Purpose: This document describes the generic OAuth 2.0 functions offered by the Google OAuth Client Library for Java. You can use these functions for authentication and authorization for any Internet services.
For instructions on using GoogleCredential to do OAuth 2.0 authorization with
Google services, see
Using OAuth 2.0 with the Google API Client Library for Java.
Summary: OAuth 2.0 is a standard specification for allowing end users to securely authorize a client application to access protected server-side resources. In addition, the OAuth 2.0 bearer token specification explains how to access those protected resources using an access token granted during the end-user authorization process.
For details, see the Javadoc documentation for the following packages:
com.google.api.client.auth.oauth2
(from google-oauth-client)com.google.api.client.extensions.servlet.auth.oauth2
(from google-oauth-client-servletcom.google.api.client.extensions.appengine.auth.oauth2
(from google-oauth-client-appengine)Before using the Google OAuth Client Library for Java, you probably need to register your application with an authorization server to receive a client ID and client secret. (For general information about this process, see the Client Registration specification.
Credential is a thread-safe OAuth 2.0 helper class for accessing
protected resources using an access token. When using a refresh token,
Credential also refreshes the access token when the access token expires using
the refresh token. For example, if you already have an access token, you can
make a request in the following way:
public static HttpResponse executeGet(
HttpTransport transport, JsonFactory jsonFactory, String accessToken, GenericUrl url)
throws IOException {
Credential credential =
new Credential(BearerToken.authorizationHeaderAccessMethod()).setAccessToken(accessToken);
HttpRequestFactory requestFactory = transport.createRequestFactory(credential);
return requestFactory.buildGetRequest(url).execute();
}
Most applications need to persist the credential’s access token and refresh
token in order to avoid a future redirect to the authorization page in the
browser. The CredentialStore implementation in this
library is deprecated and to be removed in future releases. The alternative is
to use the DataStoreFactory and DataStore
interfaces with StoredCredential, which are provided by
the Google HTTP Client Library for Java.
You can use one of the following implementations provided by the library:
AppEngineDataStoreFactory persists the
credential using the Google App Engine Data Store API.MemoryDataStoreFactory “persists” the credential
in memory, which is only useful as a short-term storage for the lifetime of
the process.FileDataStoreFactory] persists the credential in a file.AppEngineCredentialStore is deprecated and is being removed.
We recommend that you use
AppEngineDataStoreFactory with
StoredCredential. If you have credentials stored in the
old way, you can use the added helper methods
migrateTo(AppEngineDataStoreFactory) or
migrateTo(DataStore) to migrate.
Use DataStoreCredentialRefreshListener and
set it for the credential using
GoogleCredential.Builder.addRefreshListener(CredentialRefreshListener).
Use the authorization code flow to allow the end user to grant your application access to their protected data. The protocol for this flow is specified in the Authorization Code Grant specification.
This flow is implemented using AuthorizationCodeFlow.
The steps are:
AuthorizationCodeFlow.loadCredential(String),
based on the user ID, to check if the user’s credentials are already known.
If so, you’re done.AuthorizationCodeFlow.newAuthorizationUrl()
and direct the end user’s browser to an authorization page where they can grant
your application access to their protected data.AuthorizationCodeFlow.newTokenRequest(String).AuthorizationCodeFlow.createAndStoreCredential(TokenResponse, String)
to store and obtain a credential for accessing protected resources.Alternatively, if you are not using
AuthorizationCodeFlow, you may use the lower-level
classes:
DataStore.get(String) to load the credential from the
store, based on the user ID.AuthorizationCodeRequestUrl to direct the
browser to the authorization page.AuthorizationCodeResponseUrl to process the
authorization response and parse the authorization code.AuthorizationCodeTokenRequest to request an
access token and possibly a refresh token.Credential and store it using
DataStore.set(String, V).DataStoreCredentialRefreshListener and set
it for the credential using
Credential.Builder.addRefreshListener(CredentialRefreshListener).This library provides servlet helper classes to significantly simplify the
authorization code flow for basic use cases. You just provide concrete subclasses
of AbstractAuthorizationCodeServlet
and AbstractAuthorizationCodeCallbackServlet
(from google-oauth-client-servlet) and add them to your web.xml file. Note
that you still need to take care of user login for your web application and
extract a user ID.
Sample code:
public class ServletSample extends AbstractAuthorizationCodeServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
// do stuff
}
@Override
protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
GenericUrl url = new GenericUrl(req.getRequestURL().toString());
url.setRawPath("/oauth2callback");
return url.build();
}
@Override
protected AuthorizationCodeFlow initializeFlow() throws IOException {
return new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
new NetHttpTransport(),
new GsonFactory(),
new GenericUrl("https://server.example.com/token"),
new BasicAuthentication("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"),
"s6BhdRkqt3",
"https://server.example.com/authorize").setCredentialDataStore(
StoredCredential.getDefaultDataStore(
new FileDataStoreFactory(new File("datastoredir"))))
.build();
}
@Override
protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
// return user ID
}
}
public class ServletCallbackSample extends AbstractAuthorizationCodeCallbackServlet {
@Override
protected void onSuccess(HttpServletRequest req, HttpServletResponse resp, Credential credential)
throws ServletException, IOException {
resp.sendRedirect("/");
}
@Override
protected void onError(
HttpServletRequest req, HttpServletResponse resp, AuthorizationCodeResponseUrl errorResponse)
throws ServletException, IOException {
// handle error
}
@Override
protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
GenericUrl url = new GenericUrl(req.getRequestURL().toString());
url.setRawPath("/oauth2callback");
return url.build();
}
@Override
protected AuthorizationCodeFlow initializeFlow() throws IOException {
return new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
new NetHttpTransport(),
new GsonFactory(),
new GenericUrl("https://server.example.com/token"),
new BasicAuthentication("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"),
"s6BhdRkqt3",
"https://server.example.com/authorize").setCredentialDataStore(
StoredCredential.getDefaultDataStore(
new FileDataStoreFactory(new File("datastoredir"))))
.build();
}
@Override
protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
// return user ID
}
}
The authorization code flow on App Engine is almost identical to the servlet
authorization code flow, except that we can leverage Google App Engine’s
Users Java API. The user needs to be logged in for the Users Java
API to be enabled; for information about redirecting users to a login page if
they are not already logged in, see
Security and Authentication (in web.xml).
The primary difference from the servlet case is that you provide concrete
subclasses of AbstractAppEngineAuthorizationCodeServlet
and AbstractAppEngineAuthorizationCodeCallbackServlet
(from google-oauth-client-appengine). They extend the abstract servlet classes
and implement the getUserId method for you using the Users Java API. AppEngineDataStoreFactory (from
Google HTTP Client Library for Java) is a good option for
persisting the credential using the Google App Engine Data Store API.
Sample code:
public class AppEngineSample extends AbstractAppEngineAuthorizationCodeServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
// do stuff
}
@Override
protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
GenericUrl url = new GenericUrl(req.getRequestURL().toString());
url.setRawPath("/oauth2callback");
return url.build();
}
@Override
protected AuthorizationCodeFlow initializeFlow() throws IOException {
return new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
new UrlFetchTransport(),
new GsonFactory(),
new GenericUrl("https://server.example.com/token"),
new BasicAuthentication("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"),
"s6BhdRkqt3",
"https://server.example.com/authorize").setCredentialStore(
StoredCredential.getDefaultDataStore(AppEngineDataStoreFactory.getDefaultInstance()))
.build();
}
}
public class AppEngineCallbackSample extends AbstractAppEngineAuthorizationCodeCallbackServlet {
@Override
protected void onSuccess(HttpServletRequest req, HttpServletResponse resp, Credential credential)
throws ServletException, IOException {
resp.sendRedirect("/");
}
@Override
protected void onError(
HttpServletRequest req, HttpServletResponse resp, AuthorizationCodeResponseUrl errorResponse)
throws ServletException, IOException {
// handle error
}
@Override
protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
GenericUrl url = new GenericUrl(req.getRequestURL().toString());
url.setRawPath("/oauth2callback");
return url.build();
}
@Override
protected AuthorizationCodeFlow initializeFlow() throws IOException {
return new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
new UrlFetchTransport(),
new GsonFactory(),
new GenericUrl("https://server.example.com/token"),
new BasicAuthentication("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"),
"s6BhdRkqt3",
"https://server.example.com/authorize").setCredentialStore(
StoredCredential.getDefaultDataStore(AppEngineDataStoreFactory.getDefaultInstance()))
.build();
}
}
Simplified example code taken from dailymotion-cmdline-sample:
/** Authorizes the installed application to access user's protected data. */
private static Credential authorize() throws Exception {
OAuth2ClientCredentials.errorIfNotSpecified();
// set up authorization code flow
AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(BearerToken
.authorizationHeaderAccessMethod(),
HTTP_TRANSPORT,
JSON_FACTORY,
new GenericUrl(TOKEN_SERVER_URL),
new ClientParametersAuthentication(
OAuth2ClientCredentials.API_KEY, OAuth2ClientCredentials.API_SECRET),
OAuth2ClientCredentials.API_KEY,
AUTHORIZATION_SERVER_URL).setScopes(Arrays.asList(SCOPE))
.setDataStoreFactory(DATA_STORE_FACTORY).build();
// authorize
LocalServerReceiver receiver = new LocalServerReceiver.Builder().setHost(
OAuth2ClientCredentials.DOMAIN).setPort(OAuth2ClientCredentials.PORT).build();
return new AuthorizationCodeInstalledApp(flow, receiver).authorize("user");
}
private static void run(HttpRequestFactory requestFactory) throws IOException {
DailyMotionUrl url = new DailyMotionUrl("https://api.dailymotion.com/videos/favorites");
url.setFields("id,tags,title,url");
HttpRequest request = requestFactory.buildGetRequest(url);
VideoFeed videoFeed = request.execute().parseAs(VideoFeed.class);
...
}
public static void main(String[] args) {
...
DATA_STORE_FACTORY = new FileDataStoreFactory(DATA_STORE_DIR);
final Credential credential = authorize();
HttpRequestFactory requestFactory =
HTTP_TRANSPORT.createRequestFactory(new HttpRequestInitializer() {
@Override
public void initialize(HttpRequest request) throws IOException {
credential.initialize(request);
request.setParser(new JsonObjectParser(JSON_FACTORY));
}
});
run(requestFactory);
...
}
These are the typical steps of the the browser-based client flow specified in the Implicit Grant specification:
BrowserClientRequestUrl, redirect the end
user’s browser to the authorization page where the end user can grant your
application access to their protected data.Sample usage for a web application:
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
String url = new BrowserClientRequestUrl(
"https://server.example.com/authorize", "s6BhdRkqt3").setState("xyz")
.setRedirectUri("https://client.example.com/cb").build();
response.sendRedirect(url);
}
According to the OAuth 2.0 bearer specification, when the server
is called to access a protected resource with an expired access token, the
server typically responds with an HTTP 401 Unauthorized status code such as
the following:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
error="invalid_token",
error_description="The access token expired"
However, there appears to be a lot of flexibility in the specification. For details, check the documentation of the OAuth 2.0 provider.
An alternative approach is to check the expires_in parameter in the
access token response. This specifies the lifetime in
seconds of the granted access token, which is typically an hour. However, the
access token might not actually expire at the end of that period, and the server
might continue to allow access. That’s why we typically recommend waiting for a
401 Unauthorized status code, rather than assuming the token has expired based
on the elapsed time. Alternatively, you can try to refresh an access token
shortly before it expires, and if the token server is unavailable, continue to
use the access token until you receive a 401. This is the strategy used by
default in Credential.
Another option is to grab a new access token before every request, but that requires an extra HTTP request to the token server every time, so it is likely a poor choice in terms of speed and network usage. Ideally, store the access token in secure, persistent storage to minimize an application’s requests for new access tokens. (But for installed applications, secure storage is a difficult problem.)
Note that an access token may become invalid for reasons other than expiration,
for example if the user has explicitly revoked the token, so be sure your
error-handling code is robust. Once you’ve detected that a token is no longer
valid, for example if it has expired or been revoked, you must remove the access
token from your storage. On Android, for example, you must call
AccountManager.invalidateAuthToken.