I would like to use curl from a Windows command prompt to perform Google OAuth 2.0. My goal is to better understand the authentication flows that an OAuth server implements, see the HTTP headers, etc.
How can this be done using curl.exe from a Windows Command Prompt?
To generate an access token: Replace {AUTH CODE QUERY PARAMETER} with the auth code you copied from the previous step in the above cURL request. Replace {CLIENT ID} in the above request with the Client ID from your OAuth client. Replace {CLIENT SECRET} in the above request with the Client Secret from your OAuth client.
To use basic authentication, use the cURL --user option followed by your company name and user name as the value. cURL will then prompt you for your password.
How to perform OAuth 2.0 using the Curl CLI?
This answer is for Windows Command Prompt users but should be easily adaptable to Linux and Mac also.
You will need your Google Client ID and Client Secret. These can be obtained from the Google Console under APIs & Services -> Credentials.
In the following example, the Scope is cloud-platform. Modify to use the scopes that you want to test with. Here are a few scopes that you can test with:
"https://www.googleapis.com/auth/cloud-platform"
"https://www.googleapis.com/auth/cloud-platform.read-only"
"https://www.googleapis.com/auth/devstorage.full_control"
"https://www.googleapis.com/auth/devstorage.read_write"
"https://www.googleapis.com/auth/devstorage.read_only"
"https://www.googleapis.com/auth/bigquery"
"https://www.googleapis.com/auth/datastore"
OAuth 2.0 Scopes for Google APIs
Details:
Windows Batch Script:
set CLIENT_ID=Replace_with_your_Client_ID
set CLIENT_SECRET=Replace_with_your_Client_Secret
set SCOPE=https://www.googleapis.com/auth/cloud-platform
set ENDPOINT=https://accounts.google.com/o/oauth2/v2/auth
set URL="%ENDPOINT%?client_id=%CLIENT_ID%&response_type=code&scope=%SCOPE%&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob"
@REM start iexplore %URL%
@REM start microsoft-edge:%URL%
start chrome %URL%
set /p AUTH_CODE="Enter Code displayed in browser: "
curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token
The final output looks like this:
{
"access_token": "ya29.deleted_for_security_reasons",
"expires_in": 3600,
"refresh_token": "1/jk3/deleted_for_security_reasons",
"scope": "https://www.googleapis.com/auth/cloud-platform",
"token_type": "Bearer"
}
Example curl command using Access Token:
set ACCESS_TOKEN=replace_with_your_access_token
set PROJECT=development-123456
set ZONE=us-west-1a
set INSTANCE_NAME=dev-system
@REM - This endpoint will start the instance named INSTANCE_NAME in ZONE
set ENDPOINT=https://www.googleapis.com/compute/v1/projects/%PROJECT%/zones/%ZONE%/instances/%INSTANCE_NAME%/start
curl -H "Authorization: Bearer %ACCESS_TOKEN%" "%ENDPOINT%"
Tip: Save the Access Token to a file
Modify the last line of the batch script to use jq to process the output:
curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token | jq -r ".access_token" > token.save
set /p ACCESS_TOKEN=<token.save
echo %ACCESS_TOKEN%
The last two lines show how to read the Access Token that was saved to a file for further use in more scripts.
Remember, tokens expire after 60 minutes, which is the default value.
I wrote an article detailing this on my blog:
Google OAuth 2.0 – Testing with Curl
[Update 3/18/2020]
I wrote an article on how to perform OAuth in PowerShell. This article shows how to do OAuth, save and refresh tokens and then impersonate a service account.
PowerShell – Impersonate Google Service Account
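The answer requests access_type=offline and receives a refresh_token, but stops at the first access token. The following batch script is an added example, not part of the original answer: it exchanges the saved refresh token for a new access token once the 60 minutes are up, checks what Google issued, and revokes the grant when testing is done. The file name refresh.save, the script name refresh.bat and the use of Google's tokeninfo and revoke endpoints are assumptions not taken from the page.

```batch
@echo off
@REM Added example, not from the original answer. Assumes CLIENT_ID and
@REM CLIENT_SECRET are set as in the script above and that the refresh_token
@REM value was saved to refresh.save (hypothetical file name).
set TOKEN_ENDPOINT=https://www.googleapis.com/oauth2/v4/token
set REFRESH_TOKEN=
set /p REFRESH_TOKEN=<refresh.save
if not defined REFRESH_TOKEN (
  echo refresh.save is missing or empty
  exit /b 1
)

@REM Optional clean-up: "refresh.bat revoke" invalidates the grant and
@REM deletes the token files left on disk.
if /i "%~1"=="revoke" (
  curl --data "" "https://oauth2.googleapis.com/revoke?token=%REFRESH_TOKEN%"
  del token.save refresh.save 2>nul
  exit /b 0
)

@REM Exchange the refresh token for a new access token. No browser step is
@REM needed. --data-urlencode protects the "/" characters in the token.
curl --silent ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data-urlencode refresh_token=%REFRESH_TOKEN% ^
--data grant_type=refresh_token ^
%TOKEN_ENDPOINT% | jq -r ".access_token" > token.save

@REM Clear any stale value first: set /p leaves the variable unchanged
@REM when the file is empty.
set ACCESS_TOKEN=
set /p ACCESS_TOKEN=<token.save

@REM jq prints "null" when the response is an error object (for example
@REM invalid_grant after the refresh token was revoked).
if not defined ACCESS_TOKEN goto failed
if "%ACCESS_TOKEN%"=="null" goto failed

@REM Debugging aid: shows the audience, granted scope and seconds to expiry.
curl --silent "https://oauth2.googleapis.com/tokeninfo?access_token=%ACCESS_TOKEN%"
exit /b 0

:failed
echo Refresh failed. Re-run the authorization step to obtain a new code.
del token.save 2>nul
exit /b 1
```

Both token.save and refresh.save hold live credentials in plaintext, so keep them out of shared folders and source control, and run the revoke step when the test session is over.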