Using OAuth2 for Google APIs with PHP

I’ve been working on something recently where I’m pulling information from lots of places onto a dashboard. Each API has its own little quirks so I’m trying to write up the ones that weren’t idiot-proof, mostly so I can refer back to them later when I need to maintain my system!

I’ve written about Google and OAuth before, but that was OAuth v1.0, and they are introducing OAuth2 for their newer APIs; in this example I was identifying myself in order to use the Google Plus API (which turns out not to do anything you’d expect it to do, but that’s a whole separate blog post!).

OAuth 1 vs OAuth 2

OAuth 2 doesn’t need an extension or any particular library as it doesn’t have the signing component that OAuth 1 had, and OAuth 2 also has fewer round trips. It does require SSL, however: with no signing step, the secret, the code and the access token all travel in the requests as they are, so the transport has to protect them.

As for pretty much everything, you first of all need to register for an API key; Google offers an APIs Console which is where you’ll find and create all the details you need to use.

User Identification

For a server-side application like this, we’ll use the authorization code grant flow of OAuth 2, which involves sending the user over to Google to log in and grant access to our application (note there is no request token requirement in OAuth 2). We send them with our API key and a callback URL – Google sends them back with a code. Here’s my code which forwards the user to request access:

// Google's OAuth 2 authorization endpoint
$url = "https://accounts.google.com/o/oauth2/auth";

$params = array(
    "response_type" => "code", // ask for an authorization code
    "client_id" => "yourkey.apps.googleusercontent.com",
    "redirect_uri" => "https://localhost/oauth2callback.php",
    "scope" => "https://www.googleapis.com/auth/plus.me"
);

$request_to = $url . '?' . http_build_query($params);

// send the user to Google, and stop so nothing else runs after the redirect
header("Location: " . $request_to);
exit;

The user will be forwarded back to us at the URL we specified in the redirect_uri field, and when they arrive, they’ll have a code parameter on the URL which we need to grab. We then use this code to get the actual access token to use with the service. Here’s the code from my application which does this bit:

if(isset($_GET['code'])) {
    // try to get an access token
    $code = $_GET['code'];
    $url = 'https://accounts.google.com/o/oauth2/token';
    $params = array(
        "code" => $code,
        "client_id" => "yourkey.apps.googleusercontent.com",
        "client_secret" => "YourSecret",
        "redirect_uri" => "https://localhost/oauth2callback.php",
        "grant_type" => "authorization_code"
    );

    // POST the code to the token endpoint (HttpRequest comes from pecl_http)
    $request = new HttpRequest($url, HttpRequest::METH_POST);
    $request->setPostFields($params);
    $request->send();
    $responseObj = json_decode($request->getResponseBody());

    // an error response carries no access_token field
    if(isset($responseObj->access_token)) {
        echo "Access token: " . $responseObj->access_token;
    } else {
        echo "Could not get an access token";
    }
}

Note that this example uses functionality from the pecl_http extension.
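The redirect and callback code above send and accept no `state` value, so the callback has no way to tell that the `code` it receives comes from a login this browser session started. The following is an added example, not part of the original post: it extends the post's redirect with the standard OAuth 2 `state` parameter and checks it on return. The function names and the `oauth2_state` session key are hypothetical.

```php
<?php
// Added example, not the post's code. Function names are hypothetical; the
// endpoint, client_id, redirect_uri and scope are the values used in the post.

// Build the authorization URL and store a one-time state value in the session.
function buildAuthUrl(array &$session): string
{
    $session['oauth2_state'] = bin2hex(random_bytes(16)); // unguessable, per login
    $params = array(
        "response_type" => "code",
        "client_id"     => "yourkey.apps.googleusercontent.com",
        "redirect_uri"  => "https://localhost/oauth2callback.php",
        "scope"         => "https://www.googleapis.com/auth/plus.me",
        "state"         => $session['oauth2_state'],
    );
    return "https://accounts.google.com/o/oauth2/auth?" . http_build_query($params);
}

// Return the code from a callback query string, or throw if it cannot be trusted.
function codeFromCallback(array $query, array &$session): string
{
    $expected = $session['oauth2_state'] ?? '';
    unset($session['oauth2_state']); // single use, whatever the outcome
    $returned = $query['state'] ?? '';
    if ($expected === '' || !is_string($returned) || !hash_equals($expected, $returned)) {
        throw new RuntimeException('state mismatch');
    }
    if (isset($query['error'])) { // e.g. access_denied when the user declines
        throw new RuntimeException('authorization refused');
    }
    if (!isset($query['code']) || !is_string($query['code']) || $query['code'] === '') {
        throw new RuntimeException('no code in callback');
    }
    return $query['code'];
}

// Constructed demo; in the real pages pass $_SESSION (after session_start()) and $_GET.
$session = array();
parse_str((string) parse_url(buildAuthUrl($session), PHP_URL_QUERY), $sent);
echo codeFromCallback(array('code' => 'sample-code', 'state' => $sent['state']), $session), "\n";

buildAuthUrl($session); // a second login attempt issues a fresh state
try {
    codeFromCallback(array('code' => 'sample-code', 'state' => $sent['state']), $session);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n"; // the old state no longer matches
}
```

Only a code returned by `codeFromCallback()` should be posted to the token endpoint.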

Once we have the access token, we can use the API and Google will know who we are and which third party application is being used to access our data – which is what OAuth is for. The documentation for the Google Plus API is, as for all Google APIs, pretty good, and hopefully this helps you put the initial pieces together so you can get on to the interesting stuff!

9 thoughts on “Using OAuth2 for Google APIs with PHP”

  1. Pingback: Lorna Mitchell’s Blog: Using OAuth2 for Google APIs with PHP | Scripting4You Blog

  2. Thanks so much – I was able to build a quick little test client that accessed my REST API. And I had never written *any* PHP code before finding this example – so your code was wonderfully clear and easy to understand.

    • There’s been a new version of the pecl extension and I’ve not made friends with it! I use guzzle for everything now, it’s a great tool and easy to use

  3. Thanks, this is great, really simplifies the authentication. Once I have the token, how do I get the email address or unique user ID that allows me to build access into my web application?
