關於 flow together中文 ，我們在網路上蒐集到這些相關的討論、資訊與評價

To run the PHP code samples in this document, you'll need:

The Google APIs Client Library for PHP:

 composer require google/apiclient:^2.15.0

See Google APIs Client Library for
PHP for more information.

To run the Python code samples in this document, you'll need:

 pip install --upgrade google-api-python-client

 pip install --upgrade google-auth google-auth-oauthlib google-auth-httplib2

 pip install --upgrade flask

 pip install --upgrade requests

Review the Google API Python client library
release note
if you aren't able to upgrade python and associated migration guide.

To run the Ruby code samples in this document, you'll need:

The Google Auth Library for Ruby:

 gem install googleauth

The Sinatra Ruby web application framework.

 gem install sinatra

To run the Node.js code samples in this document, you'll need:

The Google APIs Node.js Client:

npm install googleapis crypto express express-session

You do not need to install any libraries to be able to directly call the OAuth 2.0
endpoints.

The following code snippet creates a Google\Client() object, which defines the
parameters in the authorization request.

That object uses information from your client_secret.json file to identify your
application. (See creating authorization credentials for more about
that file.) The object also identifies the scopes that your application is requesting permission
to access and the URL to your application's auth endpoint, which will handle the response from
Google's OAuth 2.0 server. Finally, the code sets the optional access_type and
include_granted_scopes parameters.

For example, this code requests offline access to manage a user's YouTube
account:

use Google\Client;$client = new Client();// Required, call the setAuthConfig function to load authorization credentials from
 // client_secret.json file.
 $client->setAuthConfig('client_secret.json');// Required, to set the scope value, call the addScope function
 $client->addScope(GOOGLE_SERVICE_YOUTUBE::YOUTUBE_FORCE_SSL);// Required, call the setRedirectUri function to specify a valid redirect URI for the
 // provided client_id
 $client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');// Recommended, offline access will give you both an access and refresh token so that
 // your app can refresh the access token without user interaction.
 $client->setAccessType('offline');// Recommended, call the setState function. Using a state value can increase your assurance that
 // an incoming connection is the result of an authentication request.
 $client->setState($sample_passthrough_value);// Optional, if your application knows which user is trying to authenticate, it can use this
 // parameter to provide a hint to the Google Authentication Server.
 $client->setLoginHint('hint@example.com');// Optional, call the setPrompt function to set "consent" will prompt the user for consent
 $client->setPrompt('consent');// Optional, call the setIncludeGrantedScopes function with true to enable incremental
 // authorization
 $client->setIncludeGrantedScopes(true);

The following code snippet uses the google-auth-oauthlib.flow module to construct
the authorization request.

The code constructs a Flow object, which identifies your application using
information from the client_secret.json file that you downloaded after
creating authorization credentials. That object also identifies the
scopes that your application is requesting permission to access and the URL to your application's
auth endpoint, which will handle the response from Google's OAuth 2.0 server. Finally, the code
sets the optional access_type and include_granted_scopes parameters.

For example, this code requests offline access to manage a user's YouTube
account:

import google.oauth2.credentials
 import google_auth_oauthlib.flow# Required, call the from_client_secrets_file method to retrieve the client ID from a
 # client_secret.json file. The client ID (from that file) and access scopes are required. (You can
 # also use the from_client_config method, which passes the client configuration as it originally
 # appeared in a client secrets file but doesn't access the file itself.)
 flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file('client_secret.json',
     scopes=['https://www.googleapis.com/auth/youtube.force-ssl'])# Required, indicate where the API server will redirect the user after the user completes
 # the authorization flow. The redirect URI is required. The value must exactly
 # match one of the authorized redirect URIs for the OAuth 2.0 client, which you
 # configured in the API Console. If this value doesn't match an authorized URI,
 # you will get a 'redirect_uri_mismatch' error.
 flow.redirect_uri = 'https://www.example.com/oauth2callback'# Generate URL for request to Google's OAuth 2.0 server.
 # Use kwargs to set optional request parameters.
 authorization_url, state = flow.authorization_url(
     # Recommended, enable offline access so that you can refresh an access token without
     # re-prompting the user for permission. Recommended for web server apps.
     access_type='offline',
     # Optional, enable incremental authorization. Recommended as a best practice.
     include_granted_scopes='true',
     # Optional, if your application knows which user is trying to authenticate, it can use this
     # parameter to provide a hint to the Google Authentication Server.
     login_hint='hint@example.com',
     # Optional, set prompt to 'consent' will prompt the user for consent
     prompt='consent')

Use the client_secrets.json file that you created to configure a client object in your
application. When you configure a client object, you specify the scopes your application needs to
access, along with the URL to your application's auth endpoint, which will handle the response
from the OAuth 2.0 server.

For example, this code requests offline access to manage a user's YouTube
account:

require 'googleauth'
 require 'googleauth/web_user_authorizer'
 require 'googleauth/stores/redis_token_store'require 'google/apis/youtube_v3'# Required, call the from_file method to retrieve the client ID from a
 # client_secret.json file.
 client_id = Google::Auth::ClientId.from_file('/path/to/client_secret.json')# Required, scope value 
 scope = 'https://www.googleapis.com/auth/youtube.force-ssl'# Required, Authorizers require a storage instance to manage long term persistence of
 # access and refresh tokens.
 token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)# Required, indicate where the API server will redirect the user after the user completes
 # the authorization flow. The redirect URI is required. The value must exactly
 # match one of the authorized redirect URIs for the OAuth 2.0 client, which you
 # configured in the API Console. If this value doesn't match an authorized URI,
 # you will get a 'redirect_uri_mismatch' error.
 callback_uri = '/oauth2callback'# To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI
 # from the client_secret.json file. To get these credentials for your application, visit
 # https://console.cloud.google.com/apis/credentials.
 authorizer = Google::Auth::WebUserAuthorizer.new(client_id, scope,
                                                 token_store, callback_uri)

Your application uses the client object to perform OAuth 2.0 operations, such as generating
authorization request URLs and applying access tokens to HTTP requests.

The following code snippet creates a google.auth.OAuth2 object, which defines the
parameters in the authorization request.

That object uses information from your client_secret.json file to identify your application. To
ask for permissions from a user to retrieve an access token, you redirect them to a consent page.
To create a consent page URL:

const {google} = require('googleapis');
 const crypto = require('crypto');
 const express = require('express');
 const session = require('express-session');/**
  * To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI
  * from the client_secret.json file. To get these credentials for your application, visit
  * https://console.cloud.google.com/apis/credentials.
  */
 const oauth2Client = new google.auth.OAuth2(
   YOUR_CLIENT_ID,
   YOUR_CLIENT_SECRET,
   YOUR_REDIRECT_URL
 );// Access scopes for YouTube API
 const scopes = [
   'https://www.googleapis.com/auth/youtube.force-ssl'
 ];// Generate a secure random state value.
 const state = crypto.randomBytes(32).toString('hex');// Store state in the session
 req.session.state = state;// Generate a url that asks permissions for the Drive activity and Google Calendar scope
 const authorizationUrl = oauth2Client.generateAuthUrl({
   // 'online' (default) or 'offline' (gets refresh_token)
   access_type: 'offline',
   /** Pass in the scopes array defined above.
     * Alternatively, if only one scope is needed, you can pass a scope URL as a string */
   scope: scopes,
   // Enable incremental authorization. Recommended as a best practice.
   include_granted_scopes: true,
   // Include the state parameter to reduce the risk of CSRF attacks.
   state: state
 });

Important Note - The refresh_token is only returned on the first
authorization. More details

here.

Google's OAuth 2.0 endpoint is at https://accounts.google.com/o/oauth2/v2/auth. This
endpoint is accessible only over HTTPS. Plain HTTP connections are refused.

$auth_url = $client->createAuthUrl();

header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));

This example shows how to redirect the user to the authorization URL using the Flask web
application framework:

return flask.redirect(authorization_url)

auth_uri = authorizer.get_authorization_url(request: request)

res.redirect(authorizationUrl);

The sample URL below requests offline access
(access_type=offline) to a scope that permits access to view
the user's YouTube account. It uses incremental authorization to ensure that
the new access token covers any scopes to which the user previously granted
the application access. The URL also sets values for the required
redirect_uri, response_type, and
client_id parameters as well as for the state
parameter. The URL contains line breaks and spaces for readability.

 https://accounts.google.com/o/oauth2/v2/auth?
  scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&
  access_type=offline&
  include_granted_scopes=true&
  state=state_parameter_passthrough_value&
  redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
  response_type=code&
  client_id=client_id

After you create the request URL, redirect the user to it.

To exchange an authorization code for an access token, use the
fetchAccessTokenWithAuthCode method:

$access_token = $client->fetchAccessTokenWithAuthCode($_GET['code']);

On your callback page, use the google-auth library to verify the authorization
server response. Then, use the flow.fetch_token method to exchange the authorization
code in that response for an access token:

state = flask.session['state']
 flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
     'client_secret.json',
     scopes=['https://www.googleapis.com/auth/youtube.force-ssl'],
     state=state)
 flow.redirect_uri = flask.url_for('oauth2callback', _external=True)authorization_response = flask.request.url
 flow.fetch_token(authorization_response=authorization_response)# Store the credentials in the session.
 # ACTION ITEM for developers:
 #     Store user's access and refresh tokens in your data store if
 #     incorporating this code into your real app.
 credentials = flow.credentials
 flask.session['credentials'] = {
     'token': credentials.token,
     'refresh_token': credentials.refresh_token,
     'token_uri': credentials.token_uri,
     'client_id': credentials.client_id,
     'client_secret': credentials.client_secret,
     'granted_scopes': credentials.granted_scopes}

On your callback page, use the googleauth library to verify the authorization server
response. Use the authorizer.handle_auth_callback_deferred method to save the
authorization code and redirect back to the URL that originally requested authorization. This
defers the exchange of the code by temporarily stashing the results in the user's session.

  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)
   redirect target_url

To exchange an authorization code for an access token, use the getToken
method:

const url = require('url');// Receive the callback from Google's OAuth 2.0 server.
 app.get('/oauth2callback', async (req, res) => {
   let q = url.parse(req.url, true).query;  if (q.error) { // An error response e.g. error=access_denied
     console.log('Error:' + q.error);
   } else if (q.state !== req.session.state) { //check state value
     console.log('State mismatch. Possible CSRF attack');
     res.end('State mismatch. Possible CSRF attack');
   } else { // Get access and refresh tokens (if access_type is offline)    let { tokens } = await oauth2Client.getToken(q.code);
     oauth2Client.setCredentials(tokens);
 });

To exchange an authorization code for an access token, call the
https://oauth2.googleapis.com/token endpoint and set the following parameters:

The following snippet shows a sample request:

POST /token HTTP/1.1
 Host: oauth2.googleapis.com
 Content-Type: application/x-www-form-urlencodedcode=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
 client_id=your_client_id&
 client_secret=your_client_secret&
 redirect_uri=https%3A//oauth2.example.com/code&
 grant_type=authorization_code

Google responds to this request by returning a JSON object that contains a short-lived access
token and a refresh token. Note that the refresh token is only returned if your application set the access_type
parameter to offline in the initial request to Google's
authorization server.

The response contains the following fields:

The following snippet shows a sample response:

{
   "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
   "expires_in": 3920,
   "token_type": "Bearer",
   "scope": "https://www.googleapis.com/auth/youtube.force-ssl",
   "refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
 }

To check which scopes the user has granted, use the getGrantedScope() method:

// Space-separated string of granted scopes if it exists, otherwise null.
 $granted_scopes = $client->getOAuth2Service()->getGrantedScope();

The returned credentials object has a granted_scopes property,
which is a list of scopes the user has granted to your app.

credentials = flow.credentials
 flask.session['credentials'] = {
     'token': credentials.token,
     'refresh_token': credentials.refresh_token,
     'token_uri': credentials.token_uri,
     'client_id': credentials.client_id,
     'client_secret': credentials.client_secret,
     'granted_scopes': credentials.granted_scopes}

When requesting multiple scopes at once, check which scopes were granted through
the scope property of the credentials object.

# User authorized the request. Now, check which scopes were granted.
 if credentials.scope.include?(Google::Apis::YoutubeV3::AUTH_YOUTUBE_FORCE_SSL)
   # User authorized permission to see, edit, and permanently delete the
   # YouTube videos, ratings, comments and captions.
   # Calling the APIs, etc
 else
   # User didn't authorize the permission.
   # Update UX and application accordingly
 end

When requesting multiple scopes at once, check which scopes were granted through
the scope property of the tokens object.

// User authorized the request. Now, check which scopes were granted.
 if (tokens.scope.includes('https://www.googleapis.com/auth/youtube.force-ssl'))
 {
   // User authorized permission to see, edit, and permanently delete the
   // YouTube videos, ratings, comments and captions.
   // Calling the APIs, etc.
 }
 else
 {
   // User didn't authorize read-only Drive activity permission.
   // Update UX and application accordingly
 }

To check whether the user has granted your application access to a particular scope,
exam the scope field in the access token response. The scopes of access granted by
the access_token expressed as a list of space-delimited, case-sensitive strings.

For example, the following sample access token response indicates that the user has granted your
application permission to see, edit, and permanently delete user's YouTube videos, ratings,
comments and captions:

  {
     "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
     "expires_in": 3920,
     "token_type": "Bearer",
     "scope": "https://www.googleapis.com/auth/youtube.force-ssl",
     "refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
   }

Use the access token to call Google APIs by completing the following steps:

$client->setAccessToken($access_token);

$youtube = new Google_Service_YouTube($client);

$channel = $youtube->channels->listChannels('snippet', array('mine' => $mine));

After obtaining an access token, your application can use that token to authorize API requests on
behalf of a given user account or service account. Use the user-specific authorization credentials
to build a service object for the API that you want to call, and then use that object to make
authorized API requests.

from googleapiclient.discovery import buildyoutube = build('youtube', 'v3', credentials=credentials)

channel = youtube.channels().list(mine=True, part='snippet').execute()

After obtaining an access token, your application can use that token to make API requests on
behalf of a given user account or service account. Use the user-specific authorization credentials
to build a service object for the API that you want to call, and then use that object to make
authorized API requests.

youtube = Google::Apis::YoutubeV3::YouTubeService.new

youtube.authorization = credentials

channel = youtube.list_channels(part, :mine => mine)

Alternately, authorization can be provided on a per-method basis by supplying the
options parameter to a method:

channel = youtube.list_channels(part, :mine => mine, options: { authorization: auth_client })

After obtaining an access token and setting it to the OAuth2 object, use the object
to call Google APIs. Your application can use that token to authorize API requests on behalf of
a given user account or service account. Build a service object for the API that you want to call.
For example, the following code uses the Google Drive API to list filenames in the user's Drive.

const { google } = require('googleapis');// Example of using YouTube API to list channels.
 var service = google.youtube('v3');
 service.channels.list({
   auth: oauth2Client,
   part: 'snippet,contentDetails,statistics',
   forUsername: 'GoogleDevelopers'
 }, function (err, response) {
   if (err) {
     console.log('The API returned an error: ' + err);
     return;
   }
   var channels = response.data.items;
   if (channels.length == 0) {
     console.log('No channel found.');
   } else {
     console.log('This channel\'s ID is %s. Its title is \'%s\', and ' +
       'it has %s views.',
       channels[0].id,
       channels[0].snippet.title,
       channels[0].statistics.viewCount);
   }
 });

After your application obtains an access token, you can use the token to make calls to a Google
API on behalf of a given
user account if the scope(s) of access required by the API have been granted. To do this, include
the access token in a request to the API by including either an access_token query
parameter or an Authorization HTTP header Bearer value. When possible,
the HTTP header is preferable, because query strings tend to be visible in server logs. In most
cases you can use a client library to set up your calls to Google APIs (for example, when
calling the YouTube Data API).

Note that the YouTube Data API supports service accounts only for YouTube
content owners that own and manage multiple YouTube channels, such as record
labels and movie studios.

You can try out all the Google APIs and view their scopes at the
OAuth 2.0 Playground.

A call to the

youtube.channels
endpoint (the YouTube Data API) using the Authorization: Bearer HTTP
header might look like the following. Note that you need to specify your own access token:

 GET /youtube/v3/channels?part=snippet&mine=true HTTP/1.1
 Host: www.googleapis.com
 Authorization: Bearer access_token

Here is a call to the same API for the authenticated user using the access_token
query string parameter:

 GET https://www.googleapis.com/youtube/v3/channels?access_token=access_token&part=snippet&mine=true

You can test these commands with the curl command-line application. Here's an
example that uses the HTTP header option (preferred):

 curl -H "Authorization: Bearer access_token" https://www.googleapis.com/youtube/v3/channels?part=snippet&mine=true

Or, alternatively, the query string parameter option:

 curl https://www.googleapis.com/youtube/v3/channels?access_token=access_token&part=snippet&mine=true

To run this example:

 mkdir ~/php-oauth2-example
 cd ~/php-oauth2-example

 composer require google/apiclient:^2.15.0

 php -S localhost:8080 ~/php-oauth2-example

<?php
 require_once __DIR__.'/vendor/autoload.php';session_start();$client = new Google\Client();
 $client->setAuthConfig('client_secret.json');// User granted permission as an access token is in the session.
 if (isset($_SESSION['access_token']) && $_SESSION['access_token'])
 {
   $client->setAccessToken($_SESSION['access_token']);
   
   $youtube = new Google_Service_YouTube($client);
   $channel = $youtube->channels->listChannels('snippet', array('mine' => $mine));
   echo json_encode($channel);
   
 }
 else
 {
   // Redirect users to outh2call.php which redirects users to Google OAuth 2.0
   $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php';
   header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
 }
 ?>

<?php
 require_once __DIR__.'/vendor/autoload.php';session_start();$client = new Google\Client();// Required, call the setAuthConfig function to load authorization credentials from
 // client_secret.json file.
 $client->setAuthConfigFile('client_secret.json');
 $client->setRedirectUri('http://' . $_SERVER['HTTP_HOST']. $_SERVER['PHP_SELF']);// Required, to set the scope value, call the addScope function.
 $client->addScope(GOOGLE_SERVICE_YOUTUBE::YOUTUBE_FORCE_SSL);// Enable incremental authorization. Recommended as a best practice.
 $client->setIncludeGrantedScopes(true);// Recommended, offline access will give you both an access and refresh token so that
 // your app can refresh the access token without user interaction.
 $client->setAccessType("offline");// Generate a URL for authorization as it doesn't contain code and error
 if (!isset($_GET['code']) && !isset($_GET['error']))
 {
   // Generate and set state value
   $state = bin2hex(random_bytes(16));
   $client->setState($state);
   $_SESSION['state'] = $state;  // Generate a url that asks permissions.
   $auth_url = $client->createAuthUrl();
   header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
 }// User authorized the request and authorization code is returned to exchange access and
 // refresh tokens.
 if (isset($_GET['code']))
 {
   // Check the state value
   if (!isset($_GET['state']) || $_GET['state'] !== $_SESSION['state']) {
     die('State mismatch. Possible CSRF attack.');
   }  // Get access and refresh tokens (if access_type is offline)
   $token = $client->fetchAccessTokenWithAuthCode($_GET['code']);  /** Save access and refresh token to the session variables.
     * ACTION ITEM: In a production app, you likely want to save the
     *              refresh token in a secure persistent storage instead. */
   $_SESSION['access_token'] = $token;
   $_SESSION['refresh_token'] = $client->getRefreshToken();
   
   $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/';
   header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
 }// An error response e.g. error=access_denied
 if (isset($_GET['error']))
 {
   echo "Error: ". $_GET['error'];
 }
 ?>

This example uses the Flask framework. It
runs a web application at http://localhost:8080 that lets you test the OAuth 2.0
flow. If you go to that URL, you should see five links:

# -*- coding: utf-8 -*-import os
 import flask
 import requestsimport google.oauth2.credentials
 import google_auth_oauthlib.flow
 import googleapiclient.discovery# This variable specifies the name of a file that contains the OAuth 2.0
 # information for this application, including its client_id and client_secret.
 CLIENT_SECRETS_FILE = "client_secret.json"# The OAuth 2.0 access scope allows for access to the
 # authenticated user's account and requires requests to use an SSL connection.
 SCOPES = ['https://www.googleapis.com/auth/youtube.force-ssl']
 API_SERVICE_NAME = 'youtube'
 API_VERSION = 'v3'app = flask.Flask(__name__)
 # Note: A secret key is included in the sample so that it works.
 # If you use this code in your application, replace this with a truly secret
 # key. See https://flask.palletsprojects.com/quickstart/#sessions.
 app.secret_key = 'REPLACE ME - this value is here as a placeholder.'@app.route('/')
 def index():
   return print_index_table()@app.route('/test')
 def test_api_request():
   if 'credentials' not in flask.session:
   return flask.redirect('authorize')  # Load credentials from the session.
   credentials = google.oauth2.credentials.Credentials(
     **flask.session['credentials'])  youtube = googleapiclient.discovery.build(
     API_SERVICE_NAME, API_VERSION, credentials=credentials)  channel = youtube.channels().list(mine=True, part='snippet').execute()  # Save credentials back to session in case access token was refreshed.
   # ACTION ITEM: In a production app, you likely want to save these
   #              credentials in a persistent database instead.
   flask.session['credentials'] = credentials_to_dict(credentials)  return flask.jsonify(**channel)
 @app.route('/authorize')
 def authorize():
   # Create flow instance to manage the OAuth 2.0 Authorization Grant Flow steps.
   flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
       CLIENT_SECRETS_FILE, scopes=SCOPES)  # The URI created here must exactly match one of the authorized redirect URIs
   # for the OAuth 2.0 client, which you configured in the API Console. If this
   # value doesn't match an authorized URI, you will get a 'redirect_uri_mismatch'
   # error.
   flow.redirect_uri = flask.url_for('oauth2callback', _external=True)  authorization_url, state = flow.authorization_url(
       # Enable offline access so that you can refresh an access token without
       # re-prompting the user for permission. Recommended for web server apps.
       access_type='offline',
       # Enable incremental authorization. Recommended as a best practice.
       include_granted_scopes='true')  # Store the state so the callback can verify the auth server response.
   flask.session['state'] = state  return flask.redirect(authorization_url)@app.route('/oauth2callback')
 def oauth2callback():
   # Specify the state when creating the flow in the callback so that it can
   # verified in the authorization server response.
   state = flask.session['state']  flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
       CLIENT_SECRETS_FILE, scopes=SCOPES, state=state)
   flow.redirect_uri = flask.url_for('oauth2callback', _external=True)  # Use the authorization server's response to fetch the OAuth 2.0 tokens.
   authorization_response = flask.request.url
   flow.fetch_token(authorization_response=authorization_response)  # Store credentials in the session.
   # ACTION ITEM: In a production app, you likely want to save these
   #              credentials in a persistent database instead.
   credentials = flow.credentials
   
   flask.session['credentials'] = credentials_to_dict(credentials)  return flask.redirect(flask.url_for('test_api_request'))
   @app.route('/revoke')
 def revoke():
   if 'credentials' not in flask.session:
     return ('You need to <a href="/authorize">authorize</a> before ' +
             'testing the code to revoke credentials.')  credentials = google.oauth2.credentials.Credentials(
     **flask.session['credentials'])  revoke = requests.post('https://oauth2.googleapis.com/revoke',
       params={'token': credentials.token},
       headers = {'content-type': 'application/x-www-form-urlencoded'})  status_code = getattr(revoke, 'status_code')
   if status_code == 200:
     return('Credentials successfully revoked.' + print_index_table())
   else:
     return('An error occurred.' + print_index_table())@app.route('/clear')
 def clear_credentials():
   if 'credentials' in flask.session:
     del flask.session['credentials']
   return ('Credentials have been cleared.<br><br>' +
           print_index_table())def credentials_to_dict(credentials):
   return {'token': credentials.token,
           'refresh_token': credentials.refresh_token,
           'token_uri': credentials.token_uri,
           'client_id': credentials.client_id,
           'client_secret': credentials.client_secret,
           'granted_scopes': credentials.granted_scopes}def print_index_table():
   return ('<table>' +
           '<tr><td><a href="/test">Test an API request</a></td>' +
           '<td>Submit an API request and see a formatted JSON response. ' +
           '    Go through the authorization flow if there are no stored ' +
           '    credentials for the user.</td></tr>' +
           '<tr><td><a href="/authorize">Test the auth flow directly</a></td>' +
           '<td>Go directly to the authorization flow. If there are stored ' +
           '    credentials, you still might not be prompted to reauthorize ' +
           '    the application.</td></tr>' +
           '<tr><td><a href="/revoke">Revoke current credentials</a></td>' +
           '<td>Revoke the access token associated with the current user ' +
           '    session. After revoking credentials, if you go to the test ' +
           '    page, you should see an <code>invalid_grant</code> error.' +
           '</td></tr>' +
           '<tr><td><a href="/clear">Clear Flask session credentials</a></td>' +
           '<td>Clear the access token currently stored in the user session. ' +
           '    After clearing the token, if you <a href="/test">test the ' +
           '    API request</a> again, you should go back to the auth flow.' +
           '</td></tr></table>')if __name__ == '__main__':
   # When running locally, disable OAuthlib's HTTPs verification.
   # ACTION ITEM for developers:
   #     When running in production *do not* leave this option enabled.
   os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'  # This disables the requested scopes and granted scopes check.
   # If users only grant partial request, the warning would not be thrown.
   os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1'  # Specify a hostname and port that are set as a valid redirect URI
   # for your API project in the Google API Console.
   app.run('localhost', 8080, debug=True)

This example uses the Sinatra framework.

require 'googleauth'
 require 'googleauth/web_user_authorizer'
 require 'googleauth/stores/redis_token_store'require 'google/apis/youtube_v3'require 'sinatra'configure do
   enable :sessions  # Required, call the from_file method to retrieve the client ID from a
   # client_secret.json file.
   set :client_id, Google::Auth::ClientId.from_file('/path/to/client_secret.json')  # Required, scope value
   # Access scopes for retrieving data about the user's YouTube channel.
   scope = 'Google::Apis::YoutubeV3::AUTH_YOUTUBE_FORCE_SSL'  # Required, Authorizers require a storage instance to manage long term persistence of
   # access and refresh tokens.
   set :token_store, Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)  # Required, indicate where the API server will redirect the user after the user completes
   # the authorization flow. The redirect URI is required. The value must exactly
   # match one of the authorized redirect URIs for the OAuth 2.0 client, which you
   # configured in the API Console. If this value doesn't match an authorized URI,
   # you will get a 'redirect_uri_mismatch' error.
   set :callback_uri, '/oauth2callback'  # To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI
   # from the client_secret.json file. To get these credentials for your application, visit
   # https://console.cloud.google.com/apis/credentials.
   set :authorizer, Google::Auth::WebUserAuthorizer.new(settings.client_id, settings.scope,
                           settings.token_store, callback_uri: settings.callback_uri)
 endget '/' do
   # NOTE: Assumes the user is already authenticated to the app
   user_id = request.session['user_id']  # Fetch stored credentials for the user from the given request session.
   # nil if none present
   credentials = settings.authorizer.get_credentials(user_id, request)  if credentials.nil?
     # Generate a url that asks the user to authorize requested scope(s).
     # Then, redirect user to the url.
     redirect settings.authorizer.get_authorization_url(request: request)
   end
   
   # User authorized read-only YouTube Data API permission.
   # Example of using YouTube Data API to list user's YouTube channel
   youtube = Google::Apis::YoutubeV3::YouTubeService.new
   channel = youtube.list_channels(part, :mine => mine, options: { authorization: auth_client })
   
   "<pre>#{JSON.pretty_generate(channel.to_h)}</pre>"
 end# Receive the callback from Google's OAuth 2.0 server.
 get '/oauth2callback' do
   # Handle the result of the oauth callback. Defers the exchange of the code by
   # temporarily stashing the results in the user's session.
   target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)
   redirect target_url
 end

To run this example:

 mkdir ~/nodejs-oauth2-example
 cd ~/nodejs-oauth2-example

npm install googleapis

node .\main.js

const http = require('http');
 const https = require('https');
 const url = require('url');
 const { google } = require('googleapis');
 const crypto = require('crypto');
 const express = require('express');
 const session = require('express-session');/**
  * To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI.
  * To get these credentials for your application, visit
  * https://console.cloud.google.com/apis/credentials.
  */
 const oauth2Client = new google.auth.OAuth2(
   YOUR_CLIENT_ID,
   YOUR_CLIENT_SECRET,
   YOUR_REDIRECT_URL
 );// Access scopes for YouTube API
 const scopes = [
   'https://www.googleapis.com/auth/youtube.force-ssl'
 ];/* Global variable that stores user credential in this code example.
  * ACTION ITEM for developers:
  *   Store user's refresh token in your data store if
  *   incorporating this code into your real app.
  *   For more information on handling refresh tokens,
  *   see https://github.com/googleapis/google-api-nodejs-client#handling-refresh-tokens
  */
 let userCredential = null;async function main() {
   const app = express();  app.use(session({
     secret: 'your_secure_secret_key', // Replace with a strong secret
     resave: false,
     saveUninitialized: false,
   }));  // Example on redirecting user to Google's OAuth 2.0 server.
   app.get('/', async (req, res) => {
     // Generate a secure random state value.
     const state = crypto.randomBytes(32).toString('hex');
     // Store state in the session
     req.session.state = state;    // Generate a url that asks permissions for the Drive activity and Google Calendar scope
     const authorizationUrl = oauth2Client.generateAuthUrl({
       // 'online' (default) or 'offline' (gets refresh_token)
       access_type: 'offline',
       /** Pass in the scopes array defined above.
         * Alternatively, if only one scope is needed, you can pass a scope URL as a string */
       scope: scopes,
       // Enable incremental authorization. Recommended as a best practice.
       include_granted_scopes: true,
       // Include the state parameter to reduce the risk of CSRF attacks.
       state: state
     });    res.redirect(authorizationUrl);
   });  // Receive the callback from Google's OAuth 2.0 server.
   app.get('/oauth2callback', async (req, res) => {
     // Handle the OAuth 2.0 server response
     let q = url.parse(req.url, true).query;    if (q.error) { // An error response e.g. error=access_denied
       console.log('Error:' + q.error);
     } else if (q.state !== req.session.state) { //check state value
       console.log('State mismatch. Possible CSRF attack');
       res.end('State mismatch. Possible CSRF attack');
     } else { // Get access and refresh tokens (if access_type is offline)
       let { tokens } = await oauth2Client.getToken(q.code);
       oauth2Client.setCredentials(tokens);      /** Save credential to the global variable in case access token was refreshed.
         * ACTION ITEM: In a production app, you likely want to save the refresh token
         *              in a secure persistent database instead. */
       userCredential = tokens;
       
       // Example of using YouTube API to list channels.
       var service = google.youtube('v3');
       service.channels.list({
         auth: oauth2Client,
         part: 'snippet,contentDetails,statistics',
         forUsername: 'GoogleDevelopers'
       }, function (err, response) {
         if (err) {
           console.log('The API returned an error: ' + err);
           return;
         }
         var channels = response.data.items;
         if (channels.length == 0) {
           console.log('No channel found.');
         } else {
           console.log('This channel\'s ID is %s. Its title is \'%s\', and ' +
             'it has %s views.',
             channels[0].id,
             channels[0].snippet.title,
             channels[0].statistics.viewCount);
         }
       });
     }
   });  // Example on revoking a token
   app.get('/revoke', async (req, res) => {
     // Build the string for the POST request
     let postData = "token=" + userCredential.access_token;    // Options for POST request to Google's OAuth 2.0 server to revoke a token
     let postOptions = {
       host: 'oauth2.googleapis.com',
       port: '443',
       path: '/revoke',
       method: 'POST',
       headers: {
         'Content-Type': 'application/x-www-form-urlencoded',
         'Content-Length': Buffer.byteLength(postData)
       }
     };    // Set up the request
     const postReq = https.request(postOptions, function (res) {
       res.setEncoding('utf8');
       res.on('data', d => {
         console.log('Response: ' + d);
       });
     });    postReq.on('error', error => {
       console.log(error)
     });    // Post the request with data
     postReq.write(postData);
     postReq.end();
   });
   const server = http.createServer(app);
   server.listen(8080);
 }
 main().catch(console.error);

This Python example uses the Flask framework
and the Requests library to demonstrate the OAuth
2.0 web flow. We recommend using the Google API Client Library for Python for this flow. (The
example in the Python tab does use the client library.)

import json
 import flask
 import requestsapp = flask.Flask(__name__)# To get these credentials (CLIENT_ID CLIENT_SECRET) and for your application, visit
 # https://console.cloud.google.com/apis/credentials.
 CLIENT_ID = '123456789.apps.googleusercontent.com'
 CLIENT_SECRET = 'abc123'  # Read from a file or environmental variable in a real app# Access scopes for YouTube API
 SCOPE = 'https://www.googleapis.com/auth/youtube.force-ssl'# Indicate where the API server will redirect the user after the user completes
 # the authorization flow. The redirect URI is required. The value must exactly
 # match one of the authorized redirect URIs for the OAuth 2.0 client, which you
 # configured in the API Console. If this value doesn't match an authorized URI,
 # you will get a 'redirect_uri_mismatch' error.
 REDIRECT_URI = 'http://example.com/oauth2callback'@app.route('/')
 def index():
   if 'credentials' not in flask.session:
     return flask.redirect(flask.url_for('oauth2callback'))  credentials = json.loads(flask.session['credentials'])  if credentials['expires_in'] <= 0:
     return flask.redirect(flask.url_for('oauth2callback'))
   else: 
     headers = {'Authorization': 'Bearer {}'.format(credentials['access_token'])}
     req_uri = 'https://www.googleapis.com/youtube/v3/channels/list'
     r = requests.get(req_uri, headers=headers)
     return r.text @app.route('/oauth2callback')
 def oauth2callback():
   if 'code' not in flask.request.args:
     state = str(uuid.uuid4())
     flask.session['state'] = state
     # Generate a url that asks permissions for the Drive activity
     # and Google Calendar scope. Then, redirect user to the url.
     auth_uri = ('https://accounts.google.com/o/oauth2/v2/auth?response_type=code'
                 '&client_id={}&redirect_uri={}&scope={}&state={}').format(CLIENT_ID, REDIRECT_URI,
                                                                           SCOPE, state)
     return flask.redirect(auth_uri)
   else:
     if 'state' not in flask.request.args or flask.request.args['state'] != flask.session['state']:
       return 'State mismatch. Possible CSRF attack.', 400    auth_code = flask.request.args.get('code')
     data = {'code': auth_code,
             'client_id': CLIENT_ID,
             'client_secret': CLIENT_SECRET,
             'redirect_uri': REDIRECT_URI,
             'grant_type': 'authorization_code'}    # Exchange authorization code for access and refresh tokens (if access_type is offline)
     r = requests.post('https://oauth2.googleapis.com/token', data=data)
     flask.session['credentials'] = r.text
     return flask.redirect(flask.url_for('index'))if __name__ == '__main__':
   import uuid
   app.secret_key = str(uuid.uuid4())
   app.debug = False
   app.run()

$client->setIncludeGrantedScopes(true);

In Python, set the include_granted_scopes keyword argument to true to
ensure that an authorization request includes previously granted scopes. It is very possible that
include_granted_scopes will not be the only keyword argument that you set, as
shown in the example below.

authorization_url, state = flow.authorization_url(
     # Enable offline access so that you can refresh an access token without
     # re-prompting the user for permission. Recommended for web server apps.
     access_type='offline',
     # Enable incremental authorization. Recommended as a best practice.
     include_granted_scopes='true')

auth_client.update!(
   :additional_parameters => {"include_granted_scopes" => "true"}
 )

const authorizationUrl = oauth2Client.generateAuthUrl({
   // 'online' (default) or 'offline' (gets refresh_token)
   access_type: 'offline',
   /** Pass in the scopes array defined above.
     * Alternatively, if only one scope is needed, you can pass a scope URL as a string */
   scope: scopes,
   // Enable incremental authorization. Recommended as a best practice.
   include_granted_scopes: true
 });

In this example, the calling application requests access to retrieve the
user's YouTube Analytics data in addition to any other access that the user
has already granted to the application.

GET https://accounts.google.com/o/oauth2/v2/auth?
   scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyt-analytics.readonly&
   access_type=offline&
   state=security_token%3D138rk%3Btarget_url%3Dhttp...index&
   redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
   response_type=code&
   client_id=client_id&
   include_granted_scopes=true          

If your application needs offline access to a Google API, set the API client's access type to
offline:

$client->setAccessType("offline");

After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.

In Python, set the access_type keyword argument to offline to ensure
that you will be able to refresh the access token without having to re-prompt the user for
permission. It is very possible that access_type will not be the only keyword
argument that you set, as shown in the example below.

authorization_url, state = flow.authorization_url(
     # Enable offline access so that you can refresh an access token without
     # re-prompting the user for permission. Recommended for web server apps.
     access_type='offline',
     # Enable incremental authorization. Recommended as a best practice.
     include_granted_scopes='true')

After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.

If your application needs offline access to a Google API, set the API client's access type to
offline:

auth_client.update!(
   :additional_parameters => {"access_type" => "offline"}
 )

After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.

If your application needs offline access to a Google API, set the API client's access type to
offline:

const authorizationUrl = oauth2Client.generateAuthUrl({
   // 'online' (default) or 'offline' (gets refresh_token)
   access_type: 'offline',
   /** Pass in the scopes array defined above.
     * Alternatively, if only one scope is needed, you can pass a scope URL as a string */
   scope: scopes,
   // Enable incremental authorization. Recommended as a best practice.
   include_granted_scopes: true
 });

After a user grants offline access to the requested scopes, you can continue to use the API
client to access Google APIs on the user's behalf when the user is offline. The client object
will refresh the access token as needed.

Access tokens expire. This library will automatically use a refresh token to obtain a new access
token if it is about to expire. An easy way to make sure you always store the most recent tokens
is to use the tokens event:

oauth2Client.on('tokens', (tokens) => {
   if (tokens.refresh_token) {
     // store the refresh_token in your secure persistent database
     console.log(tokens.refresh_token);
   }
   console.log(tokens.access_token);
 });

This tokens event only occurs in the first authorization, and you need to have set your
access_type to offline when calling the generateAuthUrl
method to receive the refresh token. If you have already given your app the requisiste permissions
without setting the appropriate constraints for receiving a refresh token, you will need to
re-authorize the application to receive a fresh refresh token.

To set the refresh_token at a later time, you can use the setCredentials method:

oauth2Client.setCredentials({
   refresh_token: `STORED_REFRESH_TOKEN`
 });

Once the client has a refresh token, access tokens will be acquired and refreshed automatically
in the next call to the API.

To refresh an access token, your application sends an HTTPS POST
request to Google's authorization server (https://oauth2.googleapis.com/token) that
includes the following parameters:


Fields




client_id
The client ID obtained from the API Console.


client_secret
The client secret obtained from the API Console.




grant_type
As
defined in the
OAuth 2.0 specification,
this field's value must be set to refresh_token.


refresh_token
The refresh token returned from the authorization code exchange.

The following snippet shows a sample request:

 POST /token HTTP/1.1
 Host: oauth2.googleapis.com
 Content-Type: application/x-www-form-urlencodedclient_id=your_client_id&
 client_secret=your_client_secret&
 refresh_token=refresh_token&
 grant_type=refresh_token

As long as the user has not revoked the access granted to the application, the token server
returns a JSON object that contains a new access token. The following snippet shows a sample
response:

{
   "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
   "expires_in": 3920,
   "scope": "https://www.googleapis.com/auth/drive.metadata.readonly",
   "token_type": "Bearer"
 }

Note that there are limits on the number of refresh tokens that will be issued; one limit per
client/user combination, and another per user across all clients. You should save refresh tokens
in long-term storage and continue to use them as long as they remain valid. If your application
requests too many refresh tokens, it may run into these limits, in which case older refresh tokens
will stop working.

To programmatically revoke a token, call revokeToken():

$client->revokeToken();

To programmatically revoke a token, make a request to
https://oauth2.googleapis.com/revoke that includes the token as a parameter and sets the
Content-Type header:

requests.post('https://oauth2.googleapis.com/revoke',
     params={'token': credentials.token},
     headers = {'content-type': 'application/x-www-form-urlencoded'})

To programmatically revoke a token, make an HTTP request to the oauth2.revoke
endpoint:

uri = URI('https://oauth2.googleapis.com/revoke')
 response = Net::HTTP.post_form(uri, 'token' => auth_client.access_token)

The token can be an access token or a refresh token. If the token is an access token and it has
a corresponding refresh token, the refresh token will also be revoked.

If the revocation is successfully processed, then the status code of the response is
200. For error conditions, a status code 400 is returned along with an
error code.

To programmatically revoke a token, make an HTTPS POST request to /revoke
endpoint:

const https = require('https');// Build the string for the POST request
 let postData = "token=" + userCredential.access_token;// Options for POST request to Google's OAuth 2.0 server to revoke a token
 let postOptions = {
   host: 'oauth2.googleapis.com',
   port: '443',
   path: '/revoke',
   method: 'POST',
   headers: {
     'Content-Type': 'application/x-www-form-urlencoded',
     'Content-Length': Buffer.byteLength(postData)
   }
 };// Set up the request
 const postReq = https.request(postOptions, function (res) {
   res.setEncoding('utf8');
   res.on('data', d => {
     console.log('Response: ' + d);
   });
 });postReq.on('error', error => {
   console.log(error)
 });// Post the request with data
 postReq.write(postData);
 postReq.end();

The token parameter can be an access token or a refresh token. If the token is an access token and it has
a corresponding refresh token, the refresh token will also be revoked.

If the revocation is successfully processed, then the status code of the response is
200. For error conditions, a status code 400 is returned along with an
error code.

To programmatically revoke a token, your application makes a request to
https://oauth2.googleapis.com/revoke and includes the token as a parameter:

 curl -d -X -POST --header "Content-type:application/x-www-form-urlencoded" \
         https://oauth2.googleapis.com/revoke?token={token}

The token can be an access token or a refresh token. If the token is an access token and it has a
corresponding refresh token, the refresh token will also be revoked.

If the revocation is successfully processed, then the HTTP status code of the response is
200. For error conditions, an HTTP status code 400 is returned along
with an error code.