is somebody getting this error: Code: 400 Response code is 400. Body: message => useragent mismatch; status => fail; Something went wrong. ... <看更多>
「instagram useragent mismatch」的推薦目錄:
- 關於instagram useragent mismatch 在 How to figure out an Instagram username from the user id 的評價
- 關於instagram useragent mismatch 在 postaddictme/instagram-php-scraper - Useragent Mismatch 的評價
- 關於instagram useragent mismatch 在 Getting JSON response from Instagram stories API Python 的評價
- 關於instagram useragent mismatch 在 Why I Can't Get Rid The Facebook User-Agent - ADocLib 的評價
- 關於instagram useragent mismatch 在 Using OAuth 2.0 for Web Server Applications | YouTube Data ... 的評價
- 關於instagram useragent mismatch 在 Add your data source | Pinterest Business help 的評價
instagram useragent mismatch 在 Getting JSON response from Instagram stories API Python 的推薦與評價
... is that when you open the same link even in the browser, it gives this response back {"message":"useragent mismatch","status":"fail… ... <看更多>
相關內容
instagram useragent mismatch 在 Why I Can't Get Rid The Facebook User-Agent - ADocLib 的推薦與評價
You can now upload images directly from a browser without the need to use the Instagram app and it's trivially easy for Chrome users. The user agent string ... ... <看更多>
instagram useragent mismatch 在 Using OAuth 2.0 for Web Server Applications | YouTube Data ... 的推薦與評價
This document explains how web server applications use Google API Client Libraries or Google
OAuth 2.0 endpoints to implement OAuth 2.0 authorization to access
the YouTube Data API.
OAuth 2.0 allows users to share specific data with an application while keeping their
usernames, passwords, and other information private.
For example, an application can use OAuth 2.0 to obtain permission
to upload videos to a user's YouTube channel.
This OAuth 2.0 flow is specifically for user authorization. It is designed for applications
that can store confidential information and maintain state. A properly authorized web server
application can access an API while the user interacts with the application or after the user
has left the application.
Web server applications frequently also use
service accounts to authorize API requests, particularly when calling Cloud APIs to access
project-based data rather than user-specific data. Web server applications can use service
accounts in conjunction with user authorization.
Note that the YouTube Data API supports the service account flow only for
YouTube content owners that own and manage multiple YouTube channels.
Specifically, content owners can use service accounts to call API methods that
support the onBehalfOfContentOwner request parameter.
Note: Given the security implications of getting the implementation
correct, we strongly encourage you to use OAuth 2.0 libraries when interacting with Google's
OAuth 2.0 endpoints. It is a best practice to use well-debugged code provided by others, and
it will help you protect yourself and your users. For more information, see
Client libraries.
Client libraries
The language-specific examples on this page use
Google API Client Libraries to implement
OAuth 2.0 authorization. To run the code samples, you must first install the
client library for your language.
When you use a Google API Client Library to handle your application's OAuth 2.0 flow, the client
library performs many actions that the application would otherwise need to handle on its own. For
example, it determines when the application can use or refresh stored access tokens as well as
when the application must reacquire consent. The client library also generates correct redirect
URLs and helps to implement redirect handlers that exchange authorization codes for access tokens.
Google API Client Libraries for server-side applications are available for the following languages:
Go
Java
.NET
Node.js
PHP
Python
Ruby
Important: The Google API client
library for JavaScript and Sign In With Google are
only intended to handle OAuth 2.0 in the user's browser. If you want to use JavaScript on the
server-side to manage OAuth 2.0 interactions with Google, consider using the
Node.js library on your back-end platform.
Prerequisites
Enable APIs for your project
Any application that calls Google APIs needs to enable those APIs in the
API Console.
To enable an API for your project:
Open the API Library in the
Google API Console.
If prompted, select a project, or create a new one. Use the Library page to find and enable the YouTube Data API. Find any other
APIs that your application will use and enable those, too.
Create authorization credentials
Any application that uses OAuth 2.0 to access Google APIs must have authorization credentials
that identify the application to Google's OAuth 2.0 server. The following steps explain how to
create credentials for your project. Your applications can then use the credentials to access APIs
that you have enabled for that project.
Go to the Credentials page.
Click Create credentials > OAuth client ID.
Select the Web application application type.
Fill in the form and click Create. Applications that use languages and frameworks
like PHP, Java, Python, Ruby, and .NET must specify authorized redirect URIs. The
redirect URIs are the endpoints to which the OAuth 2.0 server can send responses. These
endpoints must adhere to Google’s validation rules.
For testing, you can specify URIs that refer to the local machine, such as
http://localhost:8080. With that in mind, please note that all of the
examples in this document use http://localhost:8080 as the redirect URI.
We recommend that you design your app's auth endpoints so
that your application does not expose authorization codes to other resources on the
page.
After creating your credentials, download the client_secret.json file from the
API Console. Securely store the file in a location that only
your application can access.
publicly-accessible location. In addition, if you share the source code to your
application — for example, on GitHub — store the client_secret.json file
outside of your source tree to avoid inadvertently sharing your client credentials.
Identify access scopes
Scopes enable your application to only request access to the resources that it needs while also
enabling users to control the amount of access that they grant to your application. Thus, there
may be an inverse relationship between the number of scopes requested and the likelihood of
obtaining user consent.
Before you start implementing OAuth 2.0 authorization, we recommend that you identify the scopes
that your app will need permission to access.
We also recommend that your application request access to authorization scopes via an
incremental authorization process, in which your application
requests access to user data in context. This best practice helps users to more easily understand
why your application needs the access it is requesting.
The YouTube Data API v3 uses the following scopes:
Scopes
https://www.googleapis.com/auth/youtubeManage your YouTube account
https://www.googleapis.com/auth/youtube.channel-memberships.creatorSee a list of your current active channel members, their current level, and when they became a member
https://www.googleapis.com/auth/youtube.force-sslSee, edit, and permanently delete your YouTube videos, ratings, comments and captions
https://www.googleapis.com/auth/youtube.readonlyView your YouTube account
https://www.googleapis.com/auth/youtube.uploadManage your YouTube videos
https://www.googleapis.com/auth/youtubepartnerView and manage your assets and associated content on YouTube
https://www.googleapis.com/auth/youtubepartner-channel-auditView private information of your YouTube channel relevant during the audit process with a YouTube partner
The OAuth 2.0 API Scopes document contains a full
list of scopes that you might use to access Google APIs.
If your public application uses scopes that permit access to
certain user data, it must complete a verification process. If you see unverified
app on the screen when testing your application, you must submit a
verification request to remove it. Find out more about
unverified apps
and get answers to
frequently asked questions about app verification in the Help Center.
Language-specific requirements
To run any of the code samples in this document, you'll need a Google account, access to the
Internet, and a web browser. If you are using one of the API client libraries, also see the
language-specific requirements below.
PHP
PHP 5.6 or greater with the command-line interface (CLI) and JSON extension installed.
The Composer dependency management tool.
Python
Python 2.6 or greater
The pip package management tool.
The Google APIs Client Library for Python:
The
The Flask Python web application framework.
The
Ruby
Ruby 2.6 or greater
Node.js
The maintenance LTS, active LTS, or current release of Node.js.
HTTP/REST
To run the PHP code samples in this document, you'll need:
PHP 5.6 or greater with the command-line interface (CLI) and JSON extension installed.
The Composer dependency management tool.
The Google APIs Client Library for PHP:
composer require google/apiclient:^2.10
Python
To run the Python code samples in this document, you'll need:
Python 2.6 or greater
The pip package management tool.
The Google APIs Client Library for Python:
pip install --upgrade google-api-python-client
The
google-auth, google-auth-oauthlib, andgoogle-auth-httplib2 for user authorization.
pip install --upgrade google-auth google-auth-oauthlib google-auth-httplib2
The Flask Python web application framework.
pip install --upgrade flask
The
requests HTTP library.
pip install --upgrade requests
Ruby
To run the Ruby code samples in this document, you'll need:
Ruby 2.6 or greater
The Google Auth Library for Ruby:
gem install googleauth
The Sinatra Ruby web application framework.
gem install sinatra
Node.js
To run the Node.js code samples in this document, you'll need:
The maintenance LTS, active LTS, or current release of Node.js.
The Google APIs Node.js Client:
npm install googleapis crypto express express-session
HTTP/REST
You do not need to install any libraries to be able to directly call the OAuth 2.0
endpoints.
Obtaining OAuth 2.0 access tokens
The following steps show how your application interacts with Google's OAuth 2.0 server to obtain
a user's consent to perform an API request on the user's behalf. Your application must have that
consent before it can execute a Google API request that requires user authorization.
The list below quickly summarizes these steps:
Your application identifies the permissions it needs.
Your application redirects the user to Google along with the list of requested
permissions.
The user decides whether to grant the permissions to your application.
Your application finds out what the user decided.
If the user granted the requested permissions, your application retrieves tokens needed to
make API requests on the user's behalf.
Step 1: Set authorization parameters
Your first step is to create the authorization request. That request sets parameters that
identify your application and define the permissions that the user will be asked to grant to
your application.
If you use a Google client library for OAuth 2.0 authentication and authorization, you
create and configure an object that defines these parameters.
If you call the Google OAuth 2.0 endpoint directly, you'll generate a URL and set the
parameters on that URL.
The tabs below define the supported authorization parameters for web server applications. The
language-specific examples also show how to use a client library or authorization library to
configure an object that sets those parameters.
PHP
The code snippet below creates a Google\Client() object, which defines the
parameters in the authorization request.
That object uses information from your client_secret.json file to identify your
application. (See creating authorization credentials for more about
that file.) The object also identifies the scopes that your application is requesting permission
to access and the URL to your application's auth endpoint, which will handle the response from
Google's OAuth 2.0 server. Finally, the code sets the optional access_type and
include_granted_scopes parameters.
For example, this code requests offline access to manage a user's YouTube
account:
Python
$client = new Google\Client();// Required, call the setAuthConfig function to load authorization credentials from
// client_secret.json file.
$client->setAuthConfig('client_secret.json');// Required, to set the scope value, call the addScope function
$client->addScope(GOOGLE_SERVICE_YOUTUBE::YOUTUBE_FORCE_SSL);// Required, call the setRedirectUri function to specify a valid redirect URI for the
// provided client_id
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');// Recommended, offline access will give you both an access and refresh token so that
// your app can refresh the access token without user interaction.
$client->setAccessType('offline');// Recommended, call the setState function. Using a state value can increase your assurance that
// an incoming connection is the result of an authentication request.
$client->setState($sample_passthrough_value);// Optional, if your application knows which user is trying to authenticate, it can use this
// parameter to provide a hint to the Google Authentication Server.
$client->setLoginHint('hint@example.com');// Optional, call the setPrompt function to set "consent" will prompt the user for consent
$client->setPrompt('consent');// Optional, call the setIncludeGrantedScopes function with true to enable incremental
// authorization
$client->setIncludeGrantedScopes(true);
The following code snippet uses the google-auth-oauthlib.flow module to construct
the authorization request.
The code constructs a Flow object, which identifies your application using
information from the client_secret.json file that you downloaded after
creating authorization credentials. That object also identifies the
scopes that your application is requesting permission to access and the URL to your application's
auth endpoint, which will handle the response from Google's OAuth 2.0 server. Finally, the code
sets the optional access_type and include_granted_scopes parameters.
For example, this code requests offline access to manage a user's YouTube
account:
Ruby
import google.oauth2.credentials
import google_auth_oauthlib.flow# Required, call the from_client_secrets_file method to retrieve the client ID from a
# client_secret.json file. The client ID (from that file) and access scopes are required. (You can
# also use the from_client_config method, which passes the client configuration as it originally
# appeared in a client secrets file but doesn't access the file itself.)
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=['https://www.googleapis.com/auth/youtube.force-ssl'])# Required, indicate where the API server will redirect the user after the user completes
# the authorization flow. The redirect URI is required. The value must exactly
# match one of the authorized redirect URIs for the OAuth 2.0 client, which you
# configured in the API Console. If this value doesn't match an authorized URI,
# you will get a 'redirect_uri_mismatch' error.
flow.redirect_uri = 'https://www.example.com/oauth2callback'# Generate URL for request to Google's OAuth 2.0 server.
# Use kwargs to set optional request parameters.
authorization_url, state = flow.authorization_url(
# Recommended, enable offline access so that you can refresh an access token without
# re-prompting the user for permission. Recommended for web server apps.
access_type='offline',
# Optional, enable incremental authorization. Recommended as a best practice.
include_granted_scopes='true',
# Optional, if your application knows which user is trying to authenticate, it can use this
# parameter to provide a hint to the Google Authentication Server.
login_hint='hint@example.com',
# Optional, set prompt to 'consent' will prompt the user for consent
prompt='consent')
Use the client_secrets.json file that you created to configure a client object in your
application. When you configure a client object, you specify the scopes your application needs to
access, along with the URL to your application's auth endpoint, which will handle the response
from the OAuth 2.0 server.
For example, this code requests offline access to manage a user's YouTube
account:
require 'google/apis/youtube_v3'
require "googleauth"
require 'googleauth/stores/redis_token_store'client_id = Google::Auth::ClientId.from_file('/path/to/client_secret.json')
scope = 'https://www.googleapis.com/auth/youtube.force-ssl'
token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
authorizer = Google::Auth::WebUserAuthorizer.new(client_id, scope, token_store, '/oauth2callback')
Your application uses the client object to perform OAuth 2.0 operations, such as generating
authorization request URLs and applying access tokens to HTTP requests.
The following code snippet creates a google.auth.OAuth2 object, which defines the
parameters in the authorization request.
That object uses information from your client_secret.json file to identify your application. To
ask for permissions from a user to retrieve an access token, you redirect them to a consent page.
To create a consent page URL:
const {google} = require('googleapis');
const crypto = require('crypto');
const express = require('express');
const session = require('express-session');/**
* To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI
* from the client_secret.json file. To get these credentials for your application, visit
* https://console.cloud.google.com/apis/credentials.
*/
const oauth2Client = new google.auth.OAuth2(
YOUR_CLIENT_ID,
YOUR_CLIENT_SECRET,
YOUR_REDIRECT_URL
);// Access scopes for read-only Drive activity.
const scopes = [
'https://www.googleapis.com/auth/drive.metadata.readonly'
];// Generate a secure random state value.
const state = crypto.randomBytes(32).toString('hex');// Store state in the session
req.session.state = state;// Generate a url that asks permissions for the Drive activity scope
const authorizationUrl = oauth2Client.generateAuthUrl({
// 'online' (default) or 'offline' (gets refresh_token)
access_type: 'offline',
/** Pass in the scopes array defined above.
* Alternatively, if only one scope is needed, you can pass a scope URL as a string */
scope: scopes,
// Enable incremental authorization. Recommended as a best practice.
include_granted_scopes: true,
// Include the state parameter to reduce the risk of CSRF attacks.
state: state
});
Important Note - The refresh_token is only returned on the first
authorization. More details
here.
Google's OAuth 2.0 endpoint is at https://accounts.google.com/o/oauth2/v2/auth. This
endpoint is accessible only over HTTPS. Plain HTTP connections are refused.
The Google authorization server supports the following query string parameters for web
server applications:
Parameters
client_idRequired
The client ID for your application. You can find this value in the
API Console
Credentials page.
redirect_uriRequired
Determines where the API server redirects the user after the user completes the
authorization flow. The value must exactly match one of the authorized redirect URIs for
the OAuth 2.0 client, which you configured in your client's
API Console
Credentials page. If this value doesn't match an
authorized redirect URI for the provided client_id you will get a
redirect_uri_mismatch error.
Note that the http or https scheme, case, and trailing slash
('/') must all match.
response_typeRequired
Determines whether the Google OAuth 2.0 endpoint returns an authorization code.
Set the parameter value to code for web server applications.
scopeRequired
A
space-delimited
list of scopes that identify the resources that your application could access on the
user's behalf. These values inform the consent screen that Google displays to the
user.
Scopes enable your application to only request access to the resources that it needs
while also enabling users to control the amount of access that they grant to your
application. Thus, there is an inverse relationship between the number of scopes requested
and the likelihood of obtaining user consent.
The YouTube Data API v3 uses the following scopes:
Scopes
https://www.googleapis.com/auth/youtubeManage your YouTube account
https://www.googleapis.com/auth/youtube.channel-memberships.creatorSee a list of your current active channel members, their current level, and when they became a member
https://www.googleapis.com/auth/youtube.force-sslSee, edit, and permanently delete your YouTube videos, ratings, comments and captions
https://www.googleapis.com/auth/youtube.readonlyView your YouTube account
https://www.googleapis.com/auth/youtube.uploadManage your YouTube videos
https://www.googleapis.com/auth/youtubepartnerView and manage your assets and associated content on YouTube
https://www.googleapis.com/auth/youtubepartner-channel-auditView private information of your YouTube channel relevant during the audit process with a YouTube partner
The OAuth 2.0 API Scopes document provides
a full list of scopes that you might use to access Google APIs.
We recommend that your application request access to authorization scopes in context
whenever possible. By requesting access to user data in context, via
incremental authorization, you help users to more easily
understand why your application needs the access it is requesting.
access_typeRecommended
Indicates whether your application can refresh access tokens when the user is not present
at the browser. Valid parameter values are online, which is the default
value, and offline.
Set the value to offline if your application needs to refresh access tokens
when the user is not present at the browser. This is the method of refreshing access
tokens described later in this document. This value instructs the Google authorization
server to return a refresh token and an access token the first time that your
application exchanges an authorization code for tokens.
stateRecommended
Specifies any string value that your application uses to maintain state between your
authorization request and the authorization server's response.
The server returns the exact value that you send as a name=value pair in the
URL query component (?) of the
redirect_uri after the user consents to or denies your application's
access request.
You can use this parameter for several purposes, such as directing the user to the
correct resource in your application, sending nonces, and mitigating cross-site request
forgery. Since your redirect_uri can be guessed, using a state
value can increase your assurance that an incoming connection is the result of an
authentication request. If you generate a random string or encode the hash of a cookie or
another value that captures the client's state, you can validate the response to
additionally ensure that the request and response originated in the same browser,
providing protection against attacks such as
cross-site request
forgery. See the
OpenID Connect
documentation for an example of how to create and confirm a state token.
Important: The OAuth client must prevent CSRF as called out in the
OAuth2 Specification
. One way to achieve this is by using the
state parameter to maintainstate between your authorization request and the authorization server's response.
include_granted_scopesOptional
Enables applications to use incremental authorization to request access to additional
scopes in context. If you set this parameter's value to true and the
authorization request is granted, then the new access token will also cover any scopes to
which the user previously granted the application access. See the
incremental authorization section for examples.
enable_granular_consentOptional
Defaults to true. If set to false,
more
granular Google Account permissions
will be disabled for OAuth client IDs created before 2019. No effect for newer
OAuth client IDs, since more granular permissions is always enabled for them.
When Google enables granular permissions for an application, this parameter will no
longer have any effect.
login_hintOptional
If your application knows which user is trying to authenticate, it can use this parameter
to provide a hint to the Google Authentication Server. The server uses the hint to
simplify the login flow either by prefilling the email field in the sign-in form or by
selecting the appropriate multi-login session.
Set the parameter value to an email address or sub identifier, which is
equivalent to the user's Google ID.
promptOptional
A space-delimited, case-sensitive list of prompts to present the user. If you don't
specify this parameter, the user will be prompted only the first time your project
requests access. See
Prompting re-consent for more information.
Possible values are:
noneDo not display any authentication or consent screens. Must not be specified with
other values.
consentPrompt the user for consent.
select_accountPrompt the user to select an account.
Step 2: Redirect to Google's OAuth 2.0 server
Redirect the user to Google's OAuth 2.0 server to initiate the authentication and
authorization process. Typically, this occurs when your application first needs to access the
user's data. In the case of incremental authorization, this
step also occurs when your application first needs to access additional resources that it does
not yet have permission to access.
PHP
Generate a URL to request access from Google's OAuth 2.0 server:
Redirect the user to
Python
Generate a URL to request access from Google's OAuth 2.0 server:
Redirect the user to
Node.js
Use the generated URL
Redirect the user to
Generate a URL to request access from Google's OAuth 2.0 server:
$auth_url = $client->createAuthUrl();
Redirect the user to
$auth_url:
header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
Python
This example shows how to redirect the user to the authorization URL using the Flask web
application framework:
Ruby
return flask.redirect(authorization_url)
Generate a URL to request access from Google's OAuth 2.0 server:
auth_uri = authorizer.get_authorization_url(login_hint: user_id, request: request)
Redirect the user to
auth_uri.Node.js
Use the generated URL
authorizationUrl from Step 1generateAuthUrl method to request access from Google's OAuth 2.0 server.Redirect the user to
authorizationUrl.res.redirect(authorizationUrl);
HTTP/REST Sample redirect to Google's authorization server
The sample URL below requests offline access
(access_type=offline) to a scope that permits access to view
the user's YouTube account. It uses incremental authorization to ensure that
the new access token covers any scopes to which the user previously granted
the application access. The URL also sets values for the required
redirect_uri,response_type, and
client_idparameters as well as for thestate
parameter. The URL contains line breaks and spaces for readability.
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
response_type=code&
client_id=client_idAfter you create the request URL, redirect the user to it.
Google's OAuth 2.0 server authenticates the user and obtains consent from the user for your
application to access the requested scopes. The response is sent back to your application
using the redirect URL you specified.
In this step, the user decides whether to grant your application the requested access. At this
stage, Google displays a consent window that shows the name of your application and the Google API
services that it is requesting permission to access with the user's authorization credentials and
a summary of the scopes of access to be granted. The
user can then consent to grant access to one or more scopes requested by your application or
refuse the request.
Your application doesn't need to do anything at this stage as it waits for the response from
Google's OAuth 2.0 server indicating whether any access was granted. That response is explained in
the following step.
Errors
Requests to Google's OAuth 2.0 authorization endpoint may display user-facing error messages
instead of the expected authentication and authorization flows. Common error codes and suggested
resolutions are listed below.
admin_policy_enforcedThe Google Account is unable to authorize one or more scopes requested due to the policies of
their Google Workspace administrator. See the Google Workspace Admin help article
Control which third-party & internal apps access Google Workspace data
for more information about how an administrator may restrict access to all scopes or sensitive and
restricted scopes until access is explicitly granted to your OAuth client ID.
disallowed_useragentThe authorization endpoint is displayed inside an embedded user-agent disallowed by Google's
OAuth 2.0 Policies.
Android
Android developers may encounter this error message when opening authorization requests in
android.webkit.WebView.
Developers should instead use Android libraries such as
Google Sign-In for Android or OpenID Foundation's
AppAuth for Android.
Web developers may encounter this error when an Android app opens a general web link in an
embedded user-agent and a user navigates to Google's OAuth 2.0 authorization endpoint from
your site. Developers should allow general links to open in the default link handler of the
operating system, which includes both
Android App Links
handlers or the default browser app. The
Android Custom Tabs
library is also a supported option.
iOS
iOS and macOS developers may encounter this error when opening authorization requests in
WKWebView.
Developers should instead use iOS libraries such as
Google Sign-In for iOS or OpenID Foundation's
AppAuth for iOS.
Web developers may encounter this error when an iOS or macOS app opens a general web link in
an embedded user-agent and a user navigates to Google's OAuth 2.0 authorization endpoint from
your site. Developers should allow general links to open in the default link handler of the
operating system, which includes both
Universal Links
handlers or the default browser app. The
SFSafariViewController
library is also a supported option.
org_internalThe OAuth client ID in the request is part of a project limiting access to Google Accounts in a
specific
Google Cloud Organization.
For more information about this configuration option see the
User type
section in the Setting up your OAuth consent screen help article.
invalid_client The OAuth client secret is incorrect. Review the
OAuth client
configuration, including the client ID and secret used for this request.
invalid_grant
When refreshing an access token or using
incremental authorization, the token may have expired or has
been invalidated.
Authenticate the user again and ask for user consent to obtain new tokens. If you are continuing
to see this error, ensure that your application has been configured correctly and that you are
using the correct tokens and parameters in your request. Otherwise, the user account may have
been deleted or disabled.
redirect_uri_mismatchThe redirect_uri passed in the authorization request does not match an authorized
redirect URI for the OAuth client ID. Review authorized redirect URIs in the
Google API Console Credentials page.
The redirect_uri parameter may refer to the OAuth out-of-band (OOB) flow that has
been deprecated and is no longer supported. Refer to the
migration guide to update your
integration.
invalid_requestThere was something wrong with the request you made. This could be due to a number of reasons:
The request was not properly formatted
The request was missing required parameters
The request uses an authorization method that Google doesn't support. Verify your OAuth
integration uses a recommended integration method
Step 4: Handle the OAuth 2.0 server response Important:
Before handling the OAuth 2.0 response on the server, you should confirm that the
state received from Google matches the state sent in theauthorization request. This verification helps to ensure that the user, not a malicious
script, is making the request and reduces the risk of
CSRF attacks.
The OAuth 2.0 server responds to your application's access request by using the URL specified
in the request.
If the user approves the access request, then the response contains an authorization code. If
the user does not approve the request, the response contains an error message. The
authorization code or error message that is returned to the web server appears on the query
string, as shown below:
An error response:
https://oauth2.example.com/auth?error=access_denied
An authorization code response:
Important: If your response endpoint renders an
https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
HTML page, any resources on that page will be able to see the authorization code in the URL.
Scripts can read the URL directly, and the URL in the
Referer HTTP header may besent to any or all resources on the page.
Carefully consider whether you want to send authorization credentials to all resources on
that page (especially third-party scripts such as social plugins and analytics). To avoid
this issue, we recommend that the server first handle the request, then redirect to another
URL that doesn't include the response parameters.
You can test this flow by clicking on the following sample URL, which requests
read-only access to view metadata for files in your Google Drive:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
response_type=code&
client_id=client_id
After completing the OAuth 2.0 flow, you should be redirected to
http://localhost/oauth2callback, which will likely yield a
404 NOT FOUND error unless your local machine serves a file at that address. The
next step provides more detail about the information returned in the URI when the user is
redirected back to your application.
tokens
After the web server receives the authorization code, it can exchange the authorization code
for an access token.
PHP
Fields
The client ID obtained from the API Console
Credentials page.
The client secret obtained from the API Console
Credentials page.
The authorization code returned from the initial request.
As defined in the OAuth 2.0
specification, this field's value must be set to
One of the redirect URIs listed for your project in the
API Console
Credentials page for the given
Fields
The token that your application sends to authorize a Google API request.
The remaining lifetime of the access token in seconds.
A token that you can use to obtain a new access token. Refresh tokens are valid until the
user revokes access.
Again, this field is only present in this response if you set the
parameter to
The scopes of access granted by the
space-delimited, case-sensitive strings.
The type of token returned. At this time, this field's value is always set to
Important: Your application should store both tokens in a secure,
long-lived location that is accessible between different invocations of your application. The
refresh token enables your application to obtain a new access token if the one that you have
expires. As such, if your application loses the refresh token, the user will need to repeat the
OAuth 2.0 consent flow so that your application can obtain a new refresh token.
the response.
To exchange an authorization code for an access token, use the authenticate
method:
$client->authenticate($_GET['code']);
You can retrieve the access token with the getAccessToken method:
Python
$access_token = $client->getAccessToken();
On your callback page, use the google-auth library to verify the authorization
server response. Then, use the flow.fetch_token method to exchange the authorization
code in that response for an access token:
Ruby
state = flask.session['state']
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=['https://www.googleapis.com/auth/youtube.force-ssl'],
state=state)
flow.redirect_uri = flask.url_for('oauth2callback', _external=True)authorization_response = flask.request.url
flow.fetch_token(authorization_response=authorization_response)# Store the credentials in the session.
# ACTION ITEM for developers:
# Store user's access and refresh tokens in your data store if
# incorporating this code into your real app.
credentials = flow.credentials
flask.session['credentials'] = {
'token': credentials.token,
'refresh_token': credentials.refresh_token,
'token_uri': credentials.token_uri,
'client_id': credentials.client_id,
'client_secret': credentials.client_secret,
'scopes': credentials.scopes}
On your callback page, use the googleauth library to verify the authorization server
response. Use the authorizer.handle_auth_callback_deferred method to save the
authorization code and redirect back to the URL that originally requested authorization. This
defers the exchange of the code by temporarily stashing the results in the user's session.
Node.js
target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)
redirect target_url
To exchange an authorization code for an access token, use the getToken
method:
HTTP/REST
const url = require('url');// Receive the callback from Google's OAuth 2.0 server.
app.get('/oauth2callback', async (req, res) => {
let q = url.parse(req.url, true).query; if (q.error) { // An error response e.g. error=access_denied
console.log('Error:' + q.error);
} else if (q.state !== req.session.state) { //check state value
console.log('State mismatch. Possible CSRF attack');
res.end('State mismatch. Possible CSRF attack');
} else { // Get access and refresh tokens (if access_type is offline) let { tokens } = await oauth2Client.getToken(q.code);
oauth2Client.setCredentials(tokens);
});
To exchange an authorization code for an access token, call the
https://oauth2.googleapis.com/token endpoint and set the following parameters:
Fields
client_idThe client ID obtained from the API Console
Credentials page.
client_secretThe client secret obtained from the API Console
Credentials page.
codeThe authorization code returned from the initial request.
grant_typeAs defined in the OAuth 2.0
specification, this field's value must be set to
authorization_code.redirect_uriOne of the redirect URIs listed for your project in the
API Console
Credentials page for the given
client_id.The following snippet shows a sample request:
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencodedcode=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=https%3A//oauth2.example.com/code&
grant_type=authorization_code
Google responds to this request by returning a JSON object that contains a short-lived access
token and a refresh token. Note that the refresh token is only returned if your application set the access_type
parameter to offline in the initial request to Google's
authorization server.
The response contains the following fields:
Fields
access_tokenThe token that your application sends to authorize a Google API request.
expires_inThe remaining lifetime of the access token in seconds.
refresh_tokenA token that you can use to obtain a new access token. Refresh tokens are valid until the
user revokes access.
Again, this field is only present in this response if you set the
access_typeparameter to
offline in the initial request to Google's authorization server.scopeThe scopes of access granted by the
access_token expressed as a list ofspace-delimited, case-sensitive strings.
token_typeThe type of token returned. At this time, this field's value is always set to
Bearer.Important: Your application should store both tokens in a secure,
long-lived location that is accessible between different invocations of your application. The
refresh token enables your application to obtain a new access token if the one that you have
expires. As such, if your application loses the refresh token, the user will need to repeat the
OAuth 2.0 consent flow so that your application can obtain a new refresh token.
The following snippet shows a sample response:
Note: Your application should ignore any unrecognized fields included in
{
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in": 3920,
"token_type": "Bearer",
"scope": "https://www.googleapis.com/auth/youtube.force-ssl",
"refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
the response.
Errors
When exchanging the authorization code for an access token you may encounter the following
error instead of the expected response. Common error codes and suggested resolutions are
listed below.
invalid_grant The supplied authorization code is invalid or in the wrong format. Request a new code by
restarting the OAuth process to prompt the user for consent
again.
Calling Google APIs
PHP
If you need to apply an access token to a new
example, if you stored the access token in a user session — use the
Build a service object for the API that you want to call. You build a service object by
providing an authorized
want to call.
For example, to call the YouTube Data API:
Make requests to the API service using the
interface provided by the service object.
For example, to retrieve data about the authorized user's YouTube channel:
Python
Build a service object for the API that you want to call. You build a service object by
calling the
name and version of the API and the user credentials:
For example, to call version 3 of the YouTube Data API:
Make requests to the API service using the
interface provided by the service object.
For example, to retrieve data about the authorized user's YouTube channel:
Ruby
Build a service object for the API that you want to call.
For example, to call version 3 of the YouTube Data API:
Set the credentials on the service:
Make requests to the API service using the
interface
provided by the service object.
For example, to retrieve data about the authorized user's YouTube channel:
Node.js
Use the access token to call Google APIs by completing the following steps:
If you need to apply an access token to a new
Google\Client object — forexample, if you stored the access token in a user session — use the
setAccessToken method:
$client->setAccessToken($access_token);
Build a service object for the API that you want to call. You build a service object by
providing an authorized
Google\Client object to the constructor for the API youwant to call.
For example, to call the YouTube Data API:
$youtube = new Google_Service_YouTube($client);
Make requests to the API service using the
interface provided by the service object.
For example, to retrieve data about the authorized user's YouTube channel:
$channel = $youtube->channels->listChannels('snippet', array('mine' => $mine));
Python
After obtaining an access token, your application can use that token to authorize API requests on
behalf of a given user account or service account. Use the user-specific authorization credentials
to build a service object for the API that you want to call, and then use that object to make
authorized API requests.
Build a service object for the API that you want to call. You build a service object by
calling the
googleapiclient.discovery library's build method with thename and version of the API and the user credentials:
For example, to call version 3 of the YouTube Data API:
from googleapiclient.discovery import buildyoutube = build('youtube', 'v3', credentials=credentials)
Make requests to the API service using the
interface provided by the service object.
For example, to retrieve data about the authorized user's YouTube channel:
channel = youtube.channels().list(mine=True, part='snippet').execute()
Ruby
After obtaining an access token, your application can use that token to make API requests on
behalf of a given user account or service account. Use the user-specific authorization credentials
to build a service object for the API that you want to call, and then use that object to make
authorized API requests.
Build a service object for the API that you want to call.
For example, to call version 3 of the YouTube Data API:
youtube = Google::Apis::YoutubeV3::YouTubeService.new
Set the credentials on the service:
youtube.authorization = credentials
Make requests to the API service using the
interface
provided by the service object.
For example, to retrieve data about the authorized user's YouTube channel:
channel = youtube.list_channels(part, :mine => mine)
Alternately, authorization can be provided on a per-method basis by supplying the
options parameter to a method:
channel = youtube.list_channels(part, :mine => mine, options: { authorization: auth_client })
Node.js
After obtaining an access token and setting it to the OAuth2 object, use the object
to call Google APIs. Your application can use that token to authorize API requests on behalf of
a given user account or service account. Build a service object for the API that you want to call.
HTTP/REST
const { google } = require('googleapis');// Example of using Google Drive API to list filenames in user's Drive.
const drive = google.drive('v3');
drive.files.list({
auth: oauth2Client,
pageSize: 10,
fields: 'nextPageToken, files(id, name)',
}, (err1, res1) => {
if (err1) return console.log('The API returned an error: ' + err1);
const files = res1.data.files;
if (files.length) {
console.log('Files:');
files.map((file) => {
console.log(`${file.name} (${file.id})`);
});
} else {
console.log('No files found.');
}
});
After your application obtains an access token, you can use the token to make calls to a Google
API on behalf of a given
user account if the scope(s) of access required by the API have been granted. To do this, include
the access token in a request to the API by including either an access_token query
parameter or an Authorization HTTP header Bearer value. When possible,
the HTTP header is preferable, because query strings tend to be visible in server logs. In most
cases you can use a client library to set up your calls to Google APIs (for example, when
calling the YouTube Data API).
Note that the YouTube Data API supports service accounts only for YouTube
content owners that own and manage multiple YouTube channels, such as record
labels and movie studios.
You can try out all the Google APIs and view their scopes at the
OAuth 2.0 Playground.
A call to the
youtube.channels
endpoint (the YouTube Data API) using the Authorization: Bearer HTTP
header might look like the following. Note that you need to specify your own access token:
GET /youtube/v3/channels?part=snippet&mine=true HTTP/1.1
Host: www.googleapis.com
Authorization: Bearer access_token
Here is a call to the same API for the authenticated user using the access_token
query string parameter:
GET https://www.googleapis.com/youtube/v3/channels?access_token=access_token&part=snippet&mine=true
curl examplesYou can test these commands with the curl command-line application. Here's an
example that uses the HTTP header option (preferred):
curl -H "Authorization: Bearer access_token" https://www.googleapis.com/youtube/v3/channels?part=snippet&mine=true
Or, alternatively, the query string parameter option:
curl https://www.googleapis.com/youtube/v3/channels?access_token=access_token&part=snippet&mine=true
Complete example
The following example prints a JSON-formatted object showing information
about a user's YouTube channel after the user authenticates and authorizes the
application to manage the user's YouTube account.
PHP
In the API Console, add the URL of the local machine to the
list of redirect URLs. For example, add
Create a new directory and change to it. For example:
Install the Google API Client
Library for PHP using Composer:
Create the files
below.
Run the example with a web server configured to serve PHP. If you use PHP 5.6 or newer, you
can use PHP's built-in test web server:
index.php
Test an API request: This link points to a page that tries to execute a sample API
request. If necessary, it starts the authorization flow. If successful, the page displays the
API response.
Test the auth flow directly: This link points to a page that tries to send the user
through the authorization flow. The app requests permission to
submit authorized API requests on the user's behalf.
Revoke current credentials: This link points to a page that
revokes permissions that the user has already granted to the application.
Clear Flask session credentials: This link clears authorization credentials that are
stored in the Flask session. This lets you see what would happen if a user who had already
granted permission to your app tried to execute an API request in a new session. It also lets
you see the API response your app would get if a user had revoked permissions granted to your
app, and your app still tried to authorize a request with a revoked access token.
Note: To run this code locally, you must have followed the directions in
the prerequisites section, including setting
the client_secret.json file for those credentials to your working directory.
In the API Console, add the URL of the
local machine to the list of redirect URLs. For example, add
Make sure you have maintenance LTS, active LTS, or current release of
Node.js installed.
Create a new directory and change to it. For example:
To run this example:
In the API Console, add the URL of the local machine to the
list of redirect URLs. For example, add
http://localhost:8080.Create a new directory and change to it. For example:
mkdir ~/php-oauth2-example
cd ~/php-oauth2-example
Install the Google API Client
Library for PHP using Composer:
composer require google/apiclient:^2.10
Create the files
index.php and oauth2callback.php with the contentbelow.
Run the example with a web server configured to serve PHP. If you use PHP 5.6 or newer, you
can use PHP's built-in test web server:
php -S localhost:8080 ~/php-oauth2-example
index.php
oauth2callback.php
<?php
require_once __DIR__.'/vendor/autoload.php';session_start();$client = new Google\Client();
$client->setAuthConfig('client_secrets.json');
$client->addScope(GOOGLE_SERVICE_YOUTUBE::YOUTUBE_FORCE_SSL);if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
$client->setAccessToken($_SESSION['access_token']);
$youtube = new Google_Service_YouTube($client);
$channel = $youtube->channels->listChannels('snippet', array('mine' => $mine));
echo json_encode($channel);
} else {
$redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php';
header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
}
Python
<?php
require_once __DIR__.'/vendor/autoload.php';session_start();$client = new Google\Client();
$client->setAuthConfigFile('client_secrets.json');
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');
$client->addScope(GOOGLE_SERVICE_YOUTUBE::YOUTUBE_FORCE_SSL);if (! isset($_GET['code'])) {
// Generate and set state value
$state = bin2hex(random_bytes(16));
$client->setState($state);
$_SESSION['state'] = $state; $auth_url = $client->createAuthUrl();
header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
} else {
// Check the state value
if (!isset($_GET['state']) || $_GET['state'] !== $_SESSION['state']) {
die('State mismatch. Possible CSRF attack.');
}
$client->authenticate($_GET['code']);
$_SESSION['access_token'] = $client->getAccessToken();
$redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/';
header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
}
This example uses the Flask framework. It
runs a web application at http://localhost:8080 that lets you test the OAuth 2.0
flow. If you go to that URL, you should see four links:
Test an API request: This link points to a page that tries to execute a sample API
request. If necessary, it starts the authorization flow. If successful, the page displays the
API response.
Test the auth flow directly: This link points to a page that tries to send the user
through the authorization flow. The app requests permission to
submit authorized API requests on the user's behalf.
Revoke current credentials: This link points to a page that
revokes permissions that the user has already granted to the application.
Clear Flask session credentials: This link clears authorization credentials that are
stored in the Flask session. This lets you see what would happen if a user who had already
granted permission to your app tried to execute an API request in a new session. It also lets
you see the API response your app would get if a user had revoked permissions granted to your
app, and your app still tried to authorize a request with a revoked access token.
Note: To run this code locally, you must have followed the directions in
the prerequisites section, including setting
http://localhost:8080 as a valid redirect URI for your credentials and downloadingthe client_secret.json file for those credentials to your working directory.
Ruby
# -*- coding: utf-8 -*-import os
import flask
import requestsimport google.oauth2.credentials
import google_auth_oauthlib.flow
import googleapiclient.discovery# This variable specifies the name of a file that contains the OAuth 2.0
# information for this application, including its client_id and client_secret.
CLIENT_SECRETS_FILE = "client_secret.json"# This OAuth 2.0 access scope allows for full read/write access to the
# authenticated user's account and requires requests to use an SSL connection.
SCOPES = ['https://www.googleapis.com/auth/youtube.force-ssl']
API_SERVICE_NAME = 'youtube'
API_VERSION = 'v3'app = flask.Flask(__name__)
# Note: A secret key is included in the sample so that it works.
# If you use this code in your application, replace this with a truly secret
# key. See https://flask.palletsprojects.com/quickstart/#sessions.
app.secret_key = 'REPLACE ME - this value is here as a placeholder.'
@app.route('/')
def index():
return print_index_table()
@app.route('/test')
def test_api_request():
if 'credentials' not in flask.session:
return flask.redirect('authorize') # Load credentials from the session.
credentials = google.oauth2.credentials.Credentials(
**flask.session['credentials']) youtube = googleapiclient.discovery.build(
API_SERVICE_NAME, API_VERSION, credentials=credentials) channel = youtube.channels().list(mine=True, part='snippet').execute() # Save credentials back to session in case access token was refreshed.
# ACTION ITEM: In a production app, you likely want to save these
# credentials in a persistent database instead.
flask.session['credentials'] = credentials_to_dict(credentials) return flask.jsonify(**channel)
@app.route('/authorize')
def authorize():
# Create flow instance to manage the OAuth 2.0 Authorization Grant Flow steps.
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
CLIENT_SECRETS_FILE, scopes=SCOPES) # The URI created here must exactly match one of the authorized redirect URIs
# for the OAuth 2.0 client, which you configured in the API Console. If this
# value doesn't match an authorized URI, you will get a 'redirect_uri_mismatch'
# error.
flow.redirect_uri = flask.url_for('oauth2callback', _external=True) authorization_url, state = flow.authorization_url(
# Enable offline access so that you can refresh an access token without
# re-prompting the user for permission. Recommended for web server apps.
access_type='offline',
# Enable incremental authorization. Recommended as a best practice.
include_granted_scopes='true') # Store the state so the callback can verify the auth server response.
flask.session['state'] = state return flask.redirect(authorization_url)
@app.route('/oauth2callback')
def oauth2callback():
# Specify the state when creating the flow in the callback so that it can
# verified in the authorization server response.
state = flask.session['state'] flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
CLIENT_SECRETS_FILE, scopes=SCOPES, state=state)
flow.redirect_uri = flask.url_for('oauth2callback', _external=True) # Use the authorization server's response to fetch the OAuth 2.0 tokens.
authorization_response = flask.request.url
flow.fetch_token(authorization_response=authorization_response) # Store credentials in the session.
# ACTION ITEM: In a production app, you likely want to save these
# credentials in a persistent database instead.
credentials = flow.credentials
flask.session['credentials'] = credentials_to_dict(credentials) return flask.redirect(flask.url_for('test_api_request'))
@app.route('/revoke')
def revoke():
if 'credentials' not in flask.session:
return ('You need to <a href="/authorize">authorize</a> before ' +
'testing the code to revoke credentials.') credentials = google.oauth2.credentials.Credentials(
**flask.session['credentials']) revoke = requests.post('https://oauth2.googleapis.com/revoke',
params={'token': credentials.token},
headers = {'content-type': 'application/x-www-form-urlencoded'}) status_code = getattr(revoke, 'status_code')
if status_code == 200:
return('Credentials successfully revoked.' + print_index_table())
else:
return('An error occurred.' + print_index_table())
@app.route('/clear')
def clear_credentials():
if 'credentials' in flask.session:
del flask.session['credentials']
return ('Credentials have been cleared.<br><br>' +
print_index_table())
def credentials_to_dict(credentials):
return {'token': credentials.token,
'refresh_token': credentials.refresh_token,
'token_uri': credentials.token_uri,
'client_id': credentials.client_id,
'client_secret': credentials.client_secret,
'scopes': credentials.scopes}def print_index_table():
return ('<table>' +
'<tr><td><a href="/test">Test an API request</a></td>' +
'<td>Submit an API request and see a formatted JSON response. ' +
' Go through the authorization flow if there are no stored ' +
' credentials for the user.</td></tr>' +
'<tr><td><a href="/authorize">Test the auth flow directly</a></td>' +
'<td>Go directly to the authorization flow. If there are stored ' +
' credentials, you still might not be prompted to reauthorize ' +
' the application.</td></tr>' +
'<tr><td><a href="/revoke">Revoke current credentials</a></td>' +
'<td>Revoke the access token associated with the current user ' +
' session. After revoking credentials, if you go to the test ' +
' page, you should see an <code>invalid_grant</code> error.' +
'</td></tr>' +
'<tr><td><a href="/clear">Clear Flask session credentials</a></td>' +
'<td>Clear the access token currently stored in the user session. ' +
' After clearing the token, if you <a href="/test">test the ' +
' API request</a> again, you should go back to the auth flow.' +
'</td></tr></table>')
if __name__ == '__main__':
# When running locally, disable OAuthlib's HTTPs verification.
# ACTION ITEM for developers:
# When running in production *do not* leave this option enabled.
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # Specify a hostname and port that are set as a valid redirect URI
# for your API project in the Google API Console.
app.run('localhost', 8080, debug=True)
This example uses the Sinatra framework.
Node.js
require 'google/apis/youtube_v3'
require 'sinatra'
require 'googleauth'
require 'googleauth/stores/redis_token_store'configure do
enable :sessions set :client_id, Google::Auth::ClientId.from_file('/path/to/client_secret.json')
set :scope, Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY
set :token_store, Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
set :authorizer, Google::Auth::WebUserAuthorizer.new(settings.client_id, settings.scope, settings.token_store, '/oauth2callback')
endget '/' do
user_id = settings.client_id.id
credentials = settings.authorizer.get_credentials(user_id, request)
if credentials.nil?
redirect settings.authorizer.get_authorization_url(login_hint: user_id, request: request)
end
youtube = Google::Apis::YoutubeV3::YouTubeService.new
channel = youtube.list_channels(part, :mine => mine, options: { authorization: auth_client })
"<pre>#{JSON.pretty_generate(channel.to_h)}</pre>"
endget '/oauth2callback' do
target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)
redirect target_url
end
To run this example:
In the API Console, add the URL of the
local machine to the list of redirect URLs. For example, add
http://localhost.Make sure you have maintenance LTS, active LTS, or current release of
Node.js installed.
Create a new directory and change to it. For example:
mkdir ~/nodejs-oauth2-example
cd ~/nodejs-oauth2-example
Install the
Google API Client
Library
for Node.js using npm:
npm install googleapis
Create the filesmain.jswith the content below.
Run the example:
node .\main.js
main.js
HTTP/REST
const http = require('http');
const https = require('https');
const url = require('url');
const { google } = require('googleapis');
const crypto = require('crypto');
const express = require('express');
const session = require('express-session');/**
* To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI.
* To get these credentials for your application, visit
* https://console.cloud.google.com/apis/credentials.
*/
const oauth2Client = new google.auth.OAuth2(
YOUR_CLIENT_ID,
YOUR_CLIENT_SECRET,
YOUR_REDIRECT_URL
);// Access scopes for read-only Drive activity.
const scopes = [
'https://www.googleapis.com/auth/drive.metadata.readonly'
];
/* Global variable that stores user credential in this code example.
* ACTION ITEM for developers:
* Store user's refresh token in your data store if
* incorporating this code into your real app.
* For more information on handling refresh tokens,
* see https://github.com/googleapis/google-api-nodejs-client#handling-refresh-tokens
*/
let userCredential = null;async function main() {
const app = express(); app.use(session({
secret: 'your_secure_secret_key', // Replace with a strong secret
resave: false,
saveUninitialized: false,
})); // Example on redirecting user to Google's OAuth 2.0 server.
app.get('/', async (req, res) => {
// Generate a secure random state value.
const state = crypto.randomBytes(32).toString('hex');
// Store state in the session
req.session.state = state; // Generate a url that asks permissions for the Drive activity scope
const authorizationUrl = oauth2Client.generateAuthUrl({
// 'online' (default) or 'offline' (gets refresh_token)
access_type: 'offline',
/** Pass in the scopes array defined above.
* Alternatively, if only one scope is needed, you can pass a scope URL as a string */
scope: scopes,
// Enable incremental authorization. Recommended as a best practice.
include_granted_scopes: true,
// Include the state parameter to reduce the risk of CSRF attacks.
state: state
}); res.redirect(authorizationUrl);
}); // Receive the callback from Google's OAuth 2.0 server.
app.get('/oauth2callback', async (req, res) => {
// Handle the OAuth 2.0 server response
let q = url.parse(req.url, true).query; if (q.error) { // An error response e.g. error=access_denied
console.log('Error:' + q.error);
} else if (q.state !== req.session.state) { //check state value
console.log('State mismatch. Possible CSRF attack');
res.end('State mismatch. Possible CSRF attack');
} else { // Get access and refresh tokens (if access_type is offline)
let { tokens } = await oauth2Client.getToken(q.code);
oauth2Client.setCredentials(tokens); /** Save credential to the global variable in case access token was refreshed.
* ACTION ITEM: In a production app, you likely want to save the refresh token
* in a secure persistent database instead. */
userCredential = tokens; // Example of using Google Drive API to list filenames in user's Drive.
const drive = google.drive('v3');
drive.files.list({
auth: oauth2Client,
pageSize: 10,
fields: 'nextPageToken, files(id, name)',
}, (err1, res1) => {
if (err1) return console.log('The API returned an error: ' + err1);
const files = res1.data.files;
if (files.length) {
console.log('Files:');
files.map((file) => {
console.log(`${file.name} (${file.id})`);
});
} else {
console.log('No files found.');
}
});
}
}); // Example on revoking a token
app.get('/revoke', async (req, res) => {
// Build the string for the POST request
let postData = "token=" + userCredential.access_token; // Options for POST request to Google's OAuth 2.0 server to revoke a token
let postOptions = {
host: 'oauth2.googleapis.com',
port: '443',
path: '/revoke',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': Buffer.byteLength(postData)
}
}; // Set up the request
const postReq = https.request(postOptions, function (res) {
res.setEncoding('utf8');
res.on('data', d => {
console.log('Response: ' + d);
});
}); postReq.on('error', error => {
console.log(error)
}); // Post the request with data
postReq.write(postData);
postReq.end();
});
const server = http.createServer(app);
server.listen(80);
}
main().catch(console.error);
This Python example uses the Flask framework
and the Requests library to demonstrate the OAuth
2.0 web flow. We recommend using the Google API Client Library for Python for this flow. (The
example in the Python tab does use the client library.)
import jsonimport flask
import requests
app = flask.Flask(__name__)CLIENT_ID = '123456789.apps.googleusercontent.com'
CLIENT_SECRET = 'abc123' # Read from a file or environmental variable in a real app
SCOPE = 'https://www.googleapis.com/auth/youtube.force-ssl'
REDIRECT_URI = 'http://example.com/oauth2callback'
@app.route('/')
def index():
if 'credentials' not in flask.session:
return flask.redirect(flask.url_for('oauth2callback'))
credentials = json.loads(flask.session['credentials'])
if credentials['expires_in'] <= 0:
return flask.redirect(flask.url_for('oauth2callback'))
else:
headers = {'Authorization': 'Bearer {}'.format(credentials['access_token'])}
req_uri = 'https://www.googleapis.com/youtube/v3/channels/list'
r = requests.get(req_uri, headers=headers)
return r.text
@app.route('/oauth2callback')
def oauth2callback():
if 'code' not in flask.request.args:
state = str(uuid.uuid4())
flask.session['state'] = state
auth_uri = ('https://accounts.google.com/o/oauth2/v2/auth?response_type=code'
'&client_id={}&redirect_uri={}&scope={}&state={}').format(CLIENT_ID, REDIRECT_URI,
SCOPE, state)
return flask.redirect(auth_uri)
else:
if 'state' not in flask.request.args or flask.request.args['state'] != flask.session['state']:
return 'State mismatch. Possible CSRF attack.', 400 auth_code = flask.request.args.get('code')
data = {'code': auth_code,
'client_id': CLIENT_ID,
'client_secret': CLIENT_SECRET,
'redirect_uri': REDIRECT_URI,
'grant_type': 'authorization_code'}
r = requests.post('https://oauth2.googleapis.com/token', data=data)
flask.session['credentials'] = r.text
return flask.redirect(flask.url_for('index'))
if __name__ == '__main__':
import uuid
app.secret_key = str(uuid.uuid4())
app.debug = False
app.run()
Redirect URI validation rules
Google applies the following validation rules to redirect URIs in order to help developers
keep their applications secure. Your redirect URIs must adhere to these rules. See
RFC 3986 section 3 for the
definition of domain, host, path, query, scheme and userinfo, mentioned below.
Validation rules
Scheme
Redirect URIs must use the HTTPS scheme, not plain HTTP. Localhost URIs (including
localhost IP address URIs) are exempt from this rule.
Host
Hosts cannot be raw IP addresses. Localhost IP addresses are exempted from this rule.
Domain
Host TLDs
(Top Level Domains)
must belong to the public suffix list.
Host domains cannot be
“googleusercontent.com”.Redirect URIs cannot contain URL shortener domains (e.g.
goo.gl) unlessthe app owns the domain. Furthermore, if an app that owns a shortener domain chooses to
redirect to that domain, that redirect URI must either contain
“/google-callback/” in its path or end with“/google-callback”.Userinfo
Redirect URIs cannot contain the userinfo subcomponent.
Path
Redirect URIs cannot contain a path traversal (also called directory backtracking),
which is represented by an “/..” or “\..” or their URL
encoding.
Query
Redirect URIs cannot contain
open redirects.
Fragment
Redirect URIs cannot contain the fragment component.
Characters
Redirect URIs cannot contain certain characters including:
Wildcard characters (
'*')Non-printable ASCII characters
Invalid percent encodings (any percent encoding that does not follow URL-encoding
form of a percent sign followed by two hexadecimal digits)
Null characters (an encoded NULL character, e.g.,
%00,%C0%80)Incremental authorization
In the OAuth 2.0 protocol, your app requests authorization to access resources, which are
identified by scopes. It is considered a best user-experience practice to request authorization
for resources at the time you need them. To enable that practice, Google's authorization server
supports incremental authorization. This feature lets you request scopes as they are needed and,
if the user grants permission for the new scope, returns an authorization code that may be
exchanged for a token containing all scopes the user has granted the project.
For example, suppose an app helps users identify interesting local events.
The app lets users view videos about the events, rate the videos, and add the
videos to playlists. Users can also use the app to add events to their Google
Calendars.
In this case, at sign-in time, the app might not need or request access to
any scopes. However, if the user tried to rate a video, add a video to a
playlist, or perform another YouTube action, the app could request access to
the https://www.googleapis.com/auth/youtube.force-ssl scope.
Similarly, the app could request access to the
https://www.googleapis.com/auth/calendar scope if the user tried
to add a calendar event.
To implement incremental authorization, you complete the normal flow for requesting an access
token but make sure that the authorization request includes previously granted scopes. This
approach allows your app to avoid having to manage multiple access tokens.
The following rules apply to an access token obtained from an incremental authorization:
The token can be used to access resources corresponding to any of the scopes rolled into the
new, combined authorization.
When you use the refresh token for the combined authorization to obtain an access token, the
access token represents the combined authorization and can be used for any of the
scope values included in the response.The combined authorization includes all scopes that the user granted to the API project even
if the grants were requested from different clients. For example, if a user granted access to
one scope using an application's desktop client and then granted another scope to the same
application via a mobile client, the combined authorization would include both scopes.
If you revoke a token that represents a combined authorization, access to all of that
authorization's scopes on behalf of the associated user are revoked simultaneously.
Caution: choosing to include granted scopes will automatically add
scopes previously granted by the user to your authorization request. A warning or error page may
be displayed if your app is not currently approved to request all scopes that may be returned in
the response. See
Unverified apps for
more information.
The language-specific code samples in Step 1: Set authorization
parameters and the sample HTTP/REST redirect URL in Step 2:
Redirect to Google's OAuth 2.0 server all use incremental authorization. The code samples
below also show the code that you need to add to use incremental authorization.
PHP
Python
$client->setIncludeGrantedScopes(true);
In Python, set the include_granted_scopes keyword argument to true to
ensure that an authorization request includes previously granted scopes. It is very possible that
include_granted_scopes will not be the only keyword argument that you set, as
shown in the example below.
Ruby
authorization_url, state = flow.authorization_url(
# Enable offline access so that you can refresh an access token without
# re-prompting the user for permission. Recommended for web server apps.
access_type='offline',
# Enable incremental authorization. Recommended as a best practice.
include_granted_scopes='true')
Node.js
auth_client.update!(
:additional_parameters => {"include_granted_scopes" => "true"}
)
HTTP/REST
const authorizationUrl = oauth2Client.generateAuthUrl({
// 'online' (default) or 'offline' (gets refresh_token)
access_type: 'offline',
/** Pass in the scopes array defined above.
* Alternatively, if only one scope is needed, you can pass a scope URL as a string */
scope: scopes,
// Enable incremental authorization. Recommended as a best practice.
include_granted_scopes: true
});
In this example, the calling application requests access to retrieve the
user's YouTube Analytics data in addition to any other access that the user
has already granted to the application.
GET https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyt-analytics.readonly&
access_type=offline&
state=security_token%3D138rk%3Btarget_url%3Dhttp...index&
redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
response_type=code&
client_id=client_id&
include_granted_scopes=true
Refreshing an access token (offline access)
Access tokens periodically expire and become invalid credentials for a related API request. You
can refresh an access token without prompting the user for permission (including when the user is
not present) if you requested offline access to the scopes associated with the token.
If you use a Google API Client Library, the client object refreshes
the access token as needed as long as you configure that object for offline access.
If you are not using a client library, you need to set the
access_type HTTPquery parameter to
offline when redirecting the user toGoogle's OAuth 2.0 server. In that case, Google's authorization server returns a
refresh token when you exchange an authorization
code for an access token. Then, if the access token expires (or at any other time), you
can use a refresh token to obtain a new access token.
Requesting offline access is a requirement for any application that needs to access a Google
API when the user is not present. For example, an app that performs backup services or
executes actions at predetermined times needs to be able to refresh its access token when the
user is not present. The default style of access is called online.
Server-side web applications, installed applications, and devices all obtain refresh tokens
during the authorization process. Refresh tokens are not typically used in client-side
(JavaScript) web applications.
PHP
Revoking a tokenIf your application needs offline access to a Google API, set the API client's access type to
offline:
$client->setAccessType("offline");
After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.
In Python, set the access_type keyword argument to offline to ensure
that you will be able to refresh the access token without having to re-prompt the user for
permission. It is very possible that access_type will not be the only keyword
argument that you set, as shown in the example below.
authorization_url, state = flow.authorization_url(
# Enable offline access so that you can refresh an access token without
# re-prompting the user for permission. Recommended for web server apps.
access_type='offline',
# Enable incremental authorization. Recommended as a best practice.
include_granted_scopes='true')
After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.
If your application needs offline access to a Google API, set the API client's access type to
offline:
auth_client.update!(
:additional_parameters => {"access_type" => "offline"}
)
After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.
If your application needs offline access to a Google API, set the API client's access type to
offline:
const authorizationUrl = oauth2Client.generateAuthUrl({
// 'online' (default) or 'offline' (gets refresh_token)
access_type: 'offline',
/** Pass in the scopes array defined above.
* Alternatively, if only one scope is needed, you can pass a scope URL as a string */
scope: scopes,
// Enable incremental authorization. Recommended as a best practice.
include_granted_scopes: true
});
After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.
Access tokens expire. This library will automatically use a refresh token to obtain a new access
token if it is about to expire. An easy way to make sure you always store the most recent tokens
is to use the tokens event:
oauth2Client.on('tokens', (tokens) => {
if (tokens.refresh_token) {
// store the refresh_token in your secure persistent database
console.log(tokens.refresh_token);
}
console.log(tokens.access_token);
});
This tokens event only occurs in the first authorization, and you need to have set your
access_type to offline when calling the generateAuthUrl
method to receive the refresh token. If you have already given your app the requisiste permissions
without setting the appropriate constraints for receiving a refresh token, you will need to
re-authorize the application to receive a fresh refresh token.
To set the refresh_token at a later time, you can use the setCredentials method:
oauth2Client.setCredentials({
refresh_token: `STORED_REFRESH_TOKEN`
});
Once the client has a refresh token, access tokens will be acquired and refreshed automatically
in the next call to the API.
To refresh an access token, your application sends an HTTPS POST
request to Google's authorization server (https://oauth2.googleapis.com/token) that
includes the following parameters:
Fields
client_id
The client ID obtained from the API Console.
client_secret
The client secret obtained from the API Console.
grant_type
As
defined in the
OAuth 2.0 specification,
this field's value must be set to refresh_token.
refresh_token
The refresh token returned from the authorization code exchange.
The following snippet shows a sample request:
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencodedclient_id=your_client_id&
client_secret=your_client_secret&
refresh_token=refresh_token&
grant_type=refresh_token
As long as the user has not revoked the access granted to the application, the token server
returns a JSON object that contains a new access token. The following snippet shows a sample
response:
{
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in": 3920,
"scope": "https://www.googleapis.com/auth/drive.metadata.readonly",
"token_type": "Bearer"
}
Note that there are limits on the number of refresh tokens that will be issued; one limit per
client/user combination, and another per user across all clients. You should save refresh tokens
in long-term storage and continue to use them as long as they remain valid. If your application
requests too many refresh tokens, it may run into these limits, in which case older refresh tokens
will stop working.
In some cases a user may wish to revoke access given to an application. A user can revoke access
by visiting
Account Settings. See the
Remove
site or app access section of the Third-party sites & apps with access to your account
support document for more information.
It is also possible for an application to programmatically revoke the access given to it.
Programmatic revocation is important in instances where a user unsubscribes, removes an
application, or the API resources required by an app have significantly changed. In other words,
part of the removal process can include an API request to ensure the permissions previously
granted to the application are removed.
PHP
Note: Following a successful revocation response, it might take someTo programmatically revoke a token, call revokeToken():
Python
$client->revokeToken();
To programmatically revoke a token, make a request to
https://oauth2.googleapis.com/revoke that includes the token as a parameter and sets the
Content-Type header:
Ruby
requests.post('https://oauth2.googleapis.com/revoke',
params={'token': credentials.token},
headers = {'content-type': 'application/x-www-form-urlencoded'})
To programmatically revoke a token, make an HTTP request to the oauth2.revoke
endpoint:
uri = URI('https://oauth2.googleapis.com/revoke')
response = Net::HTTP.post_form(uri, 'token' => auth_client.access_token)
The token can be an access token or a refresh token. If the token is an access token and it has
a corresponding refresh token, the refresh token will also be revoked.
If the revocation is successfully processed, then the status code of the response is
200. For error conditions, a status code 400 is returned along with an
error code.
To programmatically revoke a token, make an HTTPS POST request to /revoke
endpoint:
const https = require('https');// Build the string for the POST request
let postData = "token=" + userCredential.access_token;// Options for POST request to Google's OAuth 2.0 server to revoke a token
let postOptions = {
host: 'oauth2.googleapis.com',
port: '443',
path: '/revoke',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': Buffer.byteLength(postData)
}
};// Set up the request
const postReq = https.request(postOptions, function (res) {
res.setEncoding('utf8');
res.on('data', d => {
console.log('Response: ' + d);
});
});postReq.on('error', error => {
console.log(error)
});// Post the request with data
postReq.write(postData);
postReq.end();
The token parameter can be an access token or a refresh token. If the token is an access token and it has
a corresponding refresh token, the refresh token will also be revoked.
If the revocation is successfully processed, then the status code of the response is
200. For error conditions, a status code 400 is returned along with an
error code.
To programmatically revoke a token, your application makes a request to
https://oauth2.googleapis.com/revoke and includes the token as a parameter:
curl -d -X -POST --header "Content-type:application/x-www-form-urlencoded" \
https://oauth2.googleapis.com/revoke?token={token}
The token can be an access token or a refresh token. If the token is an access token and it has a
corresponding refresh token, the refresh token will also be revoked.
If the revocation is successfully processed, then the HTTP status code of the response is
200. For error conditions, an HTTP status code 400 is returned along
with an error code.
time before the revocation has full effect.
Implementing Cross-Account Protection
An additional step you should take to protect your users' accounts is implementing Cross-Account
Protection by utilizing Google's Cross-Account Protection Service. This service lets you
subscribe to security event notifications which provide information to your application about
major changes to the user account. You can then use the information to take action depending on
how you decide to respond to events.
Some examples of the event types sent to your app by Google's Cross-Account Protection Service are:
https://schemas.openid.net/secevent/risc/event-type/sessions-revokedhttps://schemas.openid.net/secevent/oauth/event-type/token-revokedhttps://schemas.openid.net/secevent/risc/event-type/account-disabled
See the
Protect user accounts with Cross-Account Protection page
for more information on how to implement Cross Account Protection and for the full list of available events.
... <看更多>
instagram useragent mismatch 在 Add your data source | Pinterest Business help 的推薦與評價
Error code Error message Error type
100 Your data source cannot be accessed File‑level failure
102 Your data source contains formatting errors File‑level failure
104 Some image links are formatted incorrectly Row‑level failure ... <看更多>
instagram useragent mismatch 在 How to figure out an Instagram username from the user id 的推薦與評價
... <看更多>
相關內容