Sunday, April 10, 2022

[SOLVED] How to authorize a curl script to Google Oauth after OAuth out-of-band (oob) flow is deprecated?

Issue

I have a curl script GoogleAuthenticationCurl.sh which I have been using for around ten years to request information from Google's different Google APIs.

This script uses installed application credentials to build the consent screen for Google's OAuth server. I copy the link and it shows the consent screen.

# Authorization link.  Place this in a browser and copy the code that is returned after you accept the scopes.
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code

Google recently made a change which deprecated the redirect URI of urn:ietf:wg:oauth:2.0:oob.

If I use the link I used to use, I get the following:

[image]

Google wants us to use redirect_uri=http://127.0.0.1:port or http://[::1]:port instead of urn:ietf:wg:oauth:2.0:oob.

So I changed my link to the following and placed it in a web browser

https://accounts.google.com/o/oauth2/auth?client_id=[ClientId]&redirect_uri=http://127.0.0.1b&scope=profile&response_type=code

All went well in the beginning: I was able to see the consent screen again and consent to authorization. But instead of getting an authorization code returned, I got

[image]

This is due to the fact that I am not running a webpage; I am just trying to authorize a curl script.

Is there any way to get my curl script to respond to this request, or has Google completely removed the ability to authorize a curl script now?


Solution

Deprecation

Google has deprecated the OOB flow, and so the redirect URL urn:ietf:wg:oauth:2.0:oob has been removed since Feb 28, 2022. It is an unsafe feature for clients that cannot listen on an HTTP port.

Migration

You need to migrate to another flow. This does not necessarily mean you cannot use curl. But somehow, you need to be able to receive the redirect call with the necessary code.

Possible fix

  • Use the redirect URL http://127.0.0.1 (notice the removed b at the end).
  • After the consent screen, check the URL; you will probably find the code there: http://127.0.0.1/?code=COPY_THIS_CODE.
  • Run the curl call to request the authorization codes.

Postscript

Postman could be interesting.



Answered By - Ron van der Heijden
Answer Checked By - David Goodson (WPSolving Volunteer)
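
The "receive the redirect call" step from the Migration section can be automated with a short-lived loopback listener instead of copying the code out of the address bar. This is an added example, not part of the original answer: the function names, the OS-chosen port and the `state` check are assumptions of this sketch, and it assumes the OAuth client accepts a loopback redirect on any port.

```python
import secrets
import time
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"  # endpoint from the question

class _Callback(BaseHTTPRequestHandler):
    timeout = 5  # drop clients that connect but never send a request

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        code = query.get("code", [""])[0]
        state = query.get("state", [""])[0].encode()
        # Accept the code only if the redirect echoes the state we generated.
        ok = bool(code) and secrets.compare_digest(state, self.server.expected_state.encode())
        if ok:
            self.server.auth_code = code
        self.send_response(200 if ok else 400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Code received, close this tab." if ok else b"Rejected.")

    def log_message(self, *args):
        pass  # do not write the request line (which contains the code) to stderr

def start_listener(client_id, scope):
    """Bind to loopback only, on an OS-chosen port; return (server, consent_url)."""
    server = HTTPServer(("127.0.0.1", 0), _Callback)
    server.expected_state, server.auth_code = secrets.token_urlsafe(16), None
    params = {"client_id": client_id, "scope": scope, "response_type": "code",
              "redirect_uri": "http://127.0.0.1:%d" % server.server_port,
              "state": server.expected_state}
    return server, AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)

def wait_for_code(server, timeout=300):
    """Handle requests until a valid redirect arrives or the timeout expires."""
    deadline = time.monotonic() + timeout
    try:
        while server.auth_code is None and time.monotonic() < deadline:
            server.timeout = max(0.1, deadline - time.monotonic())
            server.handle_request()
    finally:
        server.server_close()
    return server.auth_code

if __name__ == "__main__":
    srv, url = start_listener("[ClientId]", "profile")  # placeholder client id
    print("Open in a browser:\n" + url)
    print("code:", wait_for_code(srv))
```

The returned value is already URL-decoded, so pass it to the existing curl token request with `--data-urlencode` rather than pasting it raw.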