After another day of fiddling with this and reading a few very complicated blogposts seemingly implementing one entire OAuth2 flow, I figured out how to it with just the Google Cloud setup and a single curl:

Setting up a Project on Google Cloud Console

  1. Head over to The Google Could Dashboard and create a new Project. If you already have one you want to use skip ahead to the next part.

  2. First add the API you want to use. I’ll be using CalDAV.

  3. Next configure the OAuth2 screen. This asks you a bunch of scary questions, because Google thinks you’re developing the next big thing.

    • Add the scope of the API you want to access. I want to read the CalDAV api, so I’ll be using https://www.googleapis.com/auth/calendar.readonly. Note this down, you’ll need it again and there won’t be a nice selection box next time.
    • Add yourself as a test user
    • Just fill everything requiring an email with yours

Getting the “Password”

Don’t worry, it’s actually just a refresh-token and some client credentials. And it expires every eternity, but for our intents and purposes it’s just a magic string.

Creating a client

Under “credentials” add an OAuth Client ID. As type choose Webapp and add https://developers.google.com/oauthplayground as a redirect URI. When you click save you should get a client-id and a client-secret.

Getting the refresh token

Next head over to the OAuth2 Playground we just authorized and log in using the client we just created:

  1. Under settings (the cog in the top right)
    1. tick “use own credentials”
    2. enter client ID and secret of the client we just created
  2. on the left paste the access scope you want, this has to be one of the ones added to your applications OAuth2 screen. https://www.googleapis.com/auth/calendar.readonly in my case.
  3. “Authorize APIs” and log into your google account. Note that you have to click the alternate option on the second screen, otherwise you cancel the process (and have to click “authorize APIs” again).
  4. “Exchange Authorisation code for tokens”. In theory you’re done now, but I said there’s a magic String:
  5. “Refresh access” token. Now it should display you the POST request it just issued to get a new access_token. The body of that query is the magic string.

Getting the access token

With the magic string from above we can now just:

curl https://oauth2.googleapis.com/token -X POST -d 'client_secret=....'

to get the token!

Using the token:

just add header

Authorization: Bearer {access_token}

to whatever request you want to make. Many htp libraries also support some kind of bearer={access_token} argument somewhere.

Happy automating your google things :-)

Caveats and alternate options

  • Every eternity or when google had some kind of security issue, the refresh token expires and you have to go to the OAuth2 Playground again to get another one.
  • If you only need the token to work for a week, you can skip all the Google Cloud setup: Just don’t use your own credentials in the Playground. The ones provided are valid for a week (according to the prompt when you authorize)

References

I didn’t come up with this, I just removed to coding from the below guides: