The Illustrated Guide to Google OAuth with Temboo

Powerful Google APIs open up a world of functionality to your application. Temboo offers official support for services like Gmail, Calendar, Sheets, Analytics, BigQuery, Compute Engine, Drive, and more, so generating optimized code to connect with Google is simple. All Google APIs with Temboo support can be found on the Google bundle page in our code generation library.

In order to write data to a Google Sheet or send an email via Gmail, you must first authorize your application to access a Google API via a Google account. Google uses the industry standard protocol for authorization, OAuth 2.0, and this guide will get you through the process for setting up Google APIs using Google OAuth in no time.

What this Guide is For

The OAuth flow we outline here is intended for applications that run on embedded devices, or any other application that only needs to access a single Google Account. Examples of such applications are:

A monitoring device that sends sensor-based alerts via a dedicated Gmail address
An application that streams data directly into a dedicated BigQuery database for analysis
A device that retrieves its operation schedule from a single Google Calendar, and posts calendar events triggered by sensor readings

Using Google OAuth: The Step-by-Step Guide

Register your Application with Google

Before you can use OAuth, you need to register an application with Google. When you do, you will receive credentials that your application will use to make requests to Google.

Here’s how to set up your application with Google:

1.) You’ll need a Google account. If you don’t already have one, you can sign up here.

2.) Login to Google’s Developer Console, and create a new Project if you haven’t done so already.

3.) In the Dashboard tab of the API Manager, click the ENABLE API button.

Step one of enabling an API for your project

4.) You will see a list of Google APIs that you can enable. For each API your application will be using, click on it, then click the ENABLE button at the top of its page.

Step two of enabling an API for your project

5.) In the Credentials tab of the API Manager, click on the OAuth consent screen link.

Where to find the OAuth consent screen configuration

6.) Fill out the Email Address and Product Name fields. All other fields are optional. When you’re done, save the configuration.

7.) Go back to the Credentials tab and click Create credentials, and select OAuth Client ID from the menu.

Choosing OAuth Client ID from the Create credentials menu

8.) A form will appear on the next page. For the Application Type, choose Web application.

9.) Edit this Callback URL to contain your Temboo account name, and specify it as the Authorized Redirect URI:

Configuring your application type and specifying the redirect URL

10.) Click Create and you’ll receive a Client ID and Client Secret. Save these values to use later. You’ll need them for all of your application’s interactions with Google.

Authorize Your Application to Access an Account

Next is the OAuth process itself, which will authorize the application you’re building to access Google account privileges, like the ability to send an email with Gmail. OAuth is a two-part process consisting of an initialization step and a finalization step.

Part 1: Initialize the Google OAuth Process

To initialize the OAuth process, your application must specify which account privileges it is requesting, e.g. writing to a Google Sheet, or sending email versus reading email. Then, a user must grant your application those privileges for their account. Google will return a URL to a web page where the user will be able to grant permission, as well as information needed to complete the OAuth process.

The following animation shows the steps you’ll need to take on the Temboo site to start the OAuth process. We’ll go through it step by step.

The steps for Initializing the OAuth process

1.) Go to Google > OAuth > InitializeOAuth in the Temboo Code Generation library.

2.) In the INPUT section of the page, enter the Client ID of the application you registered with Google.

Entering your Client ID on the Choreo page

3.) The Scope input specifies which account privileges your application is requesting. The Scopes you choose will determine not only which Google services your application may access, but the level of access it will have, for example, the ability to send email via Gmail versus having read-only access to the inbox.

You should only specify Scopes for privileges your application actually needs. For example, you should not request permission to send email if your application only needs read-only access to the inbox. For more information, see the Google API Services User Data Policy.

The Scope(s) you’ll need for any APIs your application will be using may be found from that API’s link on the Temboo library Google bundle page. For an exhaustive list of Google API Scopes and the level of access they provide, see Google’s API Documentation.

4.) In the bottom corner of the INPUT section, click the Run Now button to run Initialize OAuth from the Temboo website.

5.) Google will respond with a Callback ID and Authorization URL, which appear in the OUTPUT section of the page.

Output returned by the OAuth Initialize Choreo

6.) Save the Callback ID to use with the second half of the OAuth process.

7.) Click on the Authorization URL returned by the Initialize OAuth Choreo. You may be prompted to select which Google account you’ll be authorizing access to. Click Allow to grant the application access to your Google account. This will take you to a blank web page, which you can close.

Note: Google has put security measures in place to help protect users from malicious applications. You may see a warning screen that the app requesting privileges has not yet been verified by Google. If you see this screen, click on Advanced and follow the instructions to authorize your own application to access your account anyway. See more details on unverified apps in Google’s documentation.

Granting your app permission to access account privileges

Part 2: Finalize the Google OAuth Process

The second half of the OAuth process is Finalize OAuth, which will return tokens specific to the user’s account. Your application will use these together with its application credentials (the Client ID and Client Secret) every time it needs to access those account privileges.

The following animation shows the steps you’ll need to take on the Temboo site to complete the OAuth process. We’ll go through the process step by step.

The steps to run the Finalize OAuth Choreo

1.) Go to Google > OAuth > FinalizeOAuth in the Temboo code generation library.

2.) In the INPUT section, enter the Callback ID returned by the Initialize OAuth step earlier, as well as your application’s Client ID and Client Secret (obtained earlier from the Google Developer Console).

3.) In the bottom corner of the INPUT section, click the Run Now button to run Finalize OAuth from the Temboo website.

4.) Look in the OUTPUT section. Among other things, you will find a Refresh Token. Your application can use this Refresh Token along with the Client ID and Client Secret to authorize your application to access privileges from this Google account.

Need to deal with more than one Google account?

If your application has multiple users and needs to allow each user to authorize access to their own account, then this OAuth flow will not work for your application. You will need to build the OAuth process into the application itself so that each user may log in for themselves. You can use the code that is auto-generated on the OAuth Initialize and Finalize Choreo pages to speed up your development time.

You will want to verify your app with Google so long as the authorization screen is user-facing. See more details on unverified apps and the verification process in Google’s documentation.

What’s Next?

Working with Google APIs

Now you’re ready to put your application’s new privileges to work. Use your new Refresh Token along with your application’s Client ID and Client Secret to run any Choreos in our library for your chosen Google APIs.

Illustration of Temboo email alert from temperature sensor

Want to see what the next steps in working with Google APIs look like? Try out our Email Alert Quickstart Guide to see how to set up sensor-triggered email alerts with Temboo and Gmail start-to-finish.

Google Sheets is a great resource for both prototyping and building complete applications. Learn more about why you might want to use Google Sheets for IoT sensor data.

Learn More about OAuth

If you’re curious about how OAuth works, check out the Google Documentation on Using OAuth 2.0 to Access Google API, and Aaron Parecki’s simplified overview of the OAuth 2 spec, OAuth 2 Simplified.