How to get google oAuth2.0 access token using curl command?

Question

I was experimenting the google's REST apis. Here, I was trying to generate the access token from cURL command to use that in further REST request. But I was facing the below errors.

I was trying to get the access token tru the below cURL command but i getting below error responses.

curl \
--request POST \
--data "code=4/GQEg70zaxHAuRhhd6A1RB_6LIxwwBV8ak5xRP-nZIBTjuvt4g3fTWyU&client_id=954040553015-bphgid2596t65i91827omteq778cp7gj.apps.googleusercontent.com&client_secret=Sn3giYFFPMCNteKC--938xsP&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token

Response:

{
"error": "invalid_grant",
"error_description": "Bad Request"
}

Then I have edited the command as below but it fails.

curl -d client_id=954040553015-bphgid2596t65i91827omteq778cp7gj.apps.googleusercontent.com -d client_secret=Sn3giYFFPMCNteKC--938xsP -d grant_type=authorization_code -d redirect_uri=urn:ietf:wg:oauth:2.0:oob -d code=4/GQEg70zaxHAuRhhd6A1RB_6LIxwwBV8ak5xRP-nZIBTjuvt4g3fTWyU https://oauth2.googleapis.com/token

Response:

{
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

So, based on this link https://gist.github.com/LindaLawton/cff75182aac5fa42930a09f58b63a309#file-googleauthenticationcurl-sh I have changed the grant_type=client_credentials. But again I got the error response.

{
"error": "unsupported_grant_type",
"error_description": "Invalid grant_type: client_credentials"
}

So, Please help me to resolve the error.

Answer 1

After Making Google OAuth interactions safer by using more secure OAuth flows you can no longer use urn:ietf:wg:oauth:2.0:oob make sure to use localhost

# Tutorial https://www.daimto.com/how-to-get-a-google-access-token-with-curl/
# YouTube video https://youtu.be/hBC_tVJIx5w
# Client id from Google Developer console
# Client Secret from Google Developer console
# Scope this is a space separated list of the scopes of access you are requesting.

# Authorization link.  Place this in a browser and copy the code that is returned after you accept the scopes.
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=https://127.0.0.1&scope=[Scopes]&response_type=code

# Exchange Authorization code for an access token and a refresh token.

curl \
--request POST \
--data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token

# Exchange a refresh token for a new access token.
curl \
--request POST \
--data 'client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token' \
https://accounts.google.com/o/oauth2/token

Answer 2

don't use urn:ietf:wg:oauth:2.0:oob

nor use https://developers.google.com/oauthplayground

but use http://localhost ...

or any web-server, which rewrites the post-back to a local host-name.

unless processing that post-back, the cURL request by itself is useless.

while this question does not even disclose if this is on-line or behind NAT.

for server to server oAuth2 flow, you need an on-line host & credentials for a service-account.

Answer 3

So the answer was in the question. "Invalid grant_type: client_credentials" whereas the grant type should be authorization_code

My advice for you was to go to the OAuth playground and compare what it sends with what you are sending. Here is a paste from the playground...

POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-length: 277
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
code=4%2FGgFtOcUM73dTMJNpE7XR7w082MrYH-LCm7zMylg31ESKrwmpyQXnzOM
 &redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground
 &client_id=407408718192.apps.googleusercontent.com
 &client_secret=************
 &scope=
 &grant_type=authorization_code