-
-
Save LindaLawton/cff75182aac5fa42930a09f58b63a309 to your computer and use it in GitHub Desktop.
| # Tutorial https://www.daimto.com/how-to-get-a-google-access-token-with-curl/ | |
| # YouTube video https://youtu.be/hBC_tVJIx5w | |
| # Client id from Google Developer console | |
| # Client Secret from Google Developer console | |
| # Scope this is a space seprated list of the scopes of access you are requesting. | |
| # Authorization link. Place this in a browser and copy the code that is returned after you accept the scopes. | |
| https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=http://127.0.0.1&scope=[Scopes]&response_type=code | |
| # Exchange Authorization code for an access token and a refresh token. | |
| curl \ | |
| --request POST \ | |
| --data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=http://127.0.0.1&grant_type=authorization_code" \ | |
| https://accounts.google.com/o/oauth2/token | |
| # Exchange a refresh token for a new access token. | |
| curl \ | |
| --request POST \ | |
| --data 'client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token' \ | |
| https://accounts.google.com/o/oauth2/token |
I know for a fact that your not going to be able to do it with postman. Im not sure that curl is able to do the encoding needed if you manage to create a valid JWT with curl i would love to see the code. heres a link to the documentation https://developers.google.com/identity/protocols/oauth2/service-account
Here is a bash function to generate jwt, needs openssl to craete the payload data and jq to extract values from json. Wrote this function recently for some google drive stuff
###################################################
# Generate rs256 jwt just with cli commands and shell
# Specifically for gdrive service accounts usage
# Globals: None
# Arguments: 2
# ${1} = service account json file contents ( should contain client_email and private key )
# ${2} = SCOPE for gdrive ( if not given then global var SCOPE is used )
# Result: print jwt
# Refrences:
# https://stackoverflow.com/questions/46657001/how-do-you-create-an-rs256-jwt-assertion-with-bash-shell-scripting
# Inspired by implementation by Will Haley at:
# http://willhaley.com/blog/generate-jwt-with-bash/
###################################################
_generate_jwt() {
declare json="${1:?Error: Give service json file contents}" \
scope="${2:-${SCOPE}}" aud="https://oauth2.googleapis.com/token" \
header='{"alg":"RS256","typ":"JWT"}' \
algo="256" scope payload_data iss exp iat rsa_secret signed_content sign
if iss="$(jq .client_email <<< "${json}")" &&
rsa_secret="$(jq .private_key <<< "${json}")"; then
rsa_secret="$(printf "%b\n" "${rsa_secret}")"
else
printf "Error: Invalid service account file.\n" && return 1
fi
iat="$(printf "%(%s)T\\n" "-1")" exp="$((iat + 3400))"
b64enc() { : "$(openssl enc -base64 -A)" && : "${_//+/-}" && : "${_//\//_}" && printf "%s\n" "${_//=/}"; }
payload_data='{"iss":"'${iss}'","scope":"'${scope}'","aud":"'${aud}'","exp":'${exp}',"iat":'${iat}'}'
{
signed_content="$(b64enc <<< "${header}").$(b64enc <<< "${payload_data}")"
sign="$(printf %s "${signed_content}" | openssl dgst -binary -sha"${algo}" -sign <(printf '%s\n' "${rsa_secret}") | b64enc)"
} || return 1
printf '%s.%s\n' "${signed_content}" "${sign}"
return 0
}P.S: Also answered your post on stackoverflow
The out-of-band method no longer works which is why the script is broken. I have some scripts that use the loopback method on desktop and are working as of this posting.
Thanks @jay!
@jay you can use http://127.0.0.1 instead of urn:ietf:wg:oauth:2.0:oob and it works fine.
Works perfectly - thanks!
Why is there a consent screen for the first step to get the code? How would I possible click the Accept in a server environment? Could anyone please help me out if possible.
@rohanmenon96 you wouldn't do this on a server you would do it on your local machine. A server doesn't have a browser window. Get a refresh token then store it and upload that to your server
unrelated but it's worth the reference,
get access_token using google/apiclient library in Laravel(php8),
This access_token works with any project in 1 firebase
https://github.com/linhdv96/cUrl-firebase-remote-config
Found a good link, Goog OAUth2 Playground helped generate the refresh token with correct scope, etc. Doc here, link is in the doc:
https://developers.google.com/google-ads/api/docs/oauth/playground
I'm looking for full curl automation that didn't require to go to the consent screen to grab the code, is there a way to achieve pure, full and complete curl automation?
@mymirai-nikki you wont find that. Oauth2 requires user consent. The only thing to do that would be a service account pat token, and i have never had the time or inclination to try and code service account authorization in curl as it requires to much security magic.
Edit: gemini seems to have a few ideas one using the google cloud console logged in on your machine, the other is some fancy stuff using curl directly. If you get it to work let me know i would love to see the code working.
Google has recently made a change that breaks this script How to authorize a curl script to Google Oauth after OAuth out-of-band oob flow is deprecated?. I have a question up on Stack overflow to see if it can be fixed or not.
The solution was to use http://127.0.0.1 instead.