token: Command-line tool to generate OAuth2 tokens for Google Workspace using a service account.
google-oauth2-token is a convenient and secure way to generate OAuth2 tokens for Google Workspace (formerly G Suite) by utilizing a service account key. It simplifies the process of acquiring and managing access tokens, making it easier for developers and system administrators to authenticate with Google APIs.
- Generate OAuth2 tokens for Google Workspace.
- Supports impersonation of superadmin users.
- Easy-to-use command-line interface.
- Cross-platform compatibility (Linux and macOS).
This project has been tested successfully on the following configurations:
- Go version: go1.20.6 darwin/arm64
- macOS version: macOS 13.4.1
- Product Version Extra: (c)
- Build Version: 22F770820d
- Clone the repository:
    git clone https://github.com/cldcvr/google-oauth2-token.git
    cd google-oauth2-token
- Build the binary:
    go build
- Run the binary to generate the OAuth2 token, where [email protected] is the user with appropriate permissions in the Google Workspace tenant, credentials.json is the service account key file, and scope1,scope2,scope3 are the scopes (for example, https://www.googleapis.com/auth/admin.directory.user.readonly):
    ./token -email [email protected] -file credentials.json -scopes scope1,scope2,scope3
- In the output you'll get the token in plaintext, which can be used in Postman or cURL commands. For example:
    curl -s -XGET \
      -H "Authorization: Bearer ya29.GOOGLE_OAUTH2_TOKEN" \
      -H 'Accept: application/json' \
      --compressed \
      "https://admin.googleapis.com/admin/directory/v1/users/[email protected]?projection=full"
- Go to the Google Cloud Console and log in with your Google Workspace administrator account.
- Click on the project dropdown and select a project or create a new one.
- Navigate to "IAM & Admin" -> "Service Accounts" in the left-hand sidebar.
- Click on the "Create Service Account" button.
- Enter a name and optional description for the service account.
- Choose the appropriate role(s) for the service account. For example, you might want to grant it the "Service Account Token Creator" role to generate OAuth2 tokens.
- Click on the "Continue" button.
- Optionally, add users who should have access to this service account. Typically, it's best to keep the list minimal.
- Click on the "Done" button to create the service account.
- In the list of service accounts, locate the service account you just created and click on the three dots (⋮) next to it.
- Select "Manage keys" from the dropdown.
- Click on the "Add Key" button.
- Choose the key type as "JSON" and click on the "Create" button.
- The key file will be downloaded to your local machine. Keep it secure, as it grants access to your Google Workspace resources.
- Determine the necessary scopes (permissions) required for your service account to access Google Workspace APIs. Refer to the API documentation to identify the scopes needed for your specific use case.
- Once you have identified the scopes, go to the Google Admin console and log in with your Google Workspace superadmin account.
- Navigate to "Security" -> "Access and data control" -> "API Controls" -> "Manage Domain wide delegation" -> "Add new"
- In the "Client ID" field, paste the Client ID (e.g., 118428936071234567890) from the service account key file.
- In the "OAuth Scopes" field, add the required scopes, separated by commas (,).
- Click on the "Authorize" button to grant the specified scopes to the service account.
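How the key file, the impersonated user and the scopes combine when a token is requested, following Google's documented service-account JWT flow: the `sub` claim is what selects the user, so anyone holding the key file can request tokens for any user within the delegated scopes. This is an added example, not code from this project, and the tool's own implementation may differ. The addresses and the throwaway key are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the claim set of a service-account JWT assertion.
type Claims struct {
	Iss   string `json:"iss"`   // client_email from the key file
	Sub   string `json:"sub"`   // Workspace user to impersonate
	Scope string `json:"scope"` // space-separated, unlike the comma-separated CLI flag
	Aud   string `json:"aud"`   // token endpoint (token_uri in the key file)
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"` // Google accepts at most one hour after iat
}

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key constructed for this demo

// NewClaims converts CLI-style inputs (comma-separated scopes) into the claim set.
func NewClaims(iss, sub, aud, scopesCSV string, now time.Time) Claims {
	scope := strings.Join(strings.Split(scopesCSV, ","), " ")
	return Claims{iss, sub, scope, aud, now.Unix(), now.Add(time.Hour).Unix()}
}

// Sign returns header.payload.signature, signed with RS256.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	b64 := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	signing := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + b64(sig), err
}

func main() {
	jwt, err := Sign(demoKey, NewClaims("sa@example-project.iam.gserviceaccount.com",
		"admin@example.com", "https://oauth2.googleapis.com/token", "scope1,scope2", time.Now()))
	fmt.Println(len(strings.Split(jwt, ".")), err)
}
```

The signed assertion is exchanged at the token endpoint for the bearer token, so the key file needs the same protection as the tokens it can produce.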
This documentation is licensed under the Apache License. See the LICENSE file for details.
Contributions and feedback are welcome! Let's make OAuth2 token generation easier for everyone.
#oauth2 #googleworkspace #serviceaccount #golang #cli-tool #opensource