Accessing user data in a application using google api on an embedded device without a browser

Question

So, Here is what I understand about how Google Oauth2 works.

1. Every application or a website (client) needs to register its project and get a client_id and a client secret.

2. The client_id and a redirect uri are used by the client to make an authorization request to the auth url on behalf of the user who is logged in.

3. When this happens, there is a pop-up and the user(resource owner) is prompted to allow or deny access to the user's protected resource for the client.

4. If the user accepts then the user is redirected to the redirect uri from where the client or the application can get the authorization code.

5. This authorization code is further exchanged for an access token from the OAUTH URL. This access token is later used in the Api calls the client make.

The problem is with the step 3. I am not running a web app or a website. Rather an application that can make curl function calls. Step 4 and step 5 are doable but, How do I bypass the step 3 as I don't have browser capabilities? Is it even possible?

Also can someone please tell how an android app does it? Because even the android app shouldn't have an inbuilt browser. Thanks in advance

Answer 1

We have the OAuth2 for Devices flow to take care of the problem you are trying to solve See this

The user can authorize the app from a different device that has a web broswer.

Answer 2

1. Every application or a website (client) needs to register its project and get a client_id and a client secret.

Correction / clarification: Any application that wishes to access private Google data must first be registered on Google Developer console. If the data to be accessed is public then a API key can be used. If the data is private then either Oauth2 credentials must be created or service account credentials.

Oauth2 credentials allow a user to grant an application access to a portion of their data (Denoted by scope) the application is identified by the client id and client secret.

Service accounts would allow for preauthorized access to private data normally owned by the developer working on the application. They do not popup the request for user authentication. Please see my article on this Google Developer console service account I don't want to go into service accounts here as you appear to be concerned with Oauth2.

2 . The client_id and a redirect uri are used by the client to make an authorization request to the auth url on behalf of the user who is logged in.

Correction / clarification: The first step in the Oauth2 dance is to request access from the user. This is done via a web page.

https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code

Redirect uri is used to tell the authentication server where to return the authorization code to. In the event this is a web page application it would be the full location to a webpage capable of handling the next steps in the process. As you can see I have not put a web page in. This is in sense localhost. It tells the authentication server to just return the code to where ever it was I just sent my request from. It is used in windows applications and probably android although I am not an android programmer so I am not sure its just an educated guess.

4.If the user accepts then the user is redirected to the redirect uri from where the client or the application can get the authorization code.

Correction / clarification: Its probably your code that's redirecting you. I don't think its the server redirecting you but I may be wrong. The authentication server can send the code were ever you want it would be up to the developer to redirect the user someplace after the exchange.

5.This authorization code is further exchanged for an access token from the OAUTH URL. This access token is later used in the Api calls the client make.

Correction / clarification: access token is only good for an hour and you might also get a refresh token back which can be used to get a new access token.

Addressing your problems

The problem is with the step 3. I am not running a web app or a website. Rather an application that can make curl function calls. Step 4 and step 5 are doable but, How do I bypass the step 3 as I don't have browser capabilities? Is it even possible?

This is going to depend upon which api you are going for and whos data this is. If this is data owned by your users then request access from them save the refresh token and then when you need to access it again in your curl script you can just get a new access token and you have access. Its only the initial authorization you need to bother your users with.

Second option if this is your data that you personally have access to you may be able to user a service account. Service accounts are like dummy users you can preauthorize their access. I could create a service account add it as a user on a folder in my google drive and it would then be able to read and write to my google drive with out that popup window.

Also can someone please tell how an android app does it? Because even the android app shouldn't have an inbuilt browser. Thanks in advance

I am not an android developer I think part of it is magic in the Android SDK the credentials you get for android apps are even different. Cant really help with this one.