Can google impersonate me and obtain data from third party application - oauth-2.0

I just started reading about OAuth and cannot find an answer to this question.
If I do sign-in with google on an application, then google will tell the application who I am. So is it possible that someone from google i.e. a google employee (assuming he knows my username and password because google has all my data) can impersonate me and get all my data from that application?

Related

Automate OAUTH2 authentication

I need to authenticate to an API using OAUTH2, however, it has to be made programmatically, no user typing stuff in a browser is permitted.
This seems like such a simple use case, but I haven't found anything online, the only thing close to it was this post, and the only answer is "yeah, you don't want to use a web browser, but what if you do?"... This doesn't help.
So, please, opening a web browser is not an option, I just want to know if Google provides any way to authenticate purely through code.
Thank you!
In order to achieve your goal, I would like to propose using the Service account. When the Service account is used, the access token can be retrieved without using the browser.
As the points for using the Service account, please check the following points.
The Service account is not your own Google account.
For example, as one of several situations, if you want to manage a file in your Google Drive using the Service account, please share the file with the Service account. By this, the Service account can access the file in your Google Drive.
References:
OAuth2ServiceAccount
Several cases using the Service account
Google Drive Access - Service Account or OAuth - To read/write user files
Google service account not being authorized for calendar API
Service Account for google sheets returns not found
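The browserless flow this answer points to, as an added example (not code from the original answer): the service account signs a short-lived JWT with its own private key and posts it to Google's token endpoint. The key pair, account address and key ID below are constructed placeholders, so the sketch runs offline and stops short of the actual POST.

```javascript
const crypto = require('node:crypto');

// Token endpoint; also the required "aud" of the assertion.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build and sign the JWT the service account presents instead of a browser login.
// clientEmail / privateKey / keyId correspond to client_email, private_key and
// private_key_id in a downloaded service account key file.
function buildAssertion({ clientEmail, privateKey, keyId, scope, now = Math.floor(Date.now() / 1000) }) {
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId };
  const claims = { iss: clientEmail, scope, aud: TOKEN_URL, iat: now, exp: now + 3600 };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Form body POSTed to TOKEN_URL; the response carries the access token.
function buildTokenRequest(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Check an assertion the way the token endpoint would: signature over header.payload.
function assertionVerifies(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  return crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
}

// Constructed sample: throwaway key pair and a made-up service account address.
const sampleKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleAssertion = buildAssertion({
  clientEmail: 'demo-sa@example-project.iam.gserviceaccount.com',
  privateKey: sampleKeys.privateKey,
  keyId: 'constructed-key-id',
  scope: 'https://www.googleapis.com/auth/drive.readonly',
  now: 1700000000,
});
console.log(buildTokenRequest(sampleAssertion).slice(0, 80) + '...');
console.log('signature valid:', assertionVerifies(sampleAssertion, sampleKeys.publicKey));
```

Because the private key alone is enough to mint tokens, the key file needs the same protection as a password, and the requested scope should be the narrowest one that works.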

Google Assistant - Sign in to Strava

Apologies if this is a newbie question but I'm hoping someone can offer some advice.
I am fulfilling my Google Assistant intents via an Express app. I would like for users of my action to be able to get and modify data from their Strava account. Strava supports Google Authentication and I wondered if I could use node libraries such as Passport (https://www.npmjs.com/package/passport-strava-oauth2) to allow users to sign in to their strava account so that my action can make calls for their data?
I have a welcome intent that gets some Google profile data so wondering if I can pass through some details from this response?
    googleApp.intent('Default Welcome Intent', (conv) => {
      conv.ask(new Permission({
        context: 'Hi, can I get your details from your Google account?',
        permissions: 'NAME'
      }));
    });
Yes, but probably not in the way you're looking at.
The Permission helper requests access to specific types of information - name and location. You're looking to establish more of an identity relationship (using their email address or Google account).
You can do this using Account Linking.
If you're sure you're using Google Sign In on the Strava side then things are even easier and you can take advantage of Google Sign In for Assistant. With this, once they sign in, your Action will get an Identity Token which you can use to get information including their Google ID and the email address associated with the signed-in Google account. They only need to sign-in once - afterwards, you'll be given an Identity Token whenever they connect.
If your Strava project and your Action are both using the same Google Cloud Project, things get even easier for your users. Once they have signed in on either client, they're signed in on the other one. So you'll know who they are immediately through the Identity Token.
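What trusting the Identity Token mentioned above involves, as an added example (not code from the original answer): check the signature, issuer, audience and expiry before using the Google ID or email. The key pair, client ID and user claims are constructed placeholders; in production the public keys are the signing keys Google publishes.

```javascript
const crypto = require('node:crypto');

const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];
const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns the identity claims only if signature, issuer, audience and expiry all check out.
// keysByKid: Map of key id -> public key (in production, Google's published signing keys).
function verifyIdToken(token, { keysByKid, clientId, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = decodePart(h);
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // never accept "none"/HS256
  const key = keysByKid.get(header.kid);
  if (!key) throw new Error('unknown signing key');
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = decodePart(p);
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error('wrong issuer');
  if (claims.aud !== clientId) throw new Error('wrong audience'); // token issued for another app
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return { googleId: claims.sub, email: claims.email, emailVerified: claims.email_verified === true };
}

// Constructed sample data: throwaway key, placeholder client ID and user.
const CLIENT_ID = 'example-client-id.apps.googleusercontent.com';
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const keysByKid = new Map([['demo-kid', demoKeys.publicKey]]);
function mintSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', kid: 'demo-kid' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), demoKeys.privateKey).toString('base64url')}`;
}
const baseClaims = { iss: 'https://accounts.google.com', aud: CLIENT_ID, sub: '1234567890',
  email: 'user@example.com', email_verified: true, exp: 1700003600 };

// Returns the verified identity, or the rejection reason as a string.
function tryVerify(claims) {
  try { return verifyIdToken(mintSampleToken(claims), { keysByKid, clientId: CLIENT_ID, now: 1700000000 }); }
  catch (e) { return e.message; }
}
console.log(tryVerify(baseClaims));
console.log(tryVerify({ ...baseClaims, aud: 'other-app.apps.googleusercontent.com' }));
```

The audience check is what stops a token issued to a different application from being replayed against yours.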

is it possible to use Google OAuth without using the google sign in page?

I'm trying to figure out a way to authenticate using Google OAuth without using the Google sign in page. I would like to have a separate sign in page for my UI. And my backend will get the email and password from the and authenticate with Google. But the problem I'm running into is that when I'm using Google OAuth it tries to open the Google sign in page. Is there a way to achieve this without using the Google sign in page?
Thank you!
You really don't want to do this. One of the big selling points of OAuth2 is that you can delegate the ownership of identity and credential management. Users shouldn't give their Google passwords to anyone, except Google :)

How to receive user information when user is authenticated with Google Adwords OAuth

I'm building a web application with the google adwords API (ASP.NET Client library v14.5.0).
I'm using the built-in OAuth libraries to authenticate a user. Everything is working fine, but now I want to get user information, such as email address and name, from the user that's logged in.
Does somebody know how this works?
Thanks!
Patrick
AdWords API doesn't provide this information, you could try getting the User profile information instead. See https://developers.google.com/accounts/docs/OAuth2Login#userinfocall for details.

Programmatically change gmail status via OAuth or Authsub

I would like my application to programmatically update my user's Gmail/Google Talk status on their behalf, but I don't want to store their password because of the privacy risk.
Does anyone know if/how it is possible to use OAuth or some other form of authentication that does not require password storage?
The Google Data API docs I have seen support a range of services but don't seem to support Google Talk/Gmail beyond the Google Contacts API.
The Google Talk API seems to explicitly state that username and password are required, but I could be mistaken.
If it helps, my application is built on App Engine, so I can at least use the built-in user class to determine their username and email without storing their password, but this doesn't seem to give me access to the user's status.
Any tips or pointers to apps/code that seems to accomplish this would be helpful. Thanks!
This may not be what you are looking for but it might be a step in the right direction for you.
"the Google Contacts Data API now supports OAuth."
http://groups.google.com/group/oauth/browse_thread/thread/75ee6d973930c791
The post says that "This is our first step towards OAuth enabling all Google Data APIs." And it's quite old so maybe they'll have information about the Gmail API.
Hope it helps.
