I need to build APIs integrations to connect my Rails 6 B2B app to any other service such as Google Drive, Microsoft Excel, Zapier.
What I've done so far is to ask clients for their client_id and client_secret (or api_key), store them and then use them to authenticate to the API with OAuth2.
Storing clients' secrets is not the ideal solution. I would like to do the same thing but without asking for secrets.
Just like Trello or TypeForm are doing it.
I have no clue on how to authorize my app to read/write data of an other service without authorizing through an URL with the secrets.
Here is an example of TypeForm connecting to GoogleSheet API :
Connects to the Google account
Asks for permissions
Asks for the spreadsheet link
Writes data in the spreadsheet (form responses)
https://www.typeform.com/connect/google-sheets/send-responses-to-google-sheets/
The usual way is that you register your own "app" in the console for those API providers, and then you use your own client id/secret pair to request access to the end user's data. That's what usually brings up those authorization screens like: "jdps app1 would like to access your google account".
More information for Google APIs specifically: https://developers.google.com/identity/protocols/oauth2
Related
I have already used google sheets API before, but it seems now they have new policy, so I can't add the required scope that allows you to write data (in my case - metadata) to a spreadsheet (https://www.googleapis.com/auth/spreadsheets) without verification. (I get 403: "Request had insufficient authentication scopes.")
Is there any way to write data to a spreadsheet, even just for developing (maybe write only to a sheet that I have created as the owner of the project) without verification, or maybe I'm doing something wrong?
According to the Google Sheets API documentation:
When your application requests private data, the request must be authorized by an authenticated user who has access to that data.
Every request your application sends to the Google Sheets API needs to identify your application to Google. There are two ways to identify your application: using an OAuth 2.0 token (which also authorizes the request) and/or using the application's API key.
Therefore, the scope you are using, the https://www.googleapis.com/auth/spreadsheets is the one which allows reading and/or writing acces to the user's sheets and their properties and it requires authorization.
So what you can do to solve your issue, is to use a service account.
You should create one for your project in the API console and then your application will make authorized requests by using the account's credentials to request the access token from the OAuth 2.0 server. Hence, the authentication procedure won't be necessary every time since the application will be calling the API on behalf of the service account.
Furthermore, I suggest you take a look at these links, since they might be of help:
Authorize Request with Google Sheets API v4;
Using OAuth 2.0 for Server to Server Applications;
Using OAuth 2.0 to Acces Google's APIs.
i will develope a wordpress plugin to access google analytics and visualize the data in a widget. So i checked some existing wordpress plugins, like the famous known "Google Analytics Dashboard for WP (GADWP)" - https://wordpress.org/plugins/google-analytics-dashboard-for-wp/. I was looking for a way how the user authorizes and get refresh and access token to access ga data in behalf of the user (who installed the plugin). And there i found that this plugin (and all other google analytics wodpress plugins) publish there secret. Because in a plugin (which the user downloads) it is impossible (i think) to hide the client secret, because the user of course see's the source code.
As the google documententation describes (https://developers.google.com/identity/protocols/OAuth2WebServer): Important: Do not store the client_secrets.json file in a publicly-accessible location. In addition, if you share the source code to your application—for example, on GitHub—store the client_secrets.json file outside of your source tree to avoid inadvertently sharing your client credentials.
So in this case i think the authentication of the request is lost. If i get or guess a refresh token of any other website that uses the plugin, i will be able to exchange refresh token with access token (because i know the client id and secret) and access the ga data. I already tested that.
So i am looking for a more secure way to access the ga data in my plugin without letting everybody know my secret. Are there any solutions or hints? I thought about sending every request through my server, so nobody know's my secret, but this is also not the solution of the problem. When exchanging the authorization code and receiving the refresh token maybe i have to exchange something like a key pair that will be used to encrypt every following request? Every following request will be to get a new access code for a refresh token.
Of course every user can create his own client id and secret. But this is now very user friendly.
Maybe is it possible to create a new api project and oauth authentication via api (what you normaly do via the google api console)?
Thanks for your help and hints,
Harald
I'm building an application that needs to have access to Google Drive and Google Sheets. I want the user to go to https://mydomain.appspot.com/authenticate to go through the Google login flow and authenticate themselves so that the backend receives access tokens for both Google Drive and Google Sheets.
After that I want the backend to be able to access Drive and Sheets without user interaction. For example, I would like a scheduled task to run every hour and retrieve some data from Drive and Sheets. I want the backend to use the token it received when the user authenticated themselves.
Is this possible? I really hope so. I have been looking here and I don't really find anything that can help me. https://developers.google.com/sheets/api/guides/authorizing
The backend is developed in Java and deployed on Google App Engine.
A long lived access token is actually called a refresh token. You will need to have your users authenticate your application then you will receive a refresh token. the refresh token can then be used to request a new access token from the Google authentication servers when ever you need.
Note: Do not get yourself side tracked with serviced accounts its not the same thing. You can run automated scripts using a refresh token gained from Oauth2, googles terminology is just a little confusing.
Check out the official google java client library it should handle most of it for you. Using OAuth 2.0 with the Google API Client Library for Java
You need to setup Offline Access as defined at:
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed.
My goal is to offer a service for user of my website to store their private notes.
I want that users can trust the service, therefore the data should not be accessible for my company.
Can i realize this with google-cloud-storage and oauth-2.0 authentication? I would use the Google Cloud Storage JSON API to send the notes directly from the browser into the cloud.
What would be the basic steps to implement this?
There are a couple of ways to handle this, depending on how you want to handle authentication. If you want to make sure that your application cannot access the objects and only the users can, you'll need the users to have Google accounts and authenticate your app to act as their agent using OAuth 2.
Your app could involve a piece of JavaScript that would prompt the user to authenticate with Google and grant it access to Google Cloud Storage under their name. It would then receive a token that it could use to act as them. From there, it would upload the note using that token with an ACL granting permissions only to the uploader.
The uploaded object would go into your bucket, but it would be owned by the end user. You'd have the ability to delete it, but not to read it, and your bucket would be billed for storage and access.
The downside here is that all of your users would need to have Google accounts that they could entrust to your application for short periods of time.
Here are some details on the OAuth 2 exchange: https://developers.google.com/accounts/docs/OAuth2UserAgent
Here's the JavaScript client that does a lot of the authorization heavy lifting for you:
https://code.google.com/p/google-api-javascript-client/
And an example of using that library for authorization:
https://developers.google.com/api-client-library/javascript/samples/samples#AuthorizingandMakingAuthorizedRequests
Another alternative would be for the user to upload directly to the cloud using YOUR credentials via signed URLs, but if you went down this road, you would be able to read the notes after they were uploaded.
I'm making an application wich allows the admin to manage the files of users in the google apps domain.
Since the docList api is deprecated I used the Drive api.
How I can create a Drive service as another user while logged in as admin?
Some people suggested to use the OAuth consumer key.
But I don't know how to implement this with oauth-2.0.
You might want to check out this post: Google Drive service account returns 403 usageLimits
I used OAuth2 and a service account to accomplish pretty much the same. Keep in mind you need to use the API Console to setup your environment and ensure the service account is added to the Google Apps domain with the proper scopes to allow access.