There's no clear information about this, neither at Twitter developer portal either.
How to obtain user's email via Twitter API OAuth v1 or v2? Is it possible at all nowadays?
Assume that a user has been authenticated with a proper "scope" permission
This is possible in Twitter API v1.1 and OAuth 1.0A, if:
the app has "request user email address" permissions in the developer portal for OAuth 1.0A, with the account access token granted after that was set (i.e. they saw "app can request your email address" in the list when authenticating), and...
the app calls /1.1/account/verify_credentials.json with the include_email=true parameter set
This is not currently possible in Twitter API v2 with OAuth 2.0 but this is actively being worked on (and would be added via Open ID Connect in the future release when it is ready).
Related
I know that OAuth2.0 is framework using to authorization data request between apps, but to give this access auth server is required. It is my question: who is this server? Let's say: We have two apps: Twitter and Google. I am trying to register Twitter account using Google account. And now where is this auth server? Is it Google? Or maybe it is another third server (managed by Twitter and Google together where user data is?) If it is Google, how Twitter is able to check if user token (generated by auth server [Google??]) is valid?
Thanks
On your first question,
I am trying to register Twitter account using Google account. And now
where is this auth server? Is it Google?
Yes, it's Google. If you're trying to login/register to Twitter via Google, Google is the authorization server. Because, Google has to authorize/delegate access to Twitter to access your data such as your Gmail id, username, etc.
Once you click on "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated google user) and then Google would show you a consent page saying that "Twitter is trying to read your profile data, are you okay with this?". Once you click on "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass it to Twitter.
On your second question,
If it is Google, how Twitter is able to check if user token (generated
by auth server [Google??]) is valid?
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data reside)
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check for 'aud' to see if the token is issued for them (recipient of the token). Finally, it checks for the 'scope' claim to see if Twitter has the right access to request the data. For eg, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
How can I use a Google Workspaces (gsuite) user's application specific password to sign into Google's OIDC (OpenId Connect) auth endpoint and request an OIDC ID Token for that user?
Background:
Google turned off support for programmatic password-based authentication to gsuite and Google Workspace saying:
“Blocking sign-ins from less secure apps helps keep accounts safe. For these reasons, Google is limiting password-based programmatic sign-ins to Google Accounts.” Google: Control access to less secure apps
As an alternative to LSA (Less Secure Apps) Google suggests that apps can use "application specific passwords" to programmatically authenticate to Google.
An app password is a 16-digit passcode that gives a non-Google app or device permission to access your Google Account. To help keep your account secure, use 'Sign in with Google' to connect apps to your Google Account. If the app that you’re using doesn’t offer this option, you can either: Use app passwords to connect to your Google Account ... Gmail: Sign in using app passwords.
Google recommends using an App Password as one solution for applications that require programatic sign ins to Google accounts:
Can’t use an app with my Google Account: Use an App Password Google: Less secure apps & your Google Account
This clearly indicates that Google intends for applications to programmatically sign into Google Accounts using app passwords but forbids programatic access for regular passwords. I can find no documentation on how to do this.
My question is: how can I use an app password of a user to sign into Google's OIDC (OIDC Connect) auth endpoint and request an OIDC ID Token for that user?
I can find examples of this being done for Google Workspace SMTP to access email. For instance Google only allows nodemailer to programmatically access gmail via the SMTP protocol using an app password. This however does not help me because SMTP being a email transfer protocol can not issue OIDC ID Tokens.
Out of scope answers:
This is not a question asking how to create GCP service accounts and use domain wide delegation to enable them to impersonate a Google Workspaces user and thereby request an OIDC ID Token for that user.
It is not a question asking how to create an OIDC confidential
client and then given that OIDC confident client access to your
Google account to request an ID Token.
I am not looking for these answers.
I'll try to connect to the content api for shopping via API.
I'de tried some different oAuth ways (e.g. "three-step-method" with access key and baerer-token) but for a spezific integration I need the "credentials-oAuth".
Currently I tried as following:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=[my client id]&
scope=https://www.googleapis.com/auth/content&
redirect_uri=[some random request bin -> added in Authorised redirect URIs ]&
response_type=code
If I call this via Postman, I'll be redirected to the login page of Google. But why?
How can I solve this problem?`
BG
David
Shopping API data is private user data. In order for your application to access private user data it must have the permission of the user who owns that data.
We use OAuth2 to do that. The user must consent to your application accessing its data. In the below image the application Google analytics windows is asking the user for permission to access their Google analytics data.
If I call this via Postman, I'll be redirected to the login page of Google. But why?
You are seeing a login screen with Postman is simple the user needs to be logged in before they can grant access to their data.
How can I solve this problem?
You dont as there is no problem the user must login to grant your client application consent to its data. This is working exactly as it should
Service accounts
Update to answer comment Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
The Google Developer Consoles (even the old version) no longer lists the Mail API in the list of available APIs.
I'm trying to develop a web application which acts on behalf of users to manage their Gmail, like Mailbox. This requires using the Gmail IMAP API with XOAUTH2 authentication with an OAuth 2.0 access token. The documentation instructs provisioning OAuth 2.0 token with a https://mail.google.com/ scope. Provisioning credentials for a web application then requesting a token with this scope yields a 403 response with an accessNotConfigured error. There are options in the developer console for configuring other APIs, but there is no option to configure access for the Mail API.
Attempting to provision the mail scope in the Google OAuth Playground using their client credentials works correctly and the resulting access token can be used to access Gmail IMAP with XOAUTH2.
Have Google disabled OAuth 2.0 authentication for Mail using new credentials, or is it just hidden? I can't find a way to contact them and ask for Mail API access.
Just create any client id it doesn't matter what API you select. When you make the authentication request send the scope of https://mail.google.com/. That will get you the access token you need to login to the imap server.
I am trying to get an access to AdWords API via OAuth.
I registered an app, created MCC account (to a different e-mail) and a test account.
I read through AdWords API documentation and don't see that I need a dev token to access an account by oauth. Just clientId, clientSecret and accessToken.
But when I try to connect to the API using google-api-adwords-dotnet library. I get "Parameter name: AdWords API requires a developer token"
What is the purpose of OAuth if I cant access the API without MCC and dev token?
Best regards,
Andrei
P.S. I can access my test account providing my dev token. But I need to access any client who granted an access to me, not just clients who are part of my MCC account.
This question was answered on AdWords API group: https://groups.google.com/forum/#!topic/adwords-api/mC7mB-YYH-Q
A developer token is required to make AdWords API calls. It's main purpose is to ensure that the developer has accepted AdWords API T&Cs, identify your requests in case we need to troubleshoot issues you are facing, etc. In the past, it was also used to identify the account to which API calls were charged, but that's no longer the case since AdWords API calls are now free.
OAuth2 tokens are used to authenticate the calls you make against a client account. You may also use ClientLogin as an alternative to OAuth2, but it is deprecated and it's use is strongly discouraged.
You need an MCC account to get a developer token, but it's not a requirement that the account you make calls to lives under that MCC. Using OAuth, you could make calls to a totally unrelated account (e.g. a client logs in from the UI), as long as you can generate an access token for the same. Right now, your developer token is under review, that's why your ability to make calls are restricted to test accounts. Once your token is approved, you should be able to make calls to any account that you have access to.