Google Calendar - Permission to Access

Question

Is it possible for me to create an application that can send our requests to access to users' Google Calendar so that I can see the events in there and be able to add, edit, and delete events?

I do not want the users to log into my website to enable this access. Rather, I want to be able to send this request, perhaps via email.

Alternatively, perhaps they could log in the web app and authorize access themselves somehow.

Answer 1

One option would be to e-mail the user a link to the OAuth 2.0 consent screen. The users would still need to open the link in a browser, sign in to their Google account (if not already signed in), and click the "Authorize" button to grant your application access to their Google calendar events.

First, you will need to register your application as a Web App in Google's Developer Console (just like for any other application) and obtain a client_id. Be sure to fill in the name of your application and a link to your website in the "OAuth consent screen" section, because these values will be shown to your users when they click the authorization link.

Then, follow these steps:

1. Send the user an authorization link in an HTML e-mail message. The link should be constructed according to the guidelines in "Redirecting to Google's OAuth 2.0 server", and pay attention to the following aspects:

   • Ensure that the redirect_uri parameter in the authorization link points to your application.
   • Since you already know the e-mail address of the user, consider including the login_hint=<email address> parameter to bypass the account selection screen.
   • Important: provide a value in the state parameter so that you can link this authorization request with the user.
   • The link should be placed in an <a> tag somewhere in the body of the e-mail: <a href="{auth_url}">Allow access to my Google calendar</a>

2. When the user clicks on this link, their browser will open and show the standard Google consent screen:

   Once the user has made a choice, their browser will be redirected to the redirect_uri which you have provided.

3. Make sure that the redirect_uri will work even if the user isn't signed in to your application. Capture the state and authorization_code values which Google appends to the redirect_uri, and then return a confirmation page (e.g. "Thank you for giving us access to your Google calendar" would be a good idea).

4. Using the state and authorization_code values, follow the rest of the standard OAuth 2.0 flow and retrieve a refresh_token which will allow you to access the user's Google calendar from your application.

Keep in mind that the calendar owner (the user who is clicking the link in the e-mail and granting your application consent to access the calendar) may not even be a user of your application. This is why it is important to provide as much information as possible on the consent screen and in the confirmation page.

Since your confirmation page will be loaded even if the user does not grant your application consent, you could take the opportunity to give the user a full description of why you are asking for access to their calendar and provide a link that will take them back to the consent screen. This should increase your success rate.