Database Reference
In-Depth Information
The only thing that the refresh token does is enable you to create more
access tokens. Because the refresh token is a long-lived credential, you want
to keep it secret. That means sending it only to the Google Authorization
Server, not an API such as BigQuery directly. Instead, you send another
request to the Authorization Server, providing your refresh token in order to
get a new token: an
access token
.
The access token, finally, is what you use to access BigQuery. At a raw, HTTP
level, the access token should be passed in the
Authorization
header
as a
Bearer
token. The file
auth.py
, included in the downloads for this
chapter, performs the OAuth2 authentication dance and prints out an HTTP
Authorization
header containing the access token. For example:
$
python auth.py
Authorization: Bearer
ya29.1.AADtN_V2kFUrjX8wghCSPJng7XR2k7t…
You can run the
auth.py
command from within a
curl
command to fetch
the access token and set it as the Authorization header in an HTTP request.
The following command lists projects available for use with BigQuery; it is a
good test to see whether authentication worked.
$
curl -H \
"$(python auth.py)"\
The access token, however, has two limitations: It has a limited scope,
meaning that it is valid only to access BigQuery, and it has a limited lifetime,
usually approximately 5 minutes. (This is what the
token_expiry
field in
the credentials object refers to). After your access token expires, you need
to call the Authorization Server with your refresh token to get a new access
token.
Split tokens may seem strange; however, you do often encounter them in
physical access situations. For example, when you go to the Department
of Motor Vehicles to get a driver's license in the United States, you need
to bring your birth certificate. This is your long-lived, secure credential.
You use this credential to acquire a driver's license, which has a limited
