
How to perform OAuth 2.0 using the Curl CLI?

I would like to use curl from a Windows command prompt to perform Google OAuth 2.0. My goal is to better understand the authentication flows that an OAuth server implements, see the HTTP headers, etc.

How can this be done using curl.exe from a Windows Command Prompt?

John Hanley asked Nov 18 '18 03:11



1 Answer


This answer is for Windows Command Prompt users but should be easily adaptable to Linux and Mac also.

You will need your Google Client ID and Client Secret. These can be obtained from the Google Console under APIs & Services -> Credentials.

In the following example, the Scope is cloud-platform. Modify to use the scopes that you want to test with. Here are a few scopes that you can test with:

"https://www.googleapis.com/auth/cloud-platform"
"https://www.googleapis.com/auth/cloud-platform.read-only"
"https://www.googleapis.com/auth/devstorage.full_control"
"https://www.googleapis.com/auth/devstorage.read_write"
"https://www.googleapis.com/auth/devstorage.read_only"
"https://www.googleapis.com/auth/bigquery"
"https://www.googleapis.com/auth/datastore"

OAuth 2.0 Scopes for Google APIs

Details:

  • Copy the following statements to a Windows batch file.
  • Modify to fit your environment.
  • Modify the script for the browser that you want to use.
  • Run the batch file.
  • A browser will be launched.
  • The browser will go to https://accounts.google.com where you can complete the Google OAuth 2.0 authentication.
  • Once complete a code will be displayed in the browser window.
  • Copy this code (control-c) from the browser window and paste into the command prompt window (control-rightclick).
  • The script will complete the OAuth 2.0 code exchange for a Token.
  • The Token will be displayed in the command prompt.
  • The returned Token contains an Access Token that can be used in more curl commands.

Windows Batch Script:

set CLIENT_ID=Replace_with_your_Client_ID
set CLIENT_SECRET=Replace_with_your_Client_Secret
set SCOPE=https://www.googleapis.com/auth/cloud-platform
set ENDPOINT=https://accounts.google.com/o/oauth2/v2/auth

set URL="%ENDPOINT%?client_id=%CLIENT_ID%&response_type=code&scope=%SCOPE%&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob"

@REM start iexplore %URL%
@REM start microsoft-edge:%URL%
start chrome %URL%

set /p AUTH_CODE="Enter Code displayed in browser: "

curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token

The final output looks like this:

{
  "access_token": "ya29.deleted_for_security_reasons",
  "expires_in": 3600,
  "refresh_token": "1/jk3/deleted_for_security_reasons",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "token_type": "Bearer"
}

Example curl command using Access Token:

set ACCESS_TOKEN=replace_with_your_access_token
set PROJECT=development-123456
set ZONE=us-west-1a
set INSTANCE_NAME=dev-system

@REM - This endpoint will start the instance named INSTANCE_NAME in ZONE
set ENDPOINT=https://www.googleapis.com/compute/v1/projects/%PROJECT%/zones/%ZONE%/instances/%INSTANCE_NAME%/start

@REM - instances.start is a POST method; send it with an empty body
curl -X POST -d "" -H "Authorization: Bearer %ACCESS_TOKEN%" "%ENDPOINT%"

Tip: Save the Access Token to a file

Modify the last line of the batch script to use jq to process the output:

curl ^
--data client_id=%CLIENT_ID% ^
--data client_secret=%CLIENT_SECRET% ^
--data code=%AUTH_CODE% ^
--data redirect_uri=urn:ietf:wg:oauth:2.0:oob ^
--data grant_type=authorization_code ^
https://www.googleapis.com/oauth2/v4/token | jq -r ".access_token" > token.save

set /p ACCESS_TOKEN=<token.save
echo %ACCESS_TOKEN%

The last two lines show how to read the Access Token that was saved to a file for further use in more scripts.

Remember, Tokens expire after 60 minutes which is the default value.

I wrote an article detailing this on my blog:

Google OAuth 2.0 – Testing with Curl

[Update 3/18/2020]

I wrote an article on how to perform OAuth in PowerShell. This article shows how to do OAuth, save and refresh tokens and then impersonate a service account.

PowerShell – Impersonate Google Service Account

John Hanley answered Oct 08 '22 10:10
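
Added example, not part of the answer above or of any Google tooling: a POSIX shell version (for the Linux/macOS adaptation the answer mentions) of the token handling after the code exchange. It stores the response readable only by its owner, checks the 60-minute expiry before reuse, and uses the returned refresh_token to get a new access token with the body sent to curl on stdin. The file names, function names and the 60-second safety margin are assumptions; the endpoint and JSON fields are the ones shown in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. File layout and function names
# are assumptions; the endpoint and JSON field names are the ones shown above.
TOKEN_URL=https://www.googleapis.com/oauth2/v4/token
SKEW=60  # treat the token as expired this many seconds early

# Read one field from the flat token JSON (string or number value).
token_field() {  # $1=file $2=key
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p' "$1" | head -n 1
}

# Store a token response owner-readable only, with its issue time. The refresh
# token gets its own file so a later response without one does not erase it.
save_token() {  # $1=json $2=file $3=issued-at (epoch seconds)
  ( umask 077
    rm -f "$2" "$2.issued"
    printf '%s\n' "$1" > "$2"
    printf '%s\n' "$3" > "$2.issued"
    rt=$(token_field "$2" refresh_token)
    if [ -n "$rt" ]; then rm -f "$2.refresh"; printf '%s\n' "$rt" > "$2.refresh"; fi )
}

# Exit 0 when the cached access token is missing or (nearly) expired.
token_expired() {  # $1=file $2=now (epoch seconds)
  [ -r "$1" ] && [ -r "$1.issued" ] || return 0
  issued=$(cat "$1.issued"); ttl=$(token_field "$1" expires_in)
  [ -n "$issued" ] && [ -n "$ttl" ] || return 0
  [ "$2" -ge $((issued + ttl - SKEW)) ]
}

# Form body for the refresh grant; CLIENT_ID and CLIENT_SECRET come from the
# environment, the refresh token from the file written by save_token.
refresh_body() {  # $1=file
  printf 'client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token' \
    "$CLIENT_ID" "$CLIENT_SECRET" "$(cat "$1.refresh")"
}

# Print a usable access token, refreshing first when needed. The body reaches
# curl on stdin (--data @-), so the secrets stay out of the process list.
access_token() {  # $1=file
  if token_expired "$1" "$(date +%s)"; then
    new=$(refresh_body "$1" | curl --silent --fail --data @- "$TOKEN_URL") || return 1
    save_token "$new" "$1" "$(date +%s)"
  fi
  token_field "$1" access_token
}
```

After the initial code exchange, pass the JSON response to `save_token` once; later scripts call `access_token` with the same file name and use its output in the `Authorization: Bearer` header.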