Introduction
Google OAuth's main purpose is to obtain access to Google APIs. Google APIs use the OAuth 2.0 protocol for authentication and authorization. Step by step, we will see how to create a Google developer account and a Google project, and how to obtain an access token and a refresh token.
Step 1
Create your Google developer account at https://developers.google.com/. Open https://console.developers.google.com/ and click on the "Select a project" drop-down to create a new project.
Step 2
Click on the OAuth consent screen. Select External to allow a login for all users and on the next screen fill in all details related to App.
On the next screen, you can add the scopes required to call the APIs (reference: https://developers.google.com/identity/protocols/oauth2/scopes); enter them as comma-separated scopes.
ex: https://www.googleapis.com/auth/gmail.metadata,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/drive
Click on save and continue.
Step 3
Go to the Credentials tab in the side menu.
Create Credentials => select OAuth Client ID => fill in the application type, name, and redirect URL.
Users will be redirected to this URL after they have authenticated with Google; it determines where the API server sends the user once the authorization flow completes.
You will get a Client ID and a Client Secret.
Step 4
Go to the Library tab. Here you can enable APIs; for example, if you want to read Gmail messages, enable the Gmail API. The Gmail API lets you view and manage Gmail mailbox data such as threads, messages, and labels. The Google Calendar API lets you display, create, and modify calendar events, as well as work with many other calendar-related objects.
These are the basic steps needed to start the Google OAuth flow.
Now you have a Client ID, a Client Secret, and scopes.
Fill in your Client ID, redirect URL, and scopes in the URL below and open the URL in the browser.
Url 1: Authorization URL - This will take you to the Google login page.
https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/gmail.metadata+https://www.googleapis.com/auth/gmail.readonly+https://www.googleapis.com/auth/drive
&access_type=offline&include_granted_scopes=true&response_type=code&state=state_parameter_passthrough_value&redirect_uri={redirect_uri}&client_id={client_id}
Redirect Url
Determines where the API server redirects the user after the user completes the authorization flow. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured in your client's API Console Credentials page. If this value doesn't match an authorized redirect URI for the provided client_id you will get a redirect_uri_mismatch error.
Scope
Add a plus sign between two scopes, as shown above.
State
You can pass any value in state. For example, if you want to check whether the user is registered in your app, you can pass the userId; when the OAuth login succeeds, Google redirects to the redirect URL given in the app consent screen, and the state value is passed through unchanged.
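The authorization URL above is built by hand in the text. Below is an added example (not code from the original article or from Google) that assembles the same URL with proper URL encoding, generates a random state value, and then checks the state when the redirect comes back. Binding state to an unguessable per-session value is what lets the callback handler reject a redirect that the user never initiated, which a plain userId cannot do. The client ID, redirect URI and the sample callback URL are placeholder values constructed for this example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Placeholder values (constructed for this example); substitute the ones from your Credentials page.
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"
REDIRECT_URI = "https://example.com/oauth2/callback"
SCOPES = [
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
]

# A constructed redirect, as the browser would receive it after the user consents.
SAMPLE_CALLBACK = (
    "https://example.com/oauth2/callback?state=abc123&code=4%2F0AXconstructed"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)


def new_state() -> str:
    """Unguessable state value; keep it in the user's server-side session until the callback."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Assemble Url 1 from the article; urlencode joins space-separated scopes with '+'."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,           # must exactly match an authorized redirect URI
        "response_type": "code",                # authorization code flow
        "scope": " ".join(scopes),
        "access_type": "offline",               # needed to receive a refresh_token
        "include_granted_scopes": "true",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str):
    """Return (code, granted_scopes) from the redirect, or raise if it cannot be trusted."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time comparison against the value stored in the session.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: this callback was not started by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # The user may have granted fewer scopes than requested; check before calling APIs.
    granted = query.get("scope", [""])[0].split()
    return code, granted


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(CLIENT_ID, REDIRECT_URI, SCOPES, state))
```

The granted-scope list returned by parse_callback is worth checking explicitly: with include_granted_scopes and a user who declines part of the request, the code you receive is still valid but covers fewer APIs than the URL asked for.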
The page below will open when you log in with your account. Once the app has completed Google's verification process, this screen will no longer appear. For now, to continue logging in, click on Hide Advanced and then Go to "Your App Name" (unsafe).
On the next screen, you will see a pop-up listing all the scopes requested by the application. The user must agree to give the application access to these scopes.
After this, Google redirects to the redirect URL specified in the authorization URL; in that URL you can see the code, state, and scope.
https://www.google.com/?state={state}&code={authorization code}&scope={scope}
Url 2: Access Token Url - To exchange the authorization code for an access token, call the endpoint below (an HTTP POST). Replace the content in curly braces and remove the braces.
https://oauth2.googleapis.com/token?client_id={client_id}&client_secret={client_secret}&code={authorizationcode}&redirect_uri={redirect_uri}&grant_type=authorization_code
The authorization code came from the previous redirect; you can also see it in the browser URL.
These are the values you get in the response:
- access_token: The token that your application sends to authorize a Google API request.
- expires_in: The remaining lifetime of the access token in seconds.
- refresh_token: A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access. Again, this field is only present in this response if you set the access_type parameter to offline in the initial request to Google's authorization server.
- scope: The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.
- token_type: The type of token returned. At this time, this field's value is always set to Bearer.
Using the access token, you can call other Google APIs.
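The token exchange in Url 2 and the response fields listed above, as an added example that is not code from the original article or from Google. It sends the client secret and the code in a POST body rather than in the query string, validates the JSON fields the text describes, turns expires_in into an absolute expiry so a token can be refreshed before it lapses, and builds the Bearer header for a subsequent API call. The token endpoint URL is the one from the text; the sample responses and all credential values are constructed placeholders.

```python
import json
import time
import urllib.request
from typing import Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Constructed sample responses in the shape the text describes (not real tokens).
SAMPLE_TOKEN_RESPONSE = (
    b'{"access_token":"ya29.constructed","expires_in":3599,'
    b'"refresh_token":"1//constructed",'
    b'"scope":"https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/drive",'
    b'"token_type":"Bearer"}'
)
SAMPLE_ERROR_RESPONSE = b'{"error":"invalid_grant","error_description":"Bad Request"}'


def build_code_exchange_body(client_id: str, client_secret: str, code: str, redirect_uri: str) -> bytes:
    """Form body for the authorization_code grant (same parameters as Url 2 in the text)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,       # must match the one used in the authorization URL
        "grant_type": "authorization_code",
    }).encode()


def build_refresh_body(client_id: str, client_secret: str, refresh_token: str) -> bytes:
    """Form body for the refresh_token grant; only possible if access_type=offline was requested."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }).encode()


def post_form(body: bytes) -> bytes:
    """POST the form body to the token endpoint and return the raw JSON (network call)."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def parse_token_response(raw: bytes, now: Optional[float] = None) -> dict:
    """Validate the token JSON and convert expires_in (seconds) into an absolute expiry time."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    for key in ("access_token", "expires_in", "token_type"):
        if key not in data:
            raise ValueError(f"token response missing {key}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        # Present only on the first exchange with access_type=offline; store it securely.
        "refresh_token": data.get("refresh_token"),
        "scopes": data.get("scope", "").split(),
    }


def is_expired(token: dict, now: Optional[float] = None, skew: int = 60) -> bool:
    """Treat the token as expired `skew` seconds early so a request never races the deadline."""
    now = time.time() if now is None else now
    return now + skew >= token["expires_at"]


def bearer_header(token: dict) -> dict:
    """Authorization header for a Google API request made with the access token."""
    return {"Authorization": f"Bearer {token['access_token']}"}


if __name__ == "__main__":
    # Placeholders to fill in: CLIENT_ID, CLIENT_SECRET, the code from the callback, REDIRECT_URI.
    tok = parse_token_response(post_form(
        build_code_exchange_body("CLIENT_ID", "CLIENT_SECRET", "CODE_FROM_CALLBACK", "REDIRECT_URI")))
    if is_expired(tok) and tok["refresh_token"]:
        tok = parse_token_response(post_form(
            build_refresh_body("CLIENT_ID", "CLIENT_SECRET", tok["refresh_token"])))
    print(bearer_header(tok))
```

Note that a refresh response normally carries no refresh_token field, so parse_token_response returns None for it on refresh; keep the refresh token from the first exchange rather than overwriting it.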
Step 5
Go to the Domain Verification tab and verify domain ownership to allow webhook notifications to be sent to your external domains. Google verifies that the user owns each of the listed domains via Search Console.
You can skip this step in the beginning.
Once Google verification is done, "Google hasn't verified this App" will no longer appear.
When you want to integrate Google APIs into your application, the first thing you need is an access token; you don't need to store the user's Google username and password. This article showed you how to create a Google project in the Google console, add scopes to the application, call the authorization URL, and obtain an access token using the authorization code. Google will allow only 100 users to log in; after that you have to pay. You can check the number of users who have logged in, as well as the verification status, on the OAuth consent screen.