A client application must be authenticated to use any Google Cloud platform service through its REST API; a common and important first step for all the services. This post shows how to create a Java application which encapsulates the necessary authentication logic so you do not have to recreate it time and time again with the possibility of making mistakes. For simplicity, the example shows how to authenticate command line (aka, native) client applications and authorize their access to Google Cloud Platform services. At this time the app creates authenticated clients for the following services: Google Storage, Google Drive, YouTube, and BigQuery.
This post also contains important background information that you need to know to use Google Cloud service APIs. We suggest you take look before you proceed at Background Information.
Authentication App Architecture
The Authentication app is a Java application built as a Maven project. With Maven you can define all the up-to-date dependencies by linking to the necessary Google libraries on-line. For more information see GCP Cloud Service Client Apps – Common Tasks.
Find reference information for the Google APIs libraries at Supported Google APIs (Java) . Find latest info at the Maven Repository and search for the specific Google library
The authentication application described in this post has the following architecture:
- IGoogleClientAuthentication. Defines variables and methods to authenticate clients so they can use Google service REST APIs.
- GoogleServiceClientAuthentication. This is an abstract class which contains the actual logic to obtain the credentials for the client application so it can use the requested Google service REST API. The class uses Google OAuth 2.0 authorization code flow that manages and persists end-user credentials.
- AuthenticateGoogleServiceClient. This class extends GoogleServiceClientAuthentication and implements IGoogleClientAuthentication. It creates an authenticated client object that is authorized to access the selected Google service API.
Based on the caller’ selection, it allows the creation of an authorized service to access Google service APIs such as Google Cloud Storage API or Google Drive API.
The class assumes that you already have created a directory to store the file with the client secrets. For example .googleservices/storage. The file containing the secrets is client_secrets.json.
Authentication App Workflow
The following figure shows the example application workflow:
The client application calls the authentication method for the service selected by the user passing the scope information. The AuthenticateGoogleServiceClient class performs all the steps to create an authenticated client that is authorized to use the Google service REST API, in particular it performs the following:
- Reads the client secrets. You must store these secrets in a local file, before using the application You obtain the secretes through the Google developers console and downloading the related JSON information (for native applications) from your service project. The file name used in the example is client_secrets.json, you can use any other name as long as you use the json suffix. For details about the file name, directory names, see the code comments.
- Uses Google OAuth2 to obtain the authorized service object. The first time you run the application, a browser instance is created to ask you as the project owner to grant access permission to the client. From then on, the credentials are stored in a file named StoredCredential. The name of this file is predefined in the StoredCredential class. This file is stored in the same directory where the client_secrets.json is stored. See the code comments for details. If you delete the StoredCredential file, the resource owner is asked to grant access again.
- Google OAuth2 returns the authenticated service object to the AuthenticateGoogleServiceClient which, in turn, returns it to the client application. The client can then use the authenticated object to use the Google service REST API. For example, in case of the Google Storage service, it can list buckets in the project, create buckets, create objects in a bucket, list objects in a bucket and so on.
Background Information
Enable a Google Service API
In order to use a service API in your application, you must enable it as shown next.
- In your browser, navigate to the Google Developers Console.
- Make sure to select the project to use for the service. Create one, if you do not have a project. The APIs dashboard is displayed as shown in the following picture:
- The APIs are enabled by default these days. Assure that the service API you want is enabled.
Create OAuth Client Credentials
To use the service API you have just enabled, you must create the related credentials. The following steps show how to create a OAuth client ID (credentials) to use the Google service from an “installed application” such as a console application running on the desktop.
- With the project selected, in the left pane, click on the Credentials menu item. The window which allows the creation of a client ID is displayed.
- Click the arrow on the right of the Add credentials button. The following drop-down list is displayed.
- Click on OAuth 2.0 client ID selection item. A drop-down list is displayed.
- Select Other and click the Create button.
This creates the client ID credentials you need to authenticate the client application and authorize the use of the service API. - Click on the client just created, this will display the following window:
- Click the Download JSON button, this downloads the file client_secret_[projNumber].json. You are going to copy this information in a file (for example, client_secrets.json) that is used to authenticate the client application.
Keep the client_secrets.json file in a safe place.
Using OAuth2.0 to Access Google APIs
Google APIs use the OAuth 2.0 protocol for authentication and authorization. You obtain OAuth 2.0 client credentials from the Google Developers Console, as shown before.
The credentials must be obtained in a way that is suitable to your application and applicable to the following supported scenarios:
- Using OAuth 2.0 for Web Server Applications
- Using OAuth 2.0 for Installed Applications
- Using OAuth 2.0 for Devices
- Using OAuth 2.0 for Server to Server Applications
- Google Applications Default Credentials
For more information, see Using OAuth 2.0 to Access Google APIs. For background information, see OAuth in a Nutshell.
Your client application requests can access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
For an interactive demonstration of using OAuth 2.0 with Google (including the option to use your own client credentials), experiment with the OAuth 2.0 Playground.
Add link to my example about creating OAuth2 authentication application.