Karl's Code

and other code related stuff

Google Contacts - Installed App Workflow HOWTO

Installed apps typically mean apps that are not web apps. Using the installed app authentication flow is sometimes better than using a Service Account.

Pros:

  • you don’t need your admin to assign special “impersonate” permissions to a service account (once assigned, it can impersonate anyone in the domain)
  • you don’t need a Google Domain (see link ???)
  • the app can use the refresh token to keep fetching from the Google APIs until the user revokes access

Cons:

  • a user needs to accept the scope of the app; not too bad, as once accepted the app can keep using the refresh token to access the API
  • you can’t choose the OAuth2 redirect_uri: you only get the code in the page title (urn:ietf:wg:oauth:2.0:oob) or http://localhost (any port you want), so it is no good for web apps… but then there is a Web Application client if you want that.

Create a project in Google Dev Console

The Google page explaining how to use it is here, but here is a concrete example.

  1. Click “Create a client ID” -> “Installed application”
  2. This gives you a client with these details:-

    Client ID for native application

    CLIENT ID 758647508586-0vnrjg9dv7gr9h1qvqle58rd4kq0lu45.apps.googleusercontent.com

    CLIENT SECRET _Br_xUcZSfgmsuPrRmxkavV9

    REDIRECT URIS urn:ietf:wg:oauth:2.0:oob http://localhost

  3. Request the authorization code. I’m requesting auth for the Contacts API, see the scope (here).

  4. The request is made up of:-
  5. The Google OAuth code request URI = https://accounts.google.com/o/oauth2/auth
  6. The Google Contacts API read/write scope = https://www.google.com/m8/feeds
  7. The redirect URI that puts the code in the page title and in a code div = urn:ietf:wg:oauth:2.0:oob (see the Google docs)
  8. response_type = code
  9. client_id = the Client ID found in the dev console, see above


  10. Look at the response: there will be a code in the page title and also in a div with id=‘code’ in the page, like below


  11. Now that we have the authorisation code we need to exchange it for an access token; this is done with a POST (see here):

    POST https://accounts.google.com/o/oauth2/token


  12. Parse the result (see below); we’ll need to store the access_token and the refresh_token.

    {
      "access_token" : "ya29.OwAPW_yxF27ZMB4AAACPwV13K2FYvOqzrCppl-9wp4poGBiYfvl6ibeqHPwYgg",
      "token_type" : "Bearer",
      "expires_in" : 3600,
      "refresh_token" : "1/m8wiWvc63swre62YXwrECE-SEqlQBf1Vb62Zb28-3lE"
    }

  13. Use the access token to finally make a Google API call.

  14. Here I’m calling the Contacts API asking for all contacts (for the user who authenticated in step 3).
  15. You can add the token in a header or as a parameter (the header is better, as the token won’t end up stored in the URL, e.g. in proxy or server logs):

    Authorization: Bearer ya29.OwAPW_yxF27ZMB4AAACPwV13K2FYvOqzrCppl-9wp4poGBiYfvl6ibeqHPwYgg

    curl "https://www.google.com/m8/feeds/contacts/default/full?access_token=ya29.OwAPW_yxF27ZMB4AAACPwV13K2FYvOqzrCppl-9wp4poGBiYfvl6ibeqHPwYgg"

    or, preferably, curl -H "Authorization: Bearer ya29.OwAPW_yxF27ZMB4AAACPwV13K2FYvOqzrCppl-9wp4poGBiYfvl6ibeqHPwYgg" https://www.google.com/m8/feeds/contacts/default/full

  16. Read the results :-) Enjoy.
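The whole flow in one script, as an added example that is not from the original post: the endpoints, scope, redirect URI and sample token response are the ones given in the steps above; CLIENT_ID/CLIENT_SECRET are placeholders, and the token-exchange body fields (code, client_id, client_secret, redirect_uri, grant_type) are Google's documented parameters for that endpoint.

```python
import json
import urllib.parse
import urllib.request

AUTH_URI = "https://accounts.google.com/o/oauth2/auth"
TOKEN_URI = "https://accounts.google.com/o/oauth2/token"
CONTACTS_SCOPE = "https://www.google.com/m8/feeds"
REDIRECT_OOB = "urn:ietf:wg:oauth:2.0:oob"  # code lands in the page title / id="code" div
CONTACTS_FEED = "https://www.google.com/m8/feeds/contacts/default/full"
# The post's own sample token response, kept here as offline test input.
SAMPLE_TOKEN = '{"access_token": "ya29.OwAPW_yxF27ZMB4AAACPwV13K2FYvOqzrCppl-9wp4poGBiYfvl6ibeqHPwYgg", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "1/m8wiWvc63swre62YXwrECE-SEqlQBf1Vb62Zb28-3lE"}'

def build_auth_url(client_id):
    """Steps 3-9: the URL the user opens in a browser to grant the Contacts scope."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_OOB,
        "scope": CONTACTS_SCOPE,
    }
    return AUTH_URI + "?" + urllib.parse.urlencode(params)

def parse_token_response(raw):
    """Step 12: keep access_token and refresh_token; reject anything but a Bearer token."""
    tok = json.loads(raw)
    if tok.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % tok.get("token_type"))
    return {
        "access_token": tok["access_token"],
        "refresh_token": tok["refresh_token"],
        "expires_in": int(tok["expires_in"]),
    }

def exchange_code(client_id, client_secret, code):
    """Step 11: POST the authorisation code (plus client id/secret) to the token endpoint."""
    body = urllib.parse.urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # placeholder; keep the real secret out of source control
        "redirect_uri": REDIRECT_OOB,
        "grant_type": "authorization_code",
    }).encode()
    req = urllib.request.Request(TOKEN_URI, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:  # network call, not exercised offline
        return parse_token_response(resp.read())

def contacts_request(access_token):
    """Steps 13-15: the token goes in the Authorization header, never in the query string."""
    return urllib.request.Request(CONTACTS_FEED,
                                  headers={"Authorization": "Bearer " + access_token})
```

Open the URL from build_auth_url in a browser, paste the code into exchange_code, then pass the returned access_token to contacts_request and urlopen it.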