Requires that you already have a project configured with web client credentials.
In order to get the user to consent (which gives is a code we will later exchange for an access token), we need to hand the user a URL.
https://developers.google.com/identity/protocols/OpenIDConnect#sendauthrequest
What is not so documented here is, that you really want to prompt for consent (in case the user has already authenticated once) and you want to ask for access_type=offline
Hand the url to the user.
Example:
https://accounts.google.com/o/oauth2/v2/auth?client_id=6214dddddddddddddd7hnvbhij4a.apps.googleusercontent.com&redirect_uri=https://hookb.in/Pxddddddddddddd3ZU0j0WBGq7w&response_type=code&scope=https://www.googleapis.com/auth/analytics.readonly&prompt=consent&access_type=offline
This gives you a user code, which we will now exchange for access _token + refresh_token using this:
https://developers.google.com/identity/protocols/OpenIDConnect#exchangecode
This gives us a response like this:
{ "access_token": "ya29.GluuBvGQ-238S6Y0Dq-FYrgDddddddddddddddddddddFA_iB3iv85_hklCaqT3v9lhwgW-lAVvrWaLJUSOxnkBhCjjBhTZz06qWHsDyOJonaZd", "expires_in": 3600, "refresh_token": "1/xCT3kKuccccccccccccccccccccccccS158hrpVM", "scope": "https://www.googleapis.com/auth/analytics.readonly", "token_type": "Bearer" }
Voila – we now have an access token and a refresh token!