將 OAuth 2.0 用於網路伺服器應用程式

use Google\Client;  $client = new Client();  // Required, call the setAuthConfig function to load authorization credentials from // client_secret.json file. $client->setAuthConfig('client_secret.json');  // Required, to set the scope value, call the addScope function $client->addScope([Google\Service\Drive::DRIVE_METADATA_READONLY, Google\Service\Calendar::CALENDAR_READONLY]);  // Required, call the setRedirectUri function to specify a valid redirect URI for the // provided client_id $client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');  // Recommended, offline access will give you both an access and refresh token so that // your app can refresh the access token without user interaction. $client->setAccessType('offline');  // Recommended, call the setState function. Using a state value can increase your assurance that // an incoming connection is the result of an authentication request. $client->setState($sample_passthrough_value);  // Optional, if your application knows which user is trying to authenticate, it can use this // parameter to provide a hint to the Google Authentication Server. $client->setLoginHint('[email protected]');  // Optional, call the setPrompt function to set "consent" will prompt the user for consent $client->setPrompt('consent');  // Optional, call the setIncludeGrantedScopes function with true to enable incremental // authorization $client->setIncludeGrantedScopes(true);

import google.oauth2.credentials import google_auth_oauthlib.flow  # Required, call the from_client_secrets_file method to retrieve the client ID from a # client_secret.json file. The client ID (from that file) and access scopes are required. (You can # also use the from_client_config method, which passes the client configuration as it originally # appeared in a client secrets file but doesn't access the file itself.) flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file('client_secret.json',     scopes=['https://www.googleapis.com/auth/drive.metadata.readonly',             'https://www.googleapis.com/auth/calendar.readonly'])  # Required, indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. flow.redirect_uri = 'https://www.example.com/oauth2callback'  # Generate URL for request to Google's OAuth 2.0 server. # Use kwargs to set optional request parameters. authorization_url, state = flow.authorization_url(     # Recommended, enable offline access so that you can refresh an access token without     # re-prompting the user for permission. Recommended for web server apps.     access_type='offline',     # Optional, enable incremental authorization. Recommended as a best practice.     include_granted_scopes='true',     # Optional, if your application knows which user is trying to authenticate, it can use this     # parameter to provide a hint to the Google Authentication Server.     login_hint='[email protected]',     # Optional, set prompt to 'consent' will prompt the user for consent     prompt='consent')

require 'googleauth' require 'googleauth/web_user_authorizer' require 'googleauth/stores/redis_token_store'  require 'google/apis/drive_v3' require 'google/apis/calendar_v3'  # Required, call the from_file method to retrieve the client ID from a # client_secret.json file. client_id = Google::Auth::ClientId.from_file('/path/to/client_secret.json')  # Required, scope value  # Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. scope = ['Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY',          'Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY']  # Required, Authorizers require a storage instance to manage long term persistence of # access and refresh tokens. token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)  # Required, indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. callback_uri = '/oauth2callback'  # To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI # from the client_secret.json file. To get these credentials for your application, visit # https://console.cloud.google.com/apis/credentials. authorizer = Google::Auth::WebUserAuthorizer.new(client_id, scope,                                                 token_store, callback_uri)

const {google} = require('googleapis'); const crypto = require('crypto'); const express = require('express'); const session = require('express-session');  /**  * To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI  * from the client_secret.json file. To get these credentials for your application, visit  * https://console.cloud.google.com/apis/credentials.  */ const oauth2Client = new google.auth.OAuth2(   YOUR_CLIENT_ID,   YOUR_CLIENT_SECRET,   YOUR_REDIRECT_URL );  // Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. const scopes = [   'https://www.googleapis.com/auth/drive.metadata.readonly',   'https://www.googleapis.com/auth/calendar.readonly' ];  // Generate a secure random state value. const state = crypto.randomBytes(32).toString('hex');  // Store state in the session req.session.state = state;  // Generate a url that asks permissions for the Drive activity and Google Calendar scope const authorizationUrl = oauth2Client.generateAuthUrl({   // 'online' (default) or 'offline' (gets refresh_token)   access_type: 'offline',   /** Pass in the scopes array defined above.     * Alternatively, if only one scope is needed, you can pass a scope URL as a string */   scope: scopes,   // Enable incremental authorization. Recommended as a best practice.   include_granted_scopes: true,   // Include the state parameter to reduce the risk of CSRF attacks.   state: state });

return flask.redirect(authorization_url)

 https://accounts.google.com/o/oauth2/v2/auth?  scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly%20https%3A//www.googleapis.com/auth/calendar.readonly&  access_type=offline&  include_granted_scopes=true&  response_type=code&  state=state_parameter_passthrough_value&  redirect_uri=https%3A//oauth2.example.com/code&  client_id=client_id

$access_token = $client->fetchAccessTokenWithAuthCode($_GET['code']);

state = flask.session['state'] flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(     'client_secret.json',     scopes=['https://www.googleapis.com/auth/drive.metadata.readonly'],     state=state) flow.redirect_uri = flask.url_for('oauth2callback', _external=True)  authorization_response = flask.request.url flow.fetch_token(authorization_response=authorization_response)  # Store the credentials in the session. # ACTION ITEM for developers: #     Store user's access and refresh tokens in your data store if #     incorporating this code into your real app. credentials = flow.credentials flask.session['credentials'] = {     'token': credentials.token,     'refresh_token': credentials.refresh_token,     'token_uri': credentials.token_uri,     'client_id': credentials.client_id,     'client_secret': credentials.client_secret,     'granted_scopes': credentials.granted_scopes}

  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)   redirect target_url

const url = require('url');  // Receive the callback from Google's OAuth 2.0 server. app.get('/oauth2callback', async (req, res) => {   let q = url.parse(req.url, true).query;    if (q.error) { // An error response e.g. error=access_denied     console.log('Error:' + q.error);   } else if (q.state !== req.session.state) { //check state value     console.log('State mismatch. Possible CSRF attack');     res.end('State mismatch. Possible CSRF attack');   } else { // Get access and refresh tokens (if access_type is offline)      let { tokens } = await oauth2Client.getToken(q.code);     oauth2Client.setCredentials(tokens); });

POST /token HTTP/1.1 Host: oauth2.googleapis.com Content-Type: application/x-www-form-urlencoded  code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7& client_id=your_client_id& client_secret=your_client_secret& redirect_uri=https%3A//oauth2.example.com/code& grant_type=authorization_code

{   "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",   "expires_in": 3920,   "token_type": "Bearer",   "scope": "https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly",   "refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI" }

// Space-separated string of granted scopes if it exists, otherwise null. $granted_scopes = $client->getOAuth2Service()->getGrantedScope();  // Determine which scopes user granted and build a dictionary $granted_scopes_dict = [   'Drive' => str_contains($granted_scopes, Google\Service\Drive::DRIVE_METADATA_READONLY),   'Calendar' => str_contains($granted_scopes, Google\Service\Calendar::CALENDAR_READONLY) ];

credentials = flow.credentials flask.session['credentials'] = {     'token': credentials.token,     'refresh_token': credentials.refresh_token,     'token_uri': credentials.token_uri,     'client_id': credentials.client_id,     'client_secret': credentials.client_secret,     'granted_scopes': credentials.granted_scopes}

def check_granted_scopes(credentials):   features = {}   if 'https://www.googleapis.com/auth/drive.metadata.readonly' in credentials['granted_scopes']:     features['drive'] = True   else:     features['drive'] = False    if 'https://www.googleapis.com/auth/calendar.readonly' in credentials['granted_scopes']:     features['calendar'] = True   else:     features['calendar'] = False    return features

# User authorized the request. Now, check which scopes were granted. if credentials.scope.include?(Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY)   # User authorized read-only Drive activity permission.   # Calling the APIs, etc else   # User didn't authorize read-only Drive activity permission.   # Update UX and application accordingly end  # Check if user authorized Calendar read permission. if credentials.scope.include?(Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY)   # User authorized Calendar read permission.   # Calling the APIs, etc. else   # User didn't authorize Calendar read permission.   # Update UX and application accordingly end

// User authorized the request. Now, check which scopes were granted. if (tokens.scope.includes('https://www.googleapis.com/auth/drive.metadata.readonly')) {   // User authorized read-only Drive activity permission.   // Calling the APIs, etc. } else {   // User didn't authorize read-only Drive activity permission.   // Update UX and application accordingly }  // Check if user authorized Calendar read permission. if (tokens.scope.includes('https://www.googleapis.com/auth/calendar.readonly')) {   // User authorized Calendar read permission.   // Calling the APIs, etc. } else {   // User didn't authorize Calendar read permission.   // Update UX and application accordingly }

  {     "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",     "expires_in": 3920,     "token_type": "Bearer",     "scope": "https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly",     "refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"   }

files = drive.list_files(options: { authorization: credentials })

const { google } = require('googleapis');  // Example of using Google Drive API to list filenames in user's Drive. const drive = google.drive('v3'); drive.files.list({   auth: oauth2Client,   pageSize: 10,   fields: 'nextPageToken, files(id, name)', }, (err1, res1) => {   if (err1) return console.log('The API returned an error: ' + err1);   const files = res1.data.files;   if (files.length) {     console.log('Files:');     files.map((file) => {       console.log(`${file.name} (${file.id})`);     });   } else {     console.log('No files found.');   } });

 GET /drive/v2/files HTTP/1.1 Host: www.googleapis.com Authorization: Bearer access_token

 GET https://www.googleapis.com/drive/v2/files?access_token=access_token

 curl -H "Authorization: Bearer access_token" https://www.googleapis.com/drive/v2/files

 curl https://www.googleapis.com/drive/v2/files?access_token=access_token

<?php require_once __DIR__.'/vendor/autoload.php';  session_start();  $client = new Google\Client(); $client->setAuthConfig('client_secret.json');  // User granted permission as an access token is in the session. if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {   $client->setAccessToken($_SESSION['access_token']);      // Check if user granted Drive permission   if ($_SESSION['granted_scopes_dict']['Drive']) {     echo "Drive feature is enabled.";     echo "</br>";     $drive = new Drive($client);     $files = array();     $response = $drive->files->listFiles(array());     foreach ($response->files as $file) {         echo "File: " . $file->name . " (" . $file->id . ")";         echo "</br>";     }   } else {     echo "Drive feature is NOT enabled.";     echo "</br>";   }     // Check if user granted Calendar permission   if ($_SESSION['granted_scopes_dict']['Calendar']) {     echo "Calendar feature is enabled.";     echo "</br>";   } else {     echo "Calendar feature is NOT enabled.";     echo "</br>";   } } else {   // Redirect users to outh2call.php which redirects users to Google OAuth 2.0   $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php';   header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL)); } ?>

<?php require_once __DIR__.'/vendor/autoload.php';  session_start();  $client = new Google\Client();  // Required, call the setAuthConfig function to load authorization credentials from // client_secret.json file. $client->setAuthConfigFile('client_secret.json'); $client->setRedirectUri('http://' . $_SERVER['HTTP_HOST']. $_SERVER['PHP_SELF']);  // Required, to set the scope value, call the addScope function. $client->addScope([Google\Service\Drive::DRIVE_METADATA_READONLY, Google\Service\Calendar::CALENDAR_READONLY]);  // Enable incremental authorization. Recommended as a best practice. $client->setIncludeGrantedScopes(true);  // Recommended, offline access will give you both an access and refresh token so that // your app can refresh the access token without user interaction. $client->setAccessType("offline");  // Generate a URL for authorization as it doesn't contain code and error if (!isset($_GET['code']) && !isset($_GET['error'])) {   // Generate and set state value   $state = bin2hex(random_bytes(16));   $client->setState($state);   $_SESSION['state'] = $state;    // Generate a url that asks permissions.   $auth_url = $client->createAuthUrl();   header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL)); }  // User authorized the request and authorization code is returned to exchange access and // refresh tokens. if (isset($_GET['code'])) {   // Check the state value   if (!isset($_GET['state']) || $_GET['state'] !== $_SESSION['state']) {     die('State mismatch. Possible CSRF attack.');   }    // Get access and refresh tokens (if access_type is offline)   $token = $client->fetchAccessTokenWithAuthCode($_GET['code']);    /** Save access and refresh token to the session variables.     * ACTION ITEM: In a production app, you likely want to save the     *              refresh token in a secure persistent storage instead. */   $_SESSION['access_token'] = $token;   $_SESSION['refresh_token'] = $client->getRefreshToken();      // Space-separated string of granted scopes if it exists, otherwise null.   $granted_scopes = $client->getOAuth2Service()->getGrantedScope();    // Determine which scopes user granted and build a dictionary   $granted_scopes_dict = [     'Drive' => str_contains($granted_scopes, Google\Service\Drive::DRIVE_METADATA_READONLY),     'Calendar' => str_contains($granted_scopes, Google\Service\Calendar::CALENDAR_READONLY)   ];   $_SESSION['granted_scopes_dict'] = $granted_scopes_dict;      $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/';   header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL)); }  // An error response e.g. error=access_denied if (isset($_GET['error'])) {   echo "Error: ". $_GET['error']; } ?>

# -*- coding: utf-8 -*-  import os import flask import json import requests  import google.oauth2.credentials import google_auth_oauthlib.flow import googleapiclient.discovery  # This variable specifies the name of a file that contains the OAuth 2.0 # information for this application, including its client_id and client_secret. CLIENT_SECRETS_FILE = "client_secret.json"  # The OAuth 2.0 access scope allows for access to the # authenticated user's account and requires requests to use an SSL connection. SCOPES = ['https://www.googleapis.com/auth/drive.metadata.readonly',           'https://www.googleapis.com/auth/calendar.readonly'] API_SERVICE_NAME = 'drive' API_VERSION = 'v2'  app = flask.Flask(__name__) # Note: A secret key is included in the sample so that it works. # If you use this code in your application, replace this with a truly secret # key. See https://flask.palletsprojects.com/quickstart/#sessions. app.secret_key = 'REPLACE ME - this value is here as a placeholder.'  @app.route('/') def index():   return print_index_table()  @app.route('/drive') def drive_api_request():   if 'credentials' not in flask.session:     return flask.redirect('authorize')    features = flask.session['features']    if features['drive']:     # Load client secrets from the server-side file.     with open(CLIENT_SECRETS_FILE, 'r') as f:         client_config = json.load(f)['web']      # Load user-specific credentials from browser session storage.     session_credentials = flask.session['credentials']      # Reconstruct the credentials object.     credentials = google.oauth2.credentials.Credentials(         refresh_token=session_credentials.get('refresh_token'),         scopes=session_credentials.get('granted_scopes'),         token=session_credentials.get('token'),         client_id=client_config.get('client_id'),         client_secret=client_config.get('client_secret'),         token_uri=client_config.get('token_uri'))      drive = googleapiclient.discovery.build(         API_SERVICE_NAME, API_VERSION, credentials=credentials)      files = drive.files().list().execute()      # Save credentials back to session in case access token was refreshed.     flask.session['credentials'] = credentials_to_dict(credentials)      return flask.jsonify(**files)   else:     # User didn't authorize read-only Drive activity permission.     return '<p>Drive feature is not enabled.</p>'  @app.route('/calendar') def calendar_api_request():   if 'credentials' not in flask.session:     return flask.redirect('authorize')    features = flask.session['features']    if features['calendar']:     # User authorized Calendar read permission.     # Calling the APIs, etc.     return ('<p>User granted the Google Calendar read permission. '+             'This sample code does not include code to call Calendar</p>')   else:     # User didn't authorize Calendar read permission.     # Update UX and application accordingly     return '<p>Calendar feature is not enabled.</p>'  @app.route('/authorize') def authorize():   # Create flow instance to manage the OAuth 2.0 Authorization Grant Flow steps.   flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(       CLIENT_SECRETS_FILE, scopes=SCOPES)    # The URI created here must exactly match one of the authorized redirect URIs   # for the OAuth 2.0 client, which you configured in the API Console. If this   # value doesn't match an authorized URI, you will get a 'redirect_uri_mismatch'   # error.   flow.redirect_uri = flask.url_for('oauth2callback', _external=True)    authorization_url, state = flow.authorization_url(       # Enable offline access so that you can refresh an access token without       # re-prompting the user for permission. Recommended for web server apps.       access_type='offline',       # Enable incremental authorization. Recommended as a best practice.       include_granted_scopes='true')    # Store the state so the callback can verify the auth server response.   flask.session['state'] = state    return flask.redirect(authorization_url)  @app.route('/oauth2callback') def oauth2callback():   # Specify the state when creating the flow in the callback so that it can   # verified in the authorization server response.   state = flask.session['state']    flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(       CLIENT_SECRETS_FILE, scopes=SCOPES, state=state)   flow.redirect_uri = flask.url_for('oauth2callback', _external=True)    # Use the authorization server's response to fetch the OAuth 2.0 tokens.   authorization_response = flask.request.url   flow.fetch_token(authorization_response=authorization_response)    # Store credentials in the session.   # ACTION ITEM: In a production app, you likely want to save these   #              credentials in a persistent database instead.   credentials = flow.credentials      credentials = credentials_to_dict(credentials)   flask.session['credentials'] = credentials    # Check which scopes user granted   features = check_granted_scopes(credentials)   flask.session['features'] = features   return flask.redirect('/')    @app.route('/revoke') def revoke():   if 'credentials' not in flask.session:     return ('You need to <a href="/authorize">authorize</a> before ' +             'testing the code to revoke credentials.')    # Load client secrets from the server-side file.   with open(CLIENT_SECRETS_FILE, 'r') as f:       client_config = json.load(f)['web']    # Load user-specific credentials from the session.   session_credentials = flask.session['credentials']    # Reconstruct the credentials object.   credentials = google.oauth2.credentials.Credentials(       refresh_token=session_credentials.get('refresh_token'),       scopes=session_credentials.get('granted_scopes'),       token=session_credentials.get('token'),       client_id=client_config.get('client_id'),       client_secret=client_config.get('client_secret'),       token_uri=client_config.get('token_uri'))    revoke = requests.post('https://oauth2.googleapis.com/revoke',       params={'token': credentials.token},       headers = {'content-type': 'application/x-www-form-urlencoded'})    status_code = getattr(revoke, 'status_code')   if status_code == 200:     # Clear the user's session credentials after successful revocation     if 'credentials' in flask.session:         del flask.session['credentials']         del flask.session['features']     return('Credentials successfully revoked.' + print_index_table())   else:     return('An error occurred.' + print_index_table())  @app.route('/clear') def clear_credentials():   if 'credentials' in flask.session:     del flask.session['credentials']   return ('Credentials have been cleared.<br><br>' +           print_index_table())  def credentials_to_dict(credentials):   return {'token': credentials.token,           'refresh_token': credentials.refresh_token,           'granted_scopes': credentials.granted_scopes}  def check_granted_scopes(credentials):   features = {}   if 'https://www.googleapis.com/auth/drive.metadata.readonly' in credentials['granted_scopes']:     features['drive'] = True   else:     features['drive'] = False    if 'https://www.googleapis.com/auth/calendar.readonly' in credentials['granted_scopes']:     features['calendar'] = True   else:     features['calendar'] = False    return features  def print_index_table():   return ('<table>' +            '<tr><td><a href="/authorize">Test the auth flow directly</a></td>' +           '<td>Go directly to the authorization flow. If there are stored ' +           '    credentials, you still might not be prompted to reauthorize ' +           '    the application.</td></tr>' +           '<tr><td><a href="/drive">Call Drive API directly</a></td>' +           '<td> Use stored credentials to call the API, you still might not be prompted to reauthorize ' +           '    the application.</td></tr>' +           '<tr><td><a href="/calendar">Call Calendar API directly</a></td>' +           '<td> Use stored credentials to call the API, you still might not be prompted to reauthorize ' +           '    the application.</td></tr>' +            '<tr><td><a href="/revoke">Revoke current credentials</a></td>' +           '<td>Revoke the access token associated with the current user ' +           '    session. After revoking credentials, if you go to the test ' +           '    page, you should see an <code>invalid_grant</code> error.' +           '</td></tr>' +           '<tr><td><a href="/clear">Clear Flask session credentials</a></td>' +           '<td>Clear the access token currently stored in the user session. ' +           '    After clearing the token, if you <a href="/authorize">authorize</a> ' +           '    again, you should go back to the auth flow.' +           '</td></tr></table>')  if __name__ == '__main__':   # When running locally, disable OAuthlib's HTTPs verification.   # ACTION ITEM for developers:   #     When running in production *do not* leave this option enabled.   os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'    # This disables the requested scopes and granted scopes check.   # If users only grant partial request, the warning would not be thrown.   os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1'    # Specify a hostname and port that are set as a valid redirect URI   # for your API project in the .   app.run('localhost', 8080, debug=True)

require 'googleauth' require 'googleauth/web_user_authorizer' require 'googleauth/stores/redis_token_store'  require 'google/apis/drive_v3' require 'google/apis/calendar_v3'  require 'sinatra'  configure do   enable :sessions    # Required, call the from_file method to retrieve the client ID from a   # client_secret.json file.   set :client_id, Google::Auth::ClientId.from_file('/path/to/client_secret.json')    # Required, scope value   # Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar.   scope = ['Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY',            'Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY']    # Required, Authorizers require a storage instance to manage long term persistence of   # access and refresh tokens.   set :token_store, Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)    # Required, indicate where the API server will redirect the user after the user completes   # the authorization flow. The redirect URI is required. The value must exactly   # match one of the authorized redirect URIs for the OAuth 2.0 client, which you   # configured in the API Console. If this value doesn't match an authorized URI,   # you will get a 'redirect_uri_mismatch' error.   set :callback_uri, '/oauth2callback'    # To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI   # from the client_secret.json file. To get these credentials for your application, visit   # https://console.cloud.google.com/apis/credentials.   set :authorizer, Google::Auth::WebUserAuthorizer.new(settings.client_id, settings.scope,                           settings.token_store, callback_uri: settings.callback_uri) end  get '/' do   # NOTE: Assumes the user is already authenticated to the app   user_id = request.session['user_id']    # Fetch stored credentials for the user from the given request session.   # nil if none present   credentials = settings.authorizer.get_credentials(user_id, request)    if credentials.nil?     # Generate a url that asks the user to authorize requested scope(s).     # Then, redirect user to the url.     redirect settings.authorizer.get_authorization_url(request: request)   end      # User authorized the request. Now, check which scopes were granted.   if credentials.scope.include?(Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY)     # User authorized read-only Drive activity permission.     # Example of using Google Drive API to list filenames in user's Drive.     drive = Google::Apis::DriveV3::DriveService.new     files = drive.list_files(options: { authorization: credentials })     "<pre>#{JSON.pretty_generate(files.to_h)}</pre>"   else     # User didn't authorize read-only Drive activity permission.     # Update UX and application accordingly   end    # Check if user authorized Calendar read permission.   if credentials.scope.include?(Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY)     # User authorized Calendar read permission.     # Calling the APIs, etc.   else     # User didn't authorize Calendar read permission.     # Update UX and application accordingly   end end  # Receive the callback from Google's OAuth 2.0 server. get '/oauth2callback' do   # Handle the result of the oauth callback. Defers the exchange of the code by   # temporarily stashing the results in the user's session.   target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)   redirect target_url end

const http = require('http'); const https = require('https'); const url = require('url'); const { google } = require('googleapis'); const crypto = require('crypto'); const express = require('express'); const session = require('express-session');  /**  * To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI.  * To get these credentials for your application, visit  * https://console.cloud.google.com/apis/credentials.  */ const oauth2Client = new google.auth.OAuth2(   YOUR_CLIENT_ID,   YOUR_CLIENT_SECRET,   YOUR_REDIRECT_URL );  // Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. const scopes = [   'https://www.googleapis.com/auth/drive.metadata.readonly',   'https://www.googleapis.com/auth/calendar.readonly' ];  /* Global variable that stores user credential in this code example.  * ACTION ITEM for developers:  *   Store user's refresh token in your data store if  *   incorporating this code into your real app.  *   For more information on handling refresh tokens,  *   see https://github.com/googleapis/google-api-nodejs-client#handling-refresh-tokens  */ let userCredential = null;  async function main() {   const app = express();    app.use(session({     secret: 'your_secure_secret_key', // Replace with a strong secret     resave: false,     saveUninitialized: false,   }));    // Example on redirecting user to Google's OAuth 2.0 server.   app.get('/', async (req, res) => {     // Generate a secure random state value.     const state = crypto.randomBytes(32).toString('hex');     // Store state in the session     req.session.state = state;      // Generate a url that asks permissions for the Drive activity and Google Calendar scope     const authorizationUrl = oauth2Client.generateAuthUrl({       // 'online' (default) or 'offline' (gets refresh_token)       access_type: 'offline',       /** Pass in the scopes array defined above.         * Alternatively, if only one scope is needed, you can pass a scope URL as a string */       scope: scopes,       // Enable incremental authorization. Recommended as a best practice.       include_granted_scopes: true,       // Include the state parameter to reduce the risk of CSRF attacks.       state: state     });      res.redirect(authorizationUrl);   });    // Receive the callback from Google's OAuth 2.0 server.   app.get('/oauth2callback', async (req, res) => {     // Handle the OAuth 2.0 server response     let q = url.parse(req.url, true).query;      if (q.error) { // An error response e.g. error=access_denied       console.log('Error:' + q.error);     } else if (q.state !== req.session.state) { //check state value       console.log('State mismatch. Possible CSRF attack');       res.end('State mismatch. Possible CSRF attack');     } else { // Get access and refresh tokens (if access_type is offline)       let { tokens } = await oauth2Client.getToken(q.code);       oauth2Client.setCredentials(tokens);        /** Save credential to the global variable in case access token was refreshed.         * ACTION ITEM: In a production app, you likely want to save the refresh token         *              in a secure persistent database instead. */       userCredential = tokens;              // User authorized the request. Now, check which scopes were granted.       if (tokens.scope.includes('https://www.googleapis.com/auth/drive.metadata.readonly'))       {         // User authorized read-only Drive activity permission.         // Example of using Google Drive API to list filenames in user's Drive.         const drive = google.drive('v3');         drive.files.list({           auth: oauth2Client,           pageSize: 10,           fields: 'nextPageToken, files(id, name)',         }, (err1, res1) => {           if (err1) return console.log('The API returned an error: ' + err1);           const files = res1.data.files;           if (files.length) {             console.log('Files:');             files.map((file) => {               console.log(`${file.name} (${file.id})`);             });           } else {             console.log('No files found.');           }         });       }       else       {         // User didn't authorize read-only Drive activity permission.         // Update UX and application accordingly       }        // Check if user authorized Calendar read permission.       if (tokens.scope.includes('https://www.googleapis.com/auth/calendar.readonly'))       {         // User authorized Calendar read permission.         // Calling the APIs, etc.       }       else       {         // User didn't authorize Calendar read permission.         // Update UX and application accordingly       }     }   });    // Example on revoking a token   app.get('/revoke', async (req, res) => {     // Build the string for the POST request     let postData = "token=" + userCredential.access_token;      // Options for POST request to Google's OAuth 2.0 server to revoke a token     let postOptions = {       host: 'oauth2.googleapis.com',       port: '443',       path: '/revoke',       method: 'POST',       headers: {         'Content-Type': 'application/x-www-form-urlencoded',         'Content-Length': Buffer.byteLength(postData)       }     };      // Set up the request     const postReq = https.request(postOptions, function (res) {       res.setEncoding('utf8');       res.on('data', d => {         console.log('Response: ' + d);       });     });      postReq.on('error', error => {       console.log(error)     });      // Post the request with data     postReq.write(postData);     postReq.end();   });     const server = http.createServer(app);   server.listen(8080); } main().catch(console.error);

import json import flask import requests  app = flask.Flask(__name__)  # To get these credentials (CLIENT_ID CLIENT_SECRET) and for your application, visit # https://console.cloud.google.com/apis/credentials. CLIENT_ID = '123456789.apps.googleusercontent.com' CLIENT_SECRET = 'abc123'  # Read from a file or environmental variable in a real app  # Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. SCOPE = 'https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly'  # Indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. REDIRECT_URI = 'http://example.com/oauth2callback'  @app.route('/') def index():   if 'credentials' not in flask.session:     return flask.redirect(flask.url_for('oauth2callback'))    credentials = json.loads(flask.session['credentials'])    if credentials['expires_in'] <= 0:     return flask.redirect(flask.url_for('oauth2callback'))   else:      # User authorized the request. Now, check which scopes were granted.     if 'https://www.googleapis.com/auth/drive.metadata.readonly' in credentials['scope']:       # User authorized read-only Drive activity permission.       # Example of using Google Drive API to list filenames in user's Drive.       headers = {'Authorization': 'Bearer {}'.format(credentials['access_token'])}       req_uri = 'https://www.googleapis.com/drive/v2/files'       r = requests.get(req_uri, headers=headers).text     else:       # User didn't authorize read-only Drive activity permission.       # Update UX and application accordingly       r = 'User did not authorize Drive permission.'      # Check if user authorized Calendar read permission.     if 'https://www.googleapis.com/auth/calendar.readonly' in credentials['scope']:       # User authorized Calendar read permission.       # Calling the APIs, etc.       r += 'User authorized Calendar permission.'     else:       # User didn't authorize Calendar read permission.       # Update UX and application accordingly       r += 'User did not authorize Calendar permission.'    return r  @app.route('/oauth2callback') def oauth2callback():   if 'code' not in flask.request.args:     state = str(uuid.uuid4())     flask.session['state'] = state     # Generate a url that asks permissions for the Drive activity     # and Google Calendar scope. Then, redirect user to the url.     auth_uri = ('https://accounts.google.com/o/oauth2/v2/auth?response_type=code'                 '&client_id={}&redirect_uri={}&scope={}&state={}').format(CLIENT_ID, REDIRECT_URI,                                                                           SCOPE, state)     return flask.redirect(auth_uri)   else:     if 'state' not in flask.request.args or flask.request.args['state'] != flask.session['state']:       return 'State mismatch. Possible CSRF attack.', 400      auth_code = flask.request.args.get('code')     data = {'code': auth_code,             'client_id': CLIENT_ID,             'client_secret': CLIENT_SECRET,             'redirect_uri': REDIRECT_URI,             'grant_type': 'authorization_code'}      # Exchange authorization code for access and refresh tokens (if access_type is offline)     r = requests.post('https://oauth2.googleapis.com/token', data=data)     flask.session['credentials'] = r.text     return flask.redirect(flask.url_for('index'))  if __name__ == '__main__':   import uuid   app.secret_key = str(uuid.uuid4())   app.debug = False   app.run()

$client->setIncludeGrantedScopes(true);

authorization_url, state = flow.authorization_url(     # Enable offline access so that you can refresh an access token without     # re-prompting the user for permission. Recommended for web server apps.     access_type='offline',     # Enable incremental authorization. Recommended as a best practice.     include_granted_scopes='true')

auth_client.update!(   :additional_parameters => {"include_granted_scopes" => "true"} )

const authorizationUrl = oauth2Client.generateAuthUrl({   // 'online' (default) or 'offline' (gets refresh_token)   access_type: 'offline',   /** Pass in the scopes array defined above.     * Alternatively, if only one scope is needed, you can pass a scope URL as a string */   scope: scopes,   // Enable incremental authorization. Recommended as a best practice.   include_granted_scopes: true });

GET https://accounts.google.com/o/oauth2/v2/auth?   client_id=your_client_id&   response_type=code&   state=state_parameter_passthrough_value&   scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly%20https%3A//www.googleapis.com/auth/calendar.readonly&   redirect_uri=https%3A//oauth2.example.com/code&   prompt=consent&   include_granted_scopes=true

$client->setAccessType("offline");

authorization_url, state = flow.authorization_url(     # Enable offline access so that you can refresh an access token without     # re-prompting the user for permission. Recommended for web server apps.     access_type='offline',     # Enable incremental authorization. Recommended as a best practice.     include_granted_scopes='true')

auth_client.update!(   :additional_parameters => {"access_type" => "offline"} )

const authorizationUrl = oauth2Client.generateAuthUrl({   // 'online' (default) or 'offline' (gets refresh_token)   access_type: 'offline',   /** Pass in the scopes array defined above.     * Alternatively, if only one scope is needed, you can pass a scope URL as a string */   scope: scopes,   // Enable incremental authorization. Recommended as a best practice.   include_granted_scopes: true });

oauth2Client.on('tokens', (tokens) => {   if (tokens.refresh_token) {     // store the refresh_token in your secure persistent database     console.log(tokens.refresh_token);   }   console.log(tokens.access_token); });

oauth2Client.setCredentials({   refresh_token: `STORED_REFRESH_TOKEN` });

 POST /token HTTP/1.1 Host: oauth2.googleapis.com Content-Type: application/x-www-form-urlencoded  client_id=your_client_id& client_secret=your_client_secret& refresh_token=refresh_token& grant_type=refresh_token

{   "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",   "expires_in": 3920,   "scope": "https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly",   "token_type": "Bearer" }

$client->revokeToken();

requests.post('https://oauth2.googleapis.com/revoke',     params={'token': credentials.token},     headers = {'content-type': 'application/x-www-form-urlencoded'})

uri = URI('https://oauth2.googleapis.com/revoke') response = Net::HTTP.post_form(uri, 'token' => auth_client.access_token)

const https = require('https');  // Build the string for the POST request let postData = "token=" + userCredential.access_token;  // Options for POST request to Google's OAuth 2.0 server to revoke a token let postOptions = {   host: 'oauth2.googleapis.com',   port: '443',   path: '/revoke',   method: 'POST',   headers: {     'Content-Type': 'application/x-www-form-urlencoded',     'Content-Length': Buffer.byteLength(postData)   } };  // Set up the request const postReq = https.request(postOptions, function (res) {   res.setEncoding('utf8');   res.on('data', d => {     console.log('Response: ' + d);   }); });  postReq.on('error', error => {   console.log(error) });  // Post the request with data postReq.write(postData); postReq.end();

 curl -d -X -POST --header "Content-type:application/x-www-form-urlencoded" \         https://oauth2.googleapis.com/revoke?token={token}