })

    }



    // post to the refresh endpoint, parse the json response and use the access token to call files.list

    fetch(refresh_url, refresh_request).then( response => {

            return(response.json());

        }).then( response_json =>  {

            console.log(response_json);

            files_list(response_json.access_token);

    });

}



// a quick and dirty function to list some Drive files using the newly acquired access token

function files_list (access_token) {

    const drive_url = "https://www.googleapis.com/drive/v3/files";

    let drive_request = {

        method: "GET",

        headers: new Headers({

            Authorization: "Bearer "+access_token

        })

    }

    fetch(drive_url, drive_request).then( response => {

        return(response.json());

    }).then( list =>  {

        console.log("Found a file called "+list.files[0].name);

    });

}



get_access_token_using_saved_refresh_token();

share|improve this answer

edited Mar 21 at 1:52

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

This can be done with the Oauth2 Playground at https://developers.google.com/oauthplayground

Steps:-

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials. Credentials/Create Credentials/OAuth Client Id then select Web application
   


4. Include https://developers.google.com/oauthplayground as a valid redirect URI


5. Note the client ID (web app) and Client Secret


6. Login as my.drive.app@gmail.com


7. Go to Oauth2 playground


8. In Settings (gear icon), set
   
   
   
   
   • Oauth flow: server
   
   
   • Access type: offline
   
   
   • Use your own OAuth credentials: TICK
   
   
   • Client Id and Client Secret: from step 5
   
   
   
   


9. Click Step 1 and choose Drive API https://www.googleapis.com/auth/drive (having said that, this technique also works for any of the Google APIs listed)


10. Click Authorize APIs. You will be prompted to choose your Google account and confirm access


11. Click Step 2 and "Exchange Authorization code for tokens"


12. Copy the returned Refresh Token and paste it into your app, source code or in to some form of storage from where your app can retrieve it.

Your app can now run unattended, and use the Refresh Token as described https://developers.google.com/accounts/docs/OAuth2WebServer#offline to obtain an Access Token.

NB. Be aware that the refresh token can be expired by Google which will mean that you need to repeat steps 5 onwards to get a new refresh token. The symptom of this will be a Invalid Grant returned when you try to use the refresh token.

NB2. This technique works well if you want a web app which access your own (and only your own) Drive account, without bothering to write the authorization code which would only ever be run once. Just skip step 1, and replace "my.drive.app" with your own email address in step 6. make sure you are aware of the security implications if the Refresh Token gets stolen.

See Woody's comment below where he links to this Google video https://www.youtube.com/watch?v=hfWe1gPCnzc

.
.
.

Here is a quick JavaScript routine that shows how to use the Refresh Token from the OAuth Playground to list some Drive files. You can simply copy-paste it into Chrome dev console, or run it with node. Of course provide your own credentials (the ones below are all fake).

function get_access_token_using_saved_refresh_token() {

    // from the oauth playground

    const refresh_token = "1/0PvMAoF9GaJFqbNsLZQg-f9NXEljQclmRP4Gwfdo_0";

    // from the API console

    const client_id = "559798723558-amtjh114mvtpiqis80lkl3kdo4gfm5k.apps.googleusercontent.com";

    // from the API console

    const client_secret = "WnGC6KJ91H40mg6H9r1eF9L";

    // from https://developers.google.com/identity/protocols/OAuth2WebServer#offline

    const refresh_url = "https://www.googleapis.com/oauth2/v4/token";



    const post_body = `grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}`;



    let refresh_request = {

        body: post_body,

        method: "POST",

        headers: new Headers({

            'Content-Type': 'application/x-www-form-urlencoded'

        })

    }



    // post to the refresh endpoint, parse the json response and use the access token to call files.list

    fetch(refresh_url, refresh_request).then( response => {

            return(response.json());

        }).then( response_json =>  {

            console.log(response_json);

            files_list(response_json.access_token);

    });

}



// a quick and dirty function to list some Drive files using the newly acquired access token

function files_list (access_token) {

    const drive_url = "https://www.googleapis.com/drive/v3/files";

    let drive_request = {

        method: "GET",

        headers: new Headers({

            Authorization: "Bearer "+access_token

        })

    }

    fetch(drive_url, drive_request).then( response => {

        return(response.json());

    }).then( list =>  {

        console.log("Found a file called "+list.files[0].name);

    });

}



get_access_token_using_saved_refresh_token();

share|improve this answer

edited Mar 21 at 1:52

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

share|improve this answer

share|improve this answer

edited Mar 21 at 1:52

edited Mar 21 at 1:52

edited Mar 21 at 1:52

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

answered Nov 4 '13 at 11:37

pinoyyidpinoyyid

14.3k83685

14.3k83685

• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc
  
  – woody
  Dec 13 '13 at 21:11
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.
  
  – Zig Mandel
  Aug 11 '15 at 14:22
  
  
  

  
  
  
  


• 
  
  
  

  
  8
  

  
  
  
  
  
  

  
  
  in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.
  
  – pinoyyid
  Aug 11 '15 at 15:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3
  
  – Dan
  Jan 21 '17 at 17:26
  
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!
  
  – mga
  Dec 19 '17 at 15:33
  

  
  
  
  

 | 
show 19 more comments

• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc
  
  – woody
  Dec 13 '13 at 21:11
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.
  
  – Zig Mandel
  Aug 11 '15 at 14:22
  
  
  

  
  
  
  


• 
  
  
  

  
  8
  

  
  
  
  
  
  

  
  
  in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.
  
  – pinoyyid
  Aug 11 '15 at 15:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3
  
  – Dan
  Jan 21 '17 at 17:26
  
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!
  
  – mga
  Dec 19 '17 at 15:33
  

  
  
  
  

6

6

Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc

– woody
Dec 13 '13 at 21:11

Note that my research indicates that refresh tokens are 'long lived' and are not expired by Google, but can be revoked on the API Console. Also, Google has a short 4 minute video on how to get a refresh token from Playground: youtube.com/watch?v=hfWe1gPCnzc

– woody
Dec 13 '13 at 21:11

2

2

in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.

– Zig Mandel
Aug 11 '15 at 14:22

in reality its much cleaner if you also code a separate setup page that generates the refresh token by asking permissions to an admin. the admin uses the page to deploy the app or reconfigure later. using the oauth playground is just a quick way to avoid writting such admin page.

– Zig Mandel
Aug 11 '15 at 14:22

8

8

in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.

– pinoyyid
Aug 11 '15 at 15:43

in reality it's much cleaner if you don't code anything at all. Why waste hours if not days figuring out OAuth, wrangling the leaky abstractions of the Google libraries, all for an app that you will only run once? That's not clean, it's borderline insane.

– pinoyyid
Aug 11 '15 at 15:43

1

1

Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3

– Dan
Jan 21 '17 at 17:26

Where do I perform step 3? Also V2 is not showing up. Will try this with Drive V3

– Dan
Jan 21 '17 at 17:26

3

3

this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!

– mga
Dec 19 '17 at 15:33

this is the best answer ever. i'd give it ten votes if i could. you just made the oauth insanity bearable. thanks!

– mga
Dec 19 '17 at 15:33

 | 
show 19 more comments

0

Let me add an alternative route to pinoyyid's excellent answer (which didn't work for me - popping redirect errors).

Instead of using the OAuthPlayground you can also use the HTTP REST API directly. So the difference to pinoyyid's answer is that we'll do things locally. Follow steps 1-3 from pinoyyid's answer. I'll quote them:

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials (NB OAuth Client ID not Service Account Key and then choose "Web Application" from the selection)

Now, instead of the playground, add the following to your credentials:

Authorized JavaScript Sources: http://localhost (I don't know if this is required but just do it.)
Authorized Redirect URIs: http://localhost:8080

Screenshot (in German):

Make sure to actually save your changes via the blue button below!

Now you'll probably want to use a GUI to build your HTTP requests. I used Insomnia but you can go with Postman or plain cURL. I recommend Insomnia for it allows you to go through the consent screens easily.

Build a new GET request with the following parameters:

URL: https://accounts.google.com/o/oauth2/v2/auth

Query Param: redirect_uri=http://localhost:8080

Query Param: prompt=consent

Query Param: response_type=code

Query Param: client_id=<your client id from OAuth credentials>

Query Param: scope=<your chosen scopes, e.g. https://www.googleapis.com/auth/drive.file>

Query Param: access_type=offline

If your tool of choice doesn't handle URL encoding automagically make sure to get it right yourself.

Before you fire your request set up a webserver to listen on http://localhost:8080. If you have node and npm installed run npm i express, then create an index.js:

var express = require('express');

var app = express();



app.get('/', function (req, res) {

  res.send('ok');

  console.log(req)

});



app.listen(8080, function () {

  console.log('Listening on port 8080!');

});

And run the server via node index.js. I recommend to either not log the whole req object or to run node index.js | less for the full output will be huge.

There are very simple solutions for other languages, too. E.g. use PHP's built in web server on 8080 php -S localhost:8080.

Now fire your request (in Insomnia) and you should be prompted with the login:

Log in with your email and password and confirm the consent screen (should contain your chosen scopes).

Go back to your terminal and check the output. If you logged the whole thing scroll down (e.g. pgdown in less) until you see a line with code=4/....

Copy that code; it is your authorization code that you'll want to exchange for an access and refresh token. Don't copy too much - if there's an ampersand & do not copy it or anything after. & delimits query parameters. We just want the code.

Now set up a HTTP POST request pointing to https://www.googleapis.com/oauth2/v4/token as form URL encoded. In Insomnia you can just click that - in other tools you might have to set the header yourself to Content-Type: application/x-www-form-urlencoded.

Add the following parameters:

code=<the authorization code from the last step>

client_id=<your client ID again>

client_secret=<your client secret from the OAuth credentials>

redirect_uri=http://localhost:8080

grant_type=authorization_code

Again, make sure that the encoding is correct.

Fire your request and check the output from your server. In the response you should see a JSON object:

{

  "access_token": "xxxx",

  "expires_in": 3600,

  "refresh_token": "1/xxxx",

  "scope": "https://www.googleapis.com/auth/drive.file",

  "token_type": "Bearer"

}

You can use the access_token right away but it'll only be valid for one hour. Note the refresh token. This is the one you can always* exchange for a new access token.

* You will have to repeat the procedure if the user changes his password, revokes access, is inactive for 6 months etc.

Happy OAuthing!

share|improve this answer

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.
  
  – pinoyyid
  Mar 15 at 1:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.
  
  – m02ph3u5
  Mar 15 at 10:10
  

  
  
  
  

add a comment | 

0

Let me add an alternative route to pinoyyid's excellent answer (which didn't work for me - popping redirect errors).

Instead of using the OAuthPlayground you can also use the HTTP REST API directly. So the difference to pinoyyid's answer is that we'll do things locally. Follow steps 1-3 from pinoyyid's answer. I'll quote them:

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials (NB OAuth Client ID not Service Account Key and then choose "Web Application" from the selection)

Now, instead of the playground, add the following to your credentials:

Authorized JavaScript Sources: http://localhost (I don't know if this is required but just do it.)
Authorized Redirect URIs: http://localhost:8080

Screenshot (in German):

Make sure to actually save your changes via the blue button below!

Now you'll probably want to use a GUI to build your HTTP requests. I used Insomnia but you can go with Postman or plain cURL. I recommend Insomnia for it allows you to go through the consent screens easily.

Build a new GET request with the following parameters:

URL: https://accounts.google.com/o/oauth2/v2/auth

Query Param: redirect_uri=http://localhost:8080

Query Param: prompt=consent

Query Param: response_type=code

Query Param: client_id=<your client id from OAuth credentials>

Query Param: scope=<your chosen scopes, e.g. https://www.googleapis.com/auth/drive.file>

Query Param: access_type=offline

If your tool of choice doesn't handle URL encoding automagically make sure to get it right yourself.

Before you fire your request set up a webserver to listen on http://localhost:8080. If you have node and npm installed run npm i express, then create an index.js:

var express = require('express');

var app = express();



app.get('/', function (req, res) {

  res.send('ok');

  console.log(req)

});



app.listen(8080, function () {

  console.log('Listening on port 8080!');

});

And run the server via node index.js. I recommend to either not log the whole req object or to run node index.js | less for the full output will be huge.

There are very simple solutions for other languages, too. E.g. use PHP's built in web server on 8080 php -S localhost:8080.

Now fire your request (in Insomnia) and you should be prompted with the login:

Log in with your email and password and confirm the consent screen (should contain your chosen scopes).

Go back to your terminal and check the output. If you logged the whole thing scroll down (e.g. pgdown in less) until you see a line with code=4/....

Copy that code; it is your authorization code that you'll want to exchange for an access and refresh token. Don't copy too much - if there's an ampersand & do not copy it or anything after. & delimits query parameters. We just want the code.

Now set up a HTTP POST request pointing to https://www.googleapis.com/oauth2/v4/token as form URL encoded. In Insomnia you can just click that - in other tools you might have to set the header yourself to Content-Type: application/x-www-form-urlencoded.

Add the following parameters:

code=<the authorization code from the last step>

client_id=<your client ID again>

client_secret=<your client secret from the OAuth credentials>

redirect_uri=http://localhost:8080

grant_type=authorization_code

Again, make sure that the encoding is correct.

Fire your request and check the output from your server. In the response you should see a JSON object:

{

  "access_token": "xxxx",

  "expires_in": 3600,

  "refresh_token": "1/xxxx",

  "scope": "https://www.googleapis.com/auth/drive.file",

  "token_type": "Bearer"

}

You can use the access_token right away but it'll only be valid for one hour. Note the refresh token. This is the one you can always* exchange for a new access token.

* You will have to repeat the procedure if the user changes his password, revokes access, is inactive for 6 months etc.

Happy OAuthing!

share|improve this answer

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.
  
  – pinoyyid
  Mar 15 at 1:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.
  
  – m02ph3u5
  Mar 15 at 10:10
  

  
  
  
  

add a comment | 

0

0

0

Let me add an alternative route to pinoyyid's excellent answer (which didn't work for me - popping redirect errors).

Instead of using the OAuthPlayground you can also use the HTTP REST API directly. So the difference to pinoyyid's answer is that we'll do things locally. Follow steps 1-3 from pinoyyid's answer. I'll quote them:

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials (NB OAuth Client ID not Service Account Key and then choose "Web Application" from the selection)

Now, instead of the playground, add the following to your credentials:

Authorized JavaScript Sources: http://localhost (I don't know if this is required but just do it.)
Authorized Redirect URIs: http://localhost:8080

Screenshot (in German):

Make sure to actually save your changes via the blue button below!

Now you'll probably want to use a GUI to build your HTTP requests. I used Insomnia but you can go with Postman or plain cURL. I recommend Insomnia for it allows you to go through the consent screens easily.

Build a new GET request with the following parameters:

URL: https://accounts.google.com/o/oauth2/v2/auth

Query Param: redirect_uri=http://localhost:8080

Query Param: prompt=consent

Query Param: response_type=code

Query Param: client_id=<your client id from OAuth credentials>

Query Param: scope=<your chosen scopes, e.g. https://www.googleapis.com/auth/drive.file>

Query Param: access_type=offline

If your tool of choice doesn't handle URL encoding automagically make sure to get it right yourself.

Before you fire your request set up a webserver to listen on http://localhost:8080. If you have node and npm installed run npm i express, then create an index.js:

var express = require('express');

var app = express();



app.get('/', function (req, res) {

  res.send('ok');

  console.log(req)

});



app.listen(8080, function () {

  console.log('Listening on port 8080!');

});

And run the server via node index.js. I recommend to either not log the whole req object or to run node index.js | less for the full output will be huge.

There are very simple solutions for other languages, too. E.g. use PHP's built in web server on 8080 php -S localhost:8080.

Now fire your request (in Insomnia) and you should be prompted with the login:

Log in with your email and password and confirm the consent screen (should contain your chosen scopes).

Go back to your terminal and check the output. If you logged the whole thing scroll down (e.g. pgdown in less) until you see a line with code=4/....

Copy that code; it is your authorization code that you'll want to exchange for an access and refresh token. Don't copy too much - if there's an ampersand & do not copy it or anything after. & delimits query parameters. We just want the code.

Now set up a HTTP POST request pointing to https://www.googleapis.com/oauth2/v4/token as form URL encoded. In Insomnia you can just click that - in other tools you might have to set the header yourself to Content-Type: application/x-www-form-urlencoded.

Add the following parameters:

code=<the authorization code from the last step>

client_id=<your client ID again>

client_secret=<your client secret from the OAuth credentials>

redirect_uri=http://localhost:8080

grant_type=authorization_code

Again, make sure that the encoding is correct.

Fire your request and check the output from your server. In the response you should see a JSON object:

{

  "access_token": "xxxx",

  "expires_in": 3600,

  "refresh_token": "1/xxxx",

  "scope": "https://www.googleapis.com/auth/drive.file",

  "token_type": "Bearer"

}

You can use the access_token right away but it'll only be valid for one hour. Note the refresh token. This is the one you can always* exchange for a new access token.

* You will have to repeat the procedure if the user changes his password, revokes access, is inactive for 6 months etc.

Happy OAuthing!

share|improve this answer

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

Let me add an alternative route to pinoyyid's excellent answer (which didn't work for me - popping redirect errors).

Instead of using the OAuthPlayground you can also use the HTTP REST API directly. So the difference to pinoyyid's answer is that we'll do things locally. Follow steps 1-3 from pinoyyid's answer. I'll quote them:

1. Create the Google Account (eg. my.drive.app@gmail.com) - Or skip this step if you are using an existing account.


2. Use the API console to register the mydriveapp (https://console.developers.google.com/apis/credentials/oauthclient?project=mydriveapp or just https://console.developers.google.com/apis/)


3. Create a new set of credentials (NB OAuth Client ID not Service Account Key and then choose "Web Application" from the selection)

Now, instead of the playground, add the following to your credentials:

Authorized JavaScript Sources: http://localhost (I don't know if this is required but just do it.)
Authorized Redirect URIs: http://localhost:8080

Screenshot (in German):

Make sure to actually save your changes via the blue button below!

Now you'll probably want to use a GUI to build your HTTP requests. I used Insomnia but you can go with Postman or plain cURL. I recommend Insomnia for it allows you to go through the consent screens easily.

Build a new GET request with the following parameters:

URL: https://accounts.google.com/o/oauth2/v2/auth

Query Param: redirect_uri=http://localhost:8080

Query Param: prompt=consent

Query Param: response_type=code

Query Param: client_id=<your client id from OAuth credentials>

Query Param: scope=<your chosen scopes, e.g. https://www.googleapis.com/auth/drive.file>

Query Param: access_type=offline

If your tool of choice doesn't handle URL encoding automagically make sure to get it right yourself.

Before you fire your request set up a webserver to listen on http://localhost:8080. If you have node and npm installed run npm i express, then create an index.js:

var express = require('express');

var app = express();



app.get('/', function (req, res) {

  res.send('ok');

  console.log(req)

});



app.listen(8080, function () {

  console.log('Listening on port 8080!');

});

And run the server via node index.js. I recommend to either not log the whole req object or to run node index.js | less for the full output will be huge.

There are very simple solutions for other languages, too. E.g. use PHP's built in web server on 8080 php -S localhost:8080.

Now fire your request (in Insomnia) and you should be prompted with the login:

Log in with your email and password and confirm the consent screen (should contain your chosen scopes).

Go back to your terminal and check the output. If you logged the whole thing scroll down (e.g. pgdown in less) until you see a line with code=4/....

Copy that code; it is your authorization code that you'll want to exchange for an access and refresh token. Don't copy too much - if there's an ampersand & do not copy it or anything after. & delimits query parameters. We just want the code.

Now set up a HTTP POST request pointing to https://www.googleapis.com/oauth2/v4/token as form URL encoded. In Insomnia you can just click that - in other tools you might have to set the header yourself to Content-Type: application/x-www-form-urlencoded.

Add the following parameters:

code=<the authorization code from the last step>

client_id=<your client ID again>

client_secret=<your client secret from the OAuth credentials>

redirect_uri=http://localhost:8080

grant_type=authorization_code

Again, make sure that the encoding is correct.

Fire your request and check the output from your server. In the response you should see a JSON object:

{

  "access_token": "xxxx",

  "expires_in": 3600,

  "refresh_token": "1/xxxx",

  "scope": "https://www.googleapis.com/auth/drive.file",

  "token_type": "Bearer"

}

You can use the access_token right away but it'll only be valid for one hour. Note the refresh token. This is the one you can always* exchange for a new access token.

* You will have to repeat the procedure if the user changes his password, revokes access, is inactive for 6 months etc.

Happy OAuthing!

share|improve this answer

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

share|improve this answer

share|improve this answer

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

answered Mar 14 at 14:06

m02ph3u5m02ph3u5

1,88022235

1,88022235

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.
  
  – pinoyyid
  Mar 15 at 1:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.
  
  – m02ph3u5
  Mar 15 at 10:10
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.
  
  – pinoyyid
  Mar 15 at 1:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.
  
  – m02ph3u5
  Mar 15 at 10:10
  

  
  
  
  

I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.

– pinoyyid
Mar 15 at 1:56

I've just double checked my instructions and they work fine. If you're having a problem it means you've made a mistake at 3,4 or 8.

– pinoyyid
Mar 15 at 1:56

Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.

– m02ph3u5
Mar 15 at 10:10

Probably but I couldn't spot the mistake. Non-playground path can be useful if the playground is down/ unreachable, too.

– m02ph3u5
Mar 15 at 10:10

add a comment | 

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f19766912%2fhow-do-i-authorise-an-app-web-or-installed-without-user-intervention%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

This page is only for reference, If you need detailed information, please check here