← Home

Google OAuth token CLI tool

I’ve been setting up some APIs to use Google Authentication as the identity provider. The API needs to know the user’s identity (well, just their email address), and that’s it.

This requires getting a JWT out of Google’s identity system. First, you have to set up an OAuth 2.0 client ID in the Google Cloud Console, and get the client ID and client secret out. [0]

From the view credentials screen, create a new OAuth Client ID.

When I’m a bit further along with the project, I’ll make a web-based UI, but for now, I’m just trying to test the API surface, so I created a “Desktop App”.

With this in place, I needed a way to get an authentication token out of the Google system so that I can send it to my APIs, so I wrote a CLI tool in Go to pop open the Google Authentication screen to do it.

It starts a local web server, and initiates the OAuth authentication on the Web:

The Google domain is instructed to redirect back to the locally running Web server after authentication.

Once that’s done, the token is exchanged and the tokens (Access Token, ID Token) are printed to the console.

% sh ./start.sh
Opening auth URL: https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2FCallback&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=de380ddc-f159-4c4c-b8a4-xxxxxxxxxxxxx

Access Token: Bearer ya29.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Authorization: xxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxx

The code is over at [1]

Run it with:

go run main.go -clientID=xxx-yyy.apps.googleusercontent.com -clientSecret=zzzzzzzzzzzzzzzz