Ad

OAuth2 Flows Without User Manual Actions

I have a Java application that requests data from Google Analytics and I have troubles dealing with the authentication.

I have seen that Google Analytics handles OAuth2 flows refresh_token & authorization_code.

In case of refresh_token, I need a refresh_token that can be retrieved through a manual authentication of the user in the browser.

In case of authorization_code, I need a code that can be once again retrieved through a manual authentication of the user in the browser.

Is there a way to use one of these OAuth flows without having a manual action from the user ?

I tested the client_credentials flow but it is not handled by Google Analytics

Ad

Answer

In short - no. The authorization code flow relies on the browser as a security measure for assuring that the code is redirected back to the correct party. As user authentication is part of that flow, it requires the user to take appropriate actions to authenticate. What you can try to do:

  • Try to emulate the browser behaviour using curl. This might work, though it will break when anything changes in the authentication flow from Google, so this is definitely not anything recommended for production use.

  • You can manually create an access and refresh token through the browser then save them in your app. Then your app can use the refresh token to get a new access token. This will of course require you to get a new pair once the refresh token is expired and update your code.

  • I'm not sure if Google supports device flow, but I think they do. Maybe this is something that will suit you. The Device Flow still requires manual action from the user, but this action can be performed without having to open a browser from your app.

Ad
source: stackoverflow.com
Ad