I am building a CRM webapp in PHP that will pull from all of a user’s email and social media accounts, and allow them to read and respond to all their emails, or compose new ones. Right now, I am just trying to get this working with Gmail using OAuth 1.0, but I’m having some trouble.
I can get the request token and the authorize token successfully and once the user authorizes me, Google redirects back to my app like it’s supposed to… but now how do I actually pull messages from the user’s inbox? This link says I need to make a call using the user’s email to get access to their inbox, but how do I get the user’s email address? What do I do with the oauth_verifier and oauth_token that Google returns to me?
I figured it out. There are two steps:
First, before you can actually access any of the user’s information, you have to upgrade your Request Token to an Access Token. This is the third step of the OAuth process (user authorization on Google’s page being the second); I was confused about what the last step was exactly and was under the impression that the user was completing the second and third steps on Google’s page. Google’s OAuth Playground helped clear that up. Anyways, after Google (or whoever your Service Provider is) redirects the user back to your app, you use the oauth_verifier and oauth_token to upgrade the Request Token into an Access Token. Don’t forget to use your oauth_token_secret (in addition to your consumer_secret_key) to generate the signature for this last request! That little detail cost me a lot of time! See the answer to this question for more information on how to do that correctly.
Now, if you are like me, and want to have Google handle which email address the user signs in with (as opposed to gathering that info yourself within your app), you will need to make another request before you can access the user’s inbox. In my opinion, this is where Google’s documentation really fails, as it seems that you will need the user’s Google ID (Gmail address) to use any of their APIs, yet it is possible to complete the OAuth process without ever getting it from the user. This is what led to my confusion and was the point of my question. I’m still not 100% clear on how you are supposed to do it, but what I’ve done for now is add 'https://www.google.com/m8/feeds/' to my scope, and call 'https://www.google.com/m8/feeds/contacts/default/full?max-results=0' to get an empty XML contact list that happens to contain the user’s Gmail address in it. You can then parse the XML to get the user’s email and go about your merry way. It may also be possible (and perhaps preferable) to get the user’s email using the 'https://www.googleapis.com/auth/userinfo#email' scope, but I haven’t tried that yet.
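The two steps from the answer above, as an added PHP example that is not the asker's code: an OAuth 1.0a HMAC-SHA1 signer whose key is always `consumer_secret&token_secret`, the Request Token to Access Token upgrade using `oauth_token` and `oauth_verifier`, and the `max-results=0` contacts feed call parsed for the signed-in user's address. The `OAuthGetAccessToken` URL and the feed's `<author><email>` element are assumptions taken from Google's OAuth 1.0-era documentation (those endpoints have since been shut down), and the offline check at the bottom uses the published signature example from the OAuth Core 1.0 specification, Appendix A, rather than any real credentials.

```php
<?php
// Added example, not the asker's code. Requires PHP 7+ with the cURL extension.
// Assumptions: the OAuthGetAccessToken endpoint and the <author><email> element
// of the contacts feed (both from Google's OAuth 1.0-era docs, now retired).

// OAuth 1.0 mandates RFC 3986 percent-encoding, which is what rawurlencode does.
function oauth_encode($s) { return rawurlencode((string) $s); }

// Signature base string + HMAC-SHA1. $tokenSecret is '' only for the very first
// (request token) call; it must be the request-token secret when upgrading and
// the access-token secret for every API call after that.
function oauth_signature($method, $url, array $params, $consumerSecret, $tokenSecret) {
    $enc = array();
    foreach ($params as $k => $v) { $enc[] = array(oauth_encode($k), oauth_encode($v)); }
    // Normalise: sort by encoded key, then encoded value; join as k=v&k=v.
    usort($enc, function ($a, $b) { return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]); });
    $pairs = array_map(function ($p) { return $p[0] . '=' . $p[1]; }, $enc);
    $base  = strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode(implode('&', $pairs));
    // The key is consumer_secret&token_secret; the '&' stays even when the token secret is empty.
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// The oauth_* parameters every signed request carries (no token on the first call).
function oauth_base_params($consumerKey, $token = null) {
    $p = array(
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_version'          => '1.0',
    );
    if ($token !== null) { $p['oauth_token'] = $token; }
    return $p;
}

// Sign over oauth_* AND query parameters, but send only oauth_* in the header.
function oauth_header($method, $url, array $query, array $oauth, $consumerSecret, $tokenSecret) {
    $oauth['oauth_signature'] = oauth_signature($method, $url, $oauth + $query, $consumerSecret, $tokenSecret);
    $parts = array();
    foreach ($oauth as $k => $v) { $parts[] = oauth_encode($k) . '="' . oauth_encode($v) . '"'; }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

function http_get($url, $authHeader) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array($authHeader),
        CURLOPT_SSL_VERIFYPEER => true,   // token secrets ride on this channel; keep TLS checks on
    ));
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException('HTTP failure: ' . curl_error($ch)); }
    curl_close($ch);
    return $body;
}

// Step 1: after the redirect back, trade oauth_token + oauth_verifier for an Access Token.
// The signing key here uses the REQUEST token secret; omitting it is the mistake described above.
function upgrade_to_access_token($consumerKey, $consumerSecret, $requestToken, $requestTokenSecret, $verifier) {
    $url   = 'https://www.google.com/accounts/OAuthGetAccessToken'; // assumed endpoint (retired)
    $oauth = oauth_base_params($consumerKey, $requestToken);
    $oauth['oauth_verifier'] = $verifier;
    $header = oauth_header('GET', $url, array(), $oauth, $consumerSecret, $requestTokenSecret);
    parse_str(http_get($url, $header), $resp);  // body is oauth_token=...&oauth_token_secret=...
    if (empty($resp['oauth_token']) || empty($resp['oauth_token_secret'])) {
        throw new RuntimeException('Access token exchange failed');
    }
    return $resp;
}

// Step 2: fetch the empty contacts feed and read the signed-in user's address from it.
function fetch_user_email($consumerKey, $consumerSecret, $accessToken, $accessTokenSecret) {
    $url    = 'https://www.google.com/m8/feeds/contacts/default/full';
    $query  = array('max-results' => '0');
    $oauth  = oauth_base_params($consumerKey, $accessToken);
    $header = oauth_header('GET', $url, $query, $oauth, $consumerSecret, $accessTokenSecret);
    return email_from_contacts_feed(http_get($url . '?' . http_build_query($query), $header));
}

function email_from_contacts_feed($xml) {
    $feed = simplexml_load_string($xml);   // Atom feed; SimpleXML resolves the default namespace
    if ($feed === false || !isset($feed->author->email)) { return null; }
    return (string) $feed->author->email;
}

// Offline check using the signature example from OAuth Core 1.0, Appendix A, plus a
// constructed feed sample. Signing with and without the token secret gives different results.
if (PHP_SAPI === 'cli') {
    $params = array('oauth_consumer_key' => 'dpf43f3p2l4k3l03', 'oauth_token' => 'nnch734d00sl2jdk',
        'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1191242096',
        'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_version' => '1.0',
        'file' => 'vacation.jpg', 'size' => 'original');
    $url  = 'http://photos.example.net/photos';
    $good = oauth_signature('GET', $url, $params, 'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00');
    $bad  = oauth_signature('GET', $url, $params, 'kd94hf93k423kf44', '');
    echo "with token secret:    $good\n";
    echo "without token secret: $bad\n";
    echo ($good === 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=') ? "matches the spec vector\n" : "MISMATCH\n";
    $sample = '<feed xmlns="http://www.w3.org/2005/Atom"><author><name>Test</name>'
            . '<email>user@example.com</email></author></feed>';   // constructed sample
    echo "email from feed: " . email_from_contacts_feed($sample) . "\n";
}
```

Run it from the command line to see the spec vector reproduced and the constructed feed parsed; in the web app, call `upgrade_to_access_token()` in the redirect handler with the `oauth_token` and `oauth_verifier` from the query string together with the request-token secret you stored in the session, persist the returned `oauth_token`/`oauth_token_secret` pair server-side, and then call `fetch_user_email()` with that pair.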