I have a .Net core web Api calling google drive api. The google drive api should authenticate the api call with Okta and authorize. How can this be achieved?
Should i setup the auth application in Okta dashboard and generate client id and authentication token?
Which before calling google api will be used to get bearer token from Okta and shared with the google api?
Will be registered with google admin console and generate the tokens?
The domain of the api will be google.api.com ... so no where it is going to Okta for authentication
What you do with your Okta site will be after you have gained access to the google api on behalf of your users. a bearer token from Okta will not grant you access to a google api you need to go though googles authorization server to get that.
In order to access the Google Drive api and access private user data. The owner of that data will need to authorize your access.
To do this we use something called Oauth2. The issue you will have is begin that you say you are using a web api to call Google you will need to create a web application on the side where your users can authorize your application to access their data. You will need to register your application with google on Google Developer console. Create a web client credentials. Then when the user has authorized your application to access their data you will will need to store the refresh token in your system associated with the user.
Then your web api will be able to access the users data by loading the refresh token and requesting a new access token.
There is currently only one sample web-applications-asp.net-core-3 for .net core web applications it doesn't show how to store the refresh token you will need to work that out.
I do have a video on setting up asp .net core with the google people api it might give you a starting point How to get a Google users profile information, with C#. as well as one on how to create a How to create Google Oauth2 web application credentials in 2021.
Related
I am writing a google drive desktop application and I am using OAuth 2 to get credentials. I can get creds for just reading, but not changing files. As it is a desktop application, there is no site. It is written in https://developers.google.com/identity/protocols/oauth2/native-app, that I need to "supply a local redirect URI to handle responses from Google's authorization server". So, should the client also be a server and listening on some port locally? If I want to have the app verified, I need to provide Authorized domains and other stuff, but it is a desktop application, again. Or maybe there is a way to allow users to use the app, but with a warning on a consent screen for example for development purposes.
Also how to hide the credentials, that I use to get the token? If I publish the app with the credentials, everybody can just steal them and use them
In order to develop a desktop application which will use the Drive API you will have to use credentials of the web app type for which you will later provide the appropriate redirect URI.
By using OAuth 2.0 in your application, you are the only one who has access to the credentials for the application - unless you share them.
According to the Google OAuth 2.0 documentation:
You start by obtaining the OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
For the login process, when the users will log-in to your application, they will use their own credentials and then they will have to authorize the application you have built in order to be able to use the Drive API.
Reference
OAuth 2.0 for Mobile & Desktop Apps;
Using OAuth 2.0 to Access Google APIs;
A client has requested implementation of the new Google Photos API as a feed of their photos on the website.
The issue arises whereas the library only supports OAuth 2.0 to authorise the library requests. Meaning that each visitor needs to authenticate themselves prior to seeing the photos.
Authorization
Like other Google REST APIs, the Library API uses OAuth 2.0 to handle authentication and authorization. Your app can request access to the user's Google Photos library via the various authorization scopes provided by the API.
Note that the Library API does not support service accounts; to use
this API, users must be signed in to a valid Google Account.
Does anyone know a way that I can authenticate the library for all web traffic? I want to use Google Photos as a CMS for images and have a constant feed on the site.
Since the Google Photo APIs requires OAuth 2.0 User Credentials, you will not be able to use this API as a CMS for you website.
Each API request requires an OAuth Token and this token can only be obtained by a person authenticating with Google Accounts. The OAuth Flow requires the user to authenticate and grant permission to their personal Google Account.
In addition this API requires that you create OAuth Client Secrets which is used to track your app.
I'll try to connect to the content api for shopping via API.
I'de tried some different oAuth ways (e.g. "three-step-method" with access key and baerer-token) but for a spezific integration I need the "credentials-oAuth".
Currently I tried as following:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=[my client id]&
scope=https://www.googleapis.com/auth/content&
redirect_uri=[some random request bin -> added in Authorised redirect URIs ]&
response_type=code
If I call this via Postman, I'll be redirected to the login page of Google. But why?
How can I solve this problem?`
BG
David
Shopping API data is private user data. In order for your application to access private user data it must have the permission of the user who owns that data.
We use OAuth2 to do that. The user must consent to your application accessing its data. In the below image the application Google analytics windows is asking the user for permission to access their Google analytics data.
If I call this via Postman, I'll be redirected to the login page of Google. But why?
You are seeing a login screen with Postman is simple the user needs to be logged in before they can grant access to their data.
How can I solve this problem?
You dont as there is no problem the user must login to grant your client application consent to its data. This is working exactly as it should
Service accounts
Update to answer comment Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
I'm working with a company that is using the Google Apps free subscription. This company has a web site. They want to let users who have Google Apps accounts in their domain to authenticate into the web site via OAuth.
My question is, where do I find the ClientId and ClientSecret needed to do OAuth?
Thank you!
OAuth 2.0 for Client-side Web Applications will allow you to authenticate users using Oauth2. This will allow the users to grant your application access to their private data.
You will need to go to Google Developer console and create credentials on this page Credentials
Open the Credentials page in the API Console.
Click Create credentials > OAuth client ID.
Complete the form. Set the application type to Web application. Applications that use JavaScript to make authorized Google API requests must specify authorized JavaScript origins. The origins identify the domains from which your application can send API requests.
So I read the following on the Authorizing Requests to the Google Calendar API page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there an Google Calendar alternative that has a dependable API that I could use?
When the user authenticates your application you are given an Access token (good for one hour) and a refresh token. You should save the refresh token, when ever you need to access the users data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to there account.
I wrote a tutorial that tries to explain Oauth2 how to set it up and how it works. Google Developer console Oauth2