4
votes

Following the steps described at Using OAuth 2.0 for Installed Applications, I have been able to get an Authorization code for my application.

I have registered my application as an OAuth 2.0 Client ID in the Google Developers Console:

I am using the type "Other", as the application will only need to get a new access_token (using the refresh_token), and won't use any type of user consent.

The security does not matter, since it will be a private application.

The application needs to be able to read and write to a spreadsheet, and run Google Apps Scripts that are linked to the spreadsheet.

This is all possible within the scope "https://www.googleapis.com/auth/spreadsheets", according to Google's OAuth 2.0 Playground:

I have been able to get my hands on an Authorization code, using the following request (following this step):

https://accounts.google.com/o/oauth2/v2/auth?
  scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fspreadsheets&
  redirect_uri=urn:ietf:wg:oauth:2.0:oob&
  response_type=code&
  client_id=#####.apps.googleusercontent.com

Pasting this URL in my browser, it redirected me to this page:

This way I have obtained an Authorization code that, theoretically, can be exchanged for a refresh_token and an access_token.

I tried mimicking the requests that Google's OAuth 2.0 Playground does when exchanging an Authorization code for a refresh_token and an access_token:

It sends a POST request to the following URL:

https://www.googleapis.com/oauth2/v3/token?
  code={auth_code}&
  redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&
  client_id=#####.apps.googleusercontent.com&
  client_secret=#####&
  scope=&
  grant_type=authorization_code

When I try to do this request, I get an ERROR 400 with the following response:

 {"error": "invalid_request", "error_description": "Invalid parameter value for redirect_uri: Missing scheme: {redirect_uri}}

It throws an error about "Missing scheme" for the redirect_uri. This isn't weird in my opinion, since my Application Type is "Other", and you can't Authorize redirect URIs with that type.

I have tried the OAuth2ForDevices (which is exactly what I want), but I can't use that for Google's spreadsheets.

What is the correct way to obtain a refresh_token (and access_token) using an Authorization code, obtained via a client-ID type "Other" (which can be used for Google spreadsheets)?


2 Answers

4
votes

I figured it out.

Use this request:

https://accounts.google.com/o/oauth2/v2/auth?
  scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fspreadsheets&
  redirect_uri=urn:ietf:wg:oauth:2.0:oob&
  response_type=code&
  client_id=#####.apps.googleusercontent.com

This returns an Authorization code. Then, make the following POST request:

POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

code={auth_code}&
client_id=######.apps.googleusercontent.com&
client_secret=#####&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
grant_type=authorization_code

If you don't use "urn:ietf:wg:oauth:2.0:oob" as your redirect_uri, it doesn't work. This isn't stated in the OAuth2InstalledApp Guide (it uses "https://oauth2-login-demo.appspot.com/code" as an example for the redirect_uri, which confused me).

Short answer: Use "urn:ietf:wg:oauth:2.0:oob" as redirect_uri

0
votes

Use the same redirect_uri you used for the call to:

https://accounts.google.com/o/oauth2/v2/auth

Google will not make any further requests to that URI, but I presume it uses it for matching purposes as some small added security.
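
An added example (not part of either answer or of Google's documentation) of the matching rule both answers describe: the token request is derived from the authorization URL so redirect_uri and client_id cannot drift, and a checker flags a request shaped like the one in the question. The client ID, code, secret and all function names are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"
SCOPE = "https://www.googleapis.com/auth/spreadsheets"
OOB = "urn:ietf:wg:oauth:2.0:oob"

def build_auth_url(client_id, redirect_uri=OOB, scope=SCOPE):
    """Authorization request, with the parameters used in the accepted answer."""
    query = urlencode({"scope": scope, "redirect_uri": redirect_uri,
                       "response_type": "code", "client_id": client_id})
    return f"{AUTH_ENDPOINT}?{query}"

def build_token_request(auth_url, code, client_secret):
    """Derive the token POST from the authorization URL so the two cannot drift."""
    sent = parse_qs(urlsplit(auth_url).query)
    body = urlencode({"code": code,
                      "client_id": sent["client_id"][0],
                      "client_secret": client_secret,
                      "redirect_uri": sent["redirect_uri"][0],
                      "grant_type": "authorization_code"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body  # parameters travel in the form body

def check_exchange(auth_url, token_url, token_body):
    """List the ways a token request disagrees with its authorization request."""
    auth = parse_qs(urlsplit(auth_url).query)
    in_url = parse_qs(urlsplit(token_url).query)
    sent = {**in_url, **parse_qs(token_body)}
    problems = []
    if "client_secret" in in_url:  # URLs end up in proxy and server logs
        problems.append("client_secret sent in URL query string")
    for key in ("redirect_uri", "client_id"):
        if sent.get(key) != auth.get(key):
            problems.append(f"{key} differs from authorization request")
    if sent.get("grant_type") != ["authorization_code"]:
        problems.append("grant_type is not authorization_code")
    return problems

if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    auth_url = build_auth_url("example-client-id.apps.googleusercontent.com")
    url, headers, body = build_token_request(auth_url, "constructed-code",
                                             "constructed-secret")
    print(url, headers, body, sep="\n")
    print(check_exchange(auth_url, url, body))
```

Google has since deprecated the urn:ietf:wg:oauth:2.0:oob redirect; the requirement that both requests carry an identical redirect_uri applies to whichever redirect is used instead.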