
Scripts to obtain Google OAuth bearer token for use with curl

From: Ray Satiro via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 13 Jan 2023 03:14:06 -0500

I've started a new project [1] that uses curl, jq and perl to request
and refresh OAuth bearer tokens from Google. I think this project will
be useful for users of curl and libcurl that can no longer access their
Google account through Google's now banned "less secure apps" access (ie
username/password).

I did not find the process of obtaining Google OAuth tokens easy at all,
and many of the existing scripts on the internet that retrieved a Google
bearer token for curl use stopped working in 2022 when Google ended
their deprecated "out of band" authorization procedure.

The project's README has a quick start and also explains each file.
Here's a brief explanation of the three notable files:

credential.txt contains credential information from your Google cloud
project. If you don't have a Google cloud project you'll have to create
one as described in the README. You'll need to set client_id,
client_secret and scope of access (eg you want to request a token that
can access your gmail [2]).

bearer-new.pl gets new token info from Google after completing the
required interactive authorization procedure, which must be done in the
browser. The script launches the authorization page (eg Google asks do
you allow your cloud app to access your gmail?) and receives the
authorization result code from Google.

bearer-refresh.pl refreshes an expired or about to expire bearer token.
This script is not interactive. Google's bearer tokens are ephemeral and
will expire, usually within an hour. From what I've observed when the
token info is refreshed Google responds with a different bearer token.
In other words, Google will not extend the expiration of an existing
bearer token; it just generates a new one.

When valid token information is received by either script then the
bearer token is formatted as curl configuration option --oauth2-bearer
<token> [3] and written to bearer.cfg. You can access Google's REST API
using curl like this:

./bearer-refresh.pl --quiet && \
curl -sS -K bearer.cfg \
  https://www.googleapis.com/gmail/v1/users/me/labels/INBOX | \
  jq .messagesUnread

I wrote and tested the scripts in Windows and haven't tried them
elsewhere. For Linux I have the bearer-new script call xdg-home to
launch the Google URL that requires interactive consent, but I'm not
sure if that is going to work asynchronously the way I expect.

Though I wrote the scripts to generate a Google bearer token (OAuth 2.0
access_token) formatted as a curl option, you can extract the token from
token.json or bearer.cfg and use it with any application that supports
bearer tokens.

I haven't written a revocation script yet, so if you need to revoke
token info (lost, stolen etc) you'd have to 'remove access' entirely of
the cloud app in your Google account's third-party apps list [4].


[1]: https://github.com/jay/curl_google_oauth
[2]: https://developers.google.com/identity/protocols/oauth2/scopes#gmail
[3]: https://curl.se/docs/manpage.html#--oauth2-bearer
[4]: https://myaccount.google.com/permissions

Received on 2023-01-13
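
The refresh-then-write step described in the mail, as an added example that is not code from the post or from the curl_google_oauth project: it decides whether a token is close to expiry, rejects a token value that could add extra options to a curl -K file, and writes bearer.cfg owner-only. It assumes the standard OAuth 2.0 token response fields (access_token, expires_in, token_type); the function names, the obtained_at parameter and the sample token are hypothetical.

```python
import json, os, re, tempfile, time

# RFC 6750 b64token: the only characters a bearer token may contain.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

def needs_refresh(token_info, obtained_at, now, margin=300):
    """True when the token expires within `margin` seconds of `now`."""
    return now >= obtained_at + int(token_info["expires_in"]) - margin

def bearer_config_line(token_info):
    """Return the curl config line, rejecting anything that is not a b64token."""
    token = token_info.get("access_token", "")
    if token_info.get("token_type", "").lower() != "bearer":
        raise ValueError("not a bearer token")
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not B64TOKEN.fullmatch(token):
        # A newline or quote here would add extra options to the -K file.
        raise ValueError("access_token has characters outside b64token")
    return "--oauth2-bearer " + token + "\n"

def write_bearer_cfg(path, token_info):
    """Write the config owner-only and swap it into place atomically."""
    line = bearer_config_line(token_info)
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600 on POSIX systems.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".bearer-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(line)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return line

# Constructed sample response; the token value is a placeholder, not a real one.
SAMPLE = json.loads('{"access_token": "EXAMPLE.placeholder-token_0123", '
                    '"expires_in": 3599, "token_type": "Bearer"}')

if __name__ == "__main__":
    obtained = time.time() - 3400  # pretend it was issued about 57 minutes ago
    print("refresh needed:", needs_refresh(SAMPLE, obtained, time.time()))
    print(write_bearer_cfg("bearer.cfg", SAMPLE), end="")
```

Passing the token through a -K file rather than on the command line keeps it out of the process list, which is why the file's permissions matter.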