OAuth One-off

There I was, late Friday afternoon, counting the seconds until the weekend when an urgent email dinged my inbox. Alas, another Google product had bitten me in the ass again.

This time the culprit was Google Photos. More precisely, it was the death of Picasa and its API, which Google had acquired back in 2004 and had only recently merged into Google Photos. “Thanks Google,” I muttered trenchantly. Of course, I was fully aware that Picasa would be killed off eventually. This is one thing that Google does quite often, actually.

Regardless, the client needed their 477 albums (approximately 10K photos) back on their website as quickly as possible. Simply using the Google Photos API would have required hours of monotonous grinding to update our references to each album, since Google had assigned new IDs to everything. IDs which, I might add, were not readily accessible outside of the Google Photos API.

Scraping Away

I hastily began working on a Ruby script that would migrate the albums and associated photos to another popular service the client was already using. However, to scrape data from the Google Photos API, OAuth 2.0 was required. This would involve a complex authorization flow that includes user login and consent.

Being that this was a one-off migration, there was no way in hell I was going to build out a full OAuth 2.0 flow. After a little more research, it seemed that the only thing I really needed to make requests to the Google Photos API was a short-lived access token. In order to get that, though, I still needed to go through the OAuth 2.0 flow.

Time to Play

Luckily, Google has just the tool for generating these access tokens: the OAuth 2.0 Playground. Even better, the Google Developers team has posted an instructional video. After walking through the steps in the video, voila! I had my access token, which I could drop into any Google Photos API request with an Authorization header like so:

Authorization: Bearer [your access token]

The only real downside is that the access token is only valid for 60 minutes. The OAuth Playground starts a countdown timer to let you know exactly when it will expire. It is easy to refresh the access token when needed, assuming you leave the tab open or copy the URL for later reference. It is worth noting that the short validity might be specific to the Google Photos API.
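As an added example (not the script from this migration), here is one way a one-off Ruby script can carry a pasted Playground token: it builds the Authorization header shown above, refuses to send once the 60-minute window is nearly over, and keeps the token out of log output. The class and method names are hypothetical, and the album-listing endpoint with its pageSize, pageToken and nextPageToken fields is an assumption about the Google Photos API that the post does not spell out.

```ruby
require "net/http"
require "uri"
require "json"

# Assumption: album listing endpoint of the Google Photos API.
ALBUMS_URL = "https://photoslibrary.googleapis.com/v1/albums"
TOKEN_LIFETIME = 60 * 60 # seconds; the 60-minute validity described above
SAFETY_MARGIN = 120      # stop early rather than fail halfway through a page

# A pasted access token plus the time the Playground issued it.
class PlaygroundToken
  def initialize(value, issued_at)
    raise ArgumentError, "empty access token" if value.to_s.strip.empty?
    @value = value.strip
    @issued_at = issued_at
  end

  def seconds_left(now = Time.now)
    (@issued_at + TOKEN_LIFETIME - now).to_i
  end

  def usable?(now = Time.now)
    seconds_left(now) > SAFETY_MARGIN
  end

  # Value for the Authorization header; raises instead of sending a stale token.
  def header(now = Time.now)
    raise "access token expired or about to expire; refresh it first" unless usable?(now)
    "Bearer #{@value}"
  end

  # Redacted form, so the bearer token never lands in logs or backtraces.
  def inspect
    "#<PlaygroundToken #{@value[0, 4]}... #{seconds_left}s left>"
  end
  alias to_s inspect
end

# Builds (does not send) an authenticated request for one page of albums.
def albums_request(token, page_token: nil, now: Time.now)
  uri = URI(ALBUMS_URL)
  query = { "pageSize" => 50 }
  query["pageToken"] = page_token if page_token
  uri.query = URI.encode_www_form(query)
  req = Net::HTTP::Get.new(uri)
  req["Authorization"] = token.header(now)
  req
end

# Cursor for the next page, or nil when the listing is complete.
def next_page_token(body)
  JSON.parse(body)["nextPageToken"]
end
```

Read the token from an environment variable rather than pasting it into the script, and send each request with Net::HTTP over TLS, looping while next_page_token returns a value.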

Another Way to Play

For those who do a lot of work with APIs, I would highly recommend Paw. The OAuth 2.0 authentication flow is baked in. This is great because of the vast set of options and configurations available, making it work with any API. Paw also makes it easy to grab the generated access token if you want to use it in another app or script.