63

Is there any way in which I can generate an access token to test OAuth for logging in with Gmail?

I have created a Google app, and got the client and secret IDs.

I know Facebook will allow you to do so from this URL: https://developers.facebook.com/tools/accesstoken/

Is there any method like this for Google?

Jonathan Hall
user123456

5 Answers

36

Use the Google OAuth playground:

Request:

POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=8819981768.apps.googleusercontent.com&
client_secret={client_secret}&
redirect_uri=https://oauth2-login-demo.appspot.com/code&
grant_type=authorization_code

(Successful) Response:

{
  "access_token":"1/fFAGRNJru1FTz70BzhT3Zg",
  "expires_in":3920,
  "token_type":"Bearer"
}

I also highly recommend reading the Google OAuth 2.0 documentation.

forkdbloke
coderMe
  • 74
    This doesn't help IMO, you simply have the same problem because you can't programmatically generate a code. Now the question becomes "How to get a dummy google authorization code...". Facebook offers the ability to create a test user, and instantly get an access token for that user by calling https://graph.facebook.com/v2.4/{app-id}/accounts/test-users using your app token. – joelittlejohn Aug 04 '15 at 16:32
  • 4
    I'd just vote up for @joelittlejohn's answer. The playground still wants a user interaction. – Andrevinsky Apr 06 '18 at 14:41
  • 2
    In the end I achieved this by saving browser cookies and attaching them to the authorize request in my tests. They last a long, long time. – joelittlejohn Apr 06 '18 at 18:33
  • @joelittlejohn could you explain more about your solution here https://stackoverflow.com/q/51962057/1356559 – Amr Lotfy Aug 24 '18 at 00:04
  • I've added an answer outlining the 'cookie' approach. – joelittlejohn Dec 24 '19 at 14:22
7

The best solution to this currently is to log in to a Google account, capture the Google cookies for this session, then use these same cookies to acquire an authorization code in your tests later. Each time the test runs, it can create an authorization code and exchange this for an access token. I've found these cookies can last 6 months or more.

I did the following to achieve this using Chrome:

  1. Open a Chrome private browsing session
  2. Open https://myaccount.google.com and log in using your chosen Google credentials
  3. Open the Chrome Dev Tools (Ctrl-Shift-I), Network tab, and select 'Preserve log'
  4. Do your OAuth login flow to log in with Google
  5. In the Chrome Dev Tools 'Network' tab you will see a request that went to https://accounts.google.com/o/oauth2/auth.... Copy this full URL.
  6. Select this request and select the Cookies tab. Copy all the cookies. You should have cookies for ACCOUNT_CHOOSER, APISID, CONSENT, GAPS, ...

Now during your test, you can do an HTTP GET request to the URL you captured above, and in the request you should include the cookies you captured above. You should get a 302 response with code=... in the URL shown in the Location header.

Finally, in your test you can exchange this code for an access and refresh token using a POST to https://www.googleapis.com/oauth2/v4/token.

The Google OAuth playground doesn't help us here, since you still need some manual interaction to generate the authorization code (the playground is not 'automated').

joelittlejohn
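An added example (not part of the answer above) of the step between the cookie-authenticated GET and the token POST: checking the 302 and pulling `code` out of its `Location` header before building the exchange body. The function names, the callback URL and the sample redirect are constructed for illustration; only the token endpoint comes from the answer.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"  # from the answer above


class AuthRedirectError(Exception):
    """The authorize request did not yield a usable authorization code."""


def code_from_redirect(status, location, redirect_uri, expected_state=None):
    """Extract the code from the 302 returned by the authorize URL."""
    if status != 302 or not location:
        # No redirect means no code was issued.
        raise AuthRedirectError(f"expected 302 with Location, got {status}")
    got, want = urlsplit(location), urlsplit(redirect_uri)
    if got[:3] != want[:3]:  # scheme, host and path must be the app's callback
        # Redirected somewhere other than the callback, e.g. a sign-in page.
        raise AuthRedirectError(f"redirected to {got.netloc}{got.path}")
    params = parse_qs(got.query)
    if "error" in params:
        raise AuthRedirectError(f"authorization error: {params['error'][0]}")
    if expected_state is not None and params.get("state") != [expected_state]:
        raise AuthRedirectError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise AuthRedirectError("redirect carries no single code parameter")
    return codes[0]


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Form body for the authorization_code exchange POSTed to TOKEN_ENDPOINT."""
    return urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })


# Constructed sample values (hypothetical callback, not a real code).
REDIRECT_URI = "https://app.example.test/callback"
SAMPLE_LOCATION = REDIRECT_URI + "?state=abc123&code=4%2FSAMPLE-code"

if __name__ == "__main__":
    code = code_from_redirect(302, SAMPLE_LOCATION, REDIRECT_URI, "abc123")
    print(token_request_body(code, "CLIENT_ID", "CLIENT_SECRET", REDIRECT_URI))
```

The captured cookies are session credentials for that Google account, so the test should load them from a secret store rather than from the repository.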
1

Don't forget that you should be able to mock Google OAuth. In other words, in most test situations (except for monitoring and certain types of load testing), it should be possible to simulate a successful connection to Google OAuth and the corresponding callback. In order to do that you may just have to use methods already present in the testing tool you are using.

Even if this answer does not directly answer the subject, I think it was necessary to write it here to allow some people to consider this workaround, adapted to the majority of automated test situations.

bZx
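One way to simulate the provider, as an added example that is not from the answer above: a local fake that plays both the authorize redirect and the token endpoint, so the application under test can be pointed at it instead of Google. It assumes the application's authorize and token URLs are configurable; the class and function names are hypothetical, and the fake treats every GET as an authorize request and every POST as a token request.

```python
import json, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs, urlencode


class FakeOAuth(BaseHTTPRequestHandler):
    """Test-only stand-in for the authorize and token endpoints."""
    codes = set()  # authorization codes issued and not yet redeemed

    def do_GET(self):  # authorize endpoint: the fake user always consents
        q = parse_qs(urlsplit(self.path).query)
        if "redirect_uri" not in q:
            return self.send_error(400, "redirect_uri required")
        code = secrets.token_urlsafe(16)
        self.codes.add(code)
        back = urlencode({"code": code, "state": q.get("state", [""])[0]})
        self.send_response(302)
        self.send_header("Location", q["redirect_uri"][0] + "?" + back)
        self.end_headers()

    def do_POST(self):  # token endpoint: redeem a code exactly once
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        code = form.get("code", [""])[0]
        if form.get("grant_type") == ["authorization_code"] and code in self.codes:
            self.codes.discard(code)
            status, out = 200, {"access_token": "fake-" + secrets.token_hex(8),
                                "expires_in": 3600, "token_type": "Bearer"}
        else:
            status, out = 400, {"error": "invalid_grant"}
        payload = json.dumps(out).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep test output quiet
        pass


def start_fake_oauth():
    """Serve the fake on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeOAuth)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"
```

Call `server.shutdown()` in the test teardown; because the fake rejects a replayed code, it also exercises the application's handling of a failed exchange.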
0

If you just want to test out an API with any oauth token as stated in the question title (not necessarily one acquired from a test user login flow), then you could make curl calls using a service account and the oauth2l utility as outlined in GCP docs here:

https://cloud.google.com/service-usage/docs/getting-started

Similarly, you can grant permissions to the service account the same as you would a regular test user.

encrest
0

You need a refresh token to programmatically get an access token; a refresh token is almost non-expiring: https://developers.google.com/identity/protocols/oauth2#5.-refresh-the-access-token,-if-necessary.

Some more info about refresh token limitation (https://usefulangle.com/post/51/google-refresh-token-common-questions):


When does a refresh token expire?

Refresh tokens do not expire, unless there are a few special conditions:

  • The user has removed your Google application.
  • The refresh token has not been used for six months.
  • The user changed password and the refresh token contained Gmail scopes. This means that the refresh token will be invalidated only when he had previously given the permissions for managing his Gmail, and then later changed his password. For the rest of Google services like Youtube, Calendar etc, a changed password will not invalidate the refresh token.
  • The application generated a new refresh token for the user more than 50 times.

How to get refresh token - see my answer: https://stackoverflow.com/a/68844709/1046909

MingalevME
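An added sketch (not from the answer above) of using a stored refresh token in tests: it caches the access token, renews it with the standard OAuth 2.0 `refresh_token` grant shortly before `expires_in` runs out, and turns the `invalid_grant` error, which is how a token endpoint reports a refresh token that is no longer valid, into a distinct exception. The class names and the injected `post` callable are assumptions; the endpoint is the one quoted elsewhere on this page.

```python
import json, time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"  # endpoint quoted on this page


class RefreshTokenRevoked(Exception):
    """Token endpoint answered invalid_grant: a new consent flow is needed."""


class AccessTokenSource:
    """Caches an access token and renews it with the refresh_token grant."""

    def __init__(self, post, client_id, client_secret, refresh_token, clock=time.time):
        # post(url, form_body) -> (status, response_text); injected so tests run offline
        self._post, self._clock = post, clock
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "refresh_token": refresh_token, "grant_type": "refresh_token"}
        self._token, self._expires_at = None, 0.0

    def get(self, skew=60):
        """Return an access token valid for at least `skew` more seconds."""
        if self._token is None or self._clock() >= self._expires_at - skew:
            status, text = self._post(TOKEN_ENDPOINT, urlencode(self._form))
            data = json.loads(text)
            if status == 400 and data.get("error") == "invalid_grant":
                raise RefreshTokenRevoked(data.get("error_description", "invalid_grant"))
            if status != 200:
                raise RuntimeError(f"token endpoint returned {status}: {data.get('error')}")
            self._token = data["access_token"]
            self._expires_at = self._clock() + int(data["expires_in"])
        return self._token
```

Catching `RefreshTokenRevoked` separately lets a test suite fail with a clear "re-authorize the test account" message instead of a generic HTTP error.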