So I have an application that I want to be able to read from BigQuery and perform queries, be able to read from GSheets to form these queries and upload this data into a directory in Google Drive.
I understand how to individually do these things, but for the sake of consolidating my system, I would like to use one set of credentials for everything. Is this a good way to go about building my system? I would like to follow the "least access possible" guideline to limit visibility to the database.
Is the best way to go about this creating multiple credentials? Should I use OAuth Credentials and include relevant scopes? Or can I create one set of credentials for all of this?
I'm using python for the backend, don't think that's relevant to the question though.
The proper way to handle this is to create the project using the Google API Console and authorize all the APIs needed for this project.
Afterwards, you will have to select the APIs needed by following the steps from this article here.
In order to retrieve the credentials for the project, you will have to select the project you created and based on the type of application you plan on developing, you will have to select the type of credentials needed.
Selecting APIs & Service
Selecting Credentials
Then based on your choice, you will end up retrieving the credentials and use them in your application.
Reference
Authorize Requests.
Related
I'm mid-way through a task to migrate a legacy .NET MVC app to use Single Sign On (SSO) to make integration with a to-be-developed mobile app possible. I'm planning on using Azure AD B2C to facilitate this and based on my researched, I need to use custom policies to achieve the required functionality.
Work on this migration is proceeding very slowly. I'm finding the custom policy XML very clunky to work with. It's going to take quite some time to achieve parity with the existing system given the current velocity. I'm wondering whether it would be wise to sidestep a lot of the migration headaches by using the Microsoft Graph API in place of custom policies.
Take registration for example. It appears common to redirect the user to a SignUp.xml custom policy (or the integrated SignUpOrSignIn.xml) to handle adding the user record in the AD B2C data store. Part of this policy would involve calling a REST API to create a corresponding record for this user in the app's database (stores email settings and such). Instead of using these custom policies, my plan would be to instead take the existing registration process and simply add a step which creates the user record on the B2C side using the Microsoft Graph API.
It appears like most things I need may be achieved using the Microsoft Graph API. Things I'd need that I can see are not available are:
logging in to a user account and;
sending verification emails
Are there any other common authentication-related tasks I'm likely to need that couldn't be achieved using the Graph API?
As far as downsides, the fact I'd be handling user passwords (even if it was just to create the user and nothing else) is an obvious concern, but perhaps acceptable. The main thing I'm after is a simple SSO solution that generates secure access tokens (incl. handling reset tokens, etc). I hope then, that this could be a feasible option.
You will miss out on password reset, profile edit, SSO and token expiration etc.
A better way may be to use the base custom policies and achieve a lot of what you need by having the policy call REST API's.
What is your use case?
I'm writing an application that will be the backend for a react website. The website is to be used by our customers, but we will fully control the permissions of the user. We have decided to use Azure AD to secure requests, but will also be exposing the API for end users to use directly if desired.
My understanding is in Azure AD I will have to create an application that will allow web based implicit authentication (for the react site), as well as a native application that will allow a dameon based application to authenticate to the API.
This I believe means I will have two audience ids in my application.
I'm trying to get claims to include groups, and I can see if I edit the meta data of both applicaitons in azure AD to include "groupMembershipClaims": "SecurityGroup" I can get claims with the group IDs in, but no names.
I think I can also use appRoles to set roles the application uses, but I've yet to get that to come through as claims in the JWT, but I'm assuming it can be done, however I'd need to setup the roles on each applicaiton, then add the user twice which isn't really ideal. I also think that because my app is multi-teanated that external users could use this to set their own permissions, which isn't what I want to do.
Sorry I'm just totally lost and the documentation is beyond confusing given how frequently this appears to change!
TLDR: Do I need two applicaitons configured in azure ad, and if so whats the best way to set permissions (claims). Also is oAuth 2 the right choice here, or should I look at open id?
Right away I gotta fix one misunderstanding.
Daemon apps usually have to be registered as Web/API, i.e. publicClient: false.
That's because a native app can't have client secrets.
Of course the daemon can't run on a user's device then.
Since that's what a native app. An app that runs on a user's device.
This I believe means I will have two audience ids in my application.
You will have two applications, at least. If you want, the back-end and React front can share one app (with implicit flow enabled). And the daemon will need another registration.
I'm trying to get claims to include groups, and I can see if I edit the meta data of both applicaitons in azure AD to include "groupMembershipClaims": "SecurityGroup" I can get claims with the group IDs in, but no names.
Yes, ids are included only. If you need names, you go to Graph API to get them. But why do you need them? For display? Otherwise, you need to be using the ids to setup permissions. Names always change and then your code breaks.
I think I can also use appRoles to set roles the application uses, but I've yet to get that to come through as claims in the JWT, but I'm assuming it can be done, however I'd need to setup the roles on each applicaiton, then add the user twice which isn't really ideal. I also think that because my app is multi-teanated that external users could use this to set their own permissions, which isn't what I want to do.
Your thoughts for multi-tenant scenarios are correct. If you did want to implement these though, I made an article on it: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
Why would you need to setup the roles in multiple apps though? Wouldn't they only apply in the web app?
If the native app is a daemon, there is no user.
Overall, I can see your problem. You have people from other orgs, who want access to your app, but you want to control their access rights.
Honestly, the best way might be to make the app single-tenant in some tenant which you control. Then invite the external users there as guests (there's an API for this). Then you can assign them roles by using groups or appRoles.
If I misunderstood something, drop a comment and I'll fix up my answer.
Azure AD is of course a powerful system, though I also find the OAuth aspects confusing since these aspects are very mixed up:
Standards Based OAuth 2.0 and Open Id Connect
Microsoft Vendor Specific Behaviour
ROLE RELATED ANSWERS
This is not an area I know much about - Juunas seems like a great guy to help you with this.
OAUTH STANDARDS AND AZURE
I struggled through this a while back for a tutorial based OAuth blog I'm writing. Maybe some of the stuff I learned and wrote up is useful to you.
AZURE SPA AND API CODE SAMPLE
My sample shows how to use the Implicit Flow in an SPA to log the user in via Azure AD, then how to validate received tokens in a custom API:
Code Sample
Write Up
Not sure how much of this is relevant to your use case, but I hope it helps a little on the tech side of things...
I implemented a simple API.ai bot and I wanted to add it to google home platform but I really need help for the linking account part.
I don't understand if I need to implement an oauth2 protocol for my service or not. Is there any exemple or framework that allow implement this linking account step (any language is ok, it's just for a simple POC).
My goal is to ask my bot some informations and send him some orders to achieve simple processing on a server.
Hope that someone can help me, add a simple bot to google home to access and modify some informations in a server isn't really easy for me ^^
As #Leon noted, you will need to implement the OAuth2 server yourself. The Actions on Google documentation give details about what they are expecting and what steps you can do to implement it yourself. The Authorization Code flow is slightly preferred (additional features from the Assistant will require it in the future), but you're also allowed to use the https://developers.google.com/actions/identity/oauth2-implicit-flow if you wish since it is slightly easier.
There are several packages that are out there that allow you to provide OAuth2, but require you to build the connection to your own account database. I've seen packages for .NET and JavaScript, but it shouldn't be too difficult to find one that meets your needs or to write one yourself.
If you need to authenticate the user, then you will need your own OAuth server. How to hook that up to an action is described in the docs: https://developers.google.com/actions/develop/identity/account-linking
If however, this is just a personal project and you want to test it on your own device, then account linking is not necessary for you to get the action to work. You simply need to hook up your server logic to the action fulfillment. We recommend that you use the API.AI Actions integration. The docs cover how to do that: https://developers.google.com/actions/develop/apiai/dialogs-and-fulfillment
I am trying to develop an application, where I where fetching data from multiple clients related to some transactions. Now I want to make some analysis using the Google Spreadsheet. Is there any way by which I can achieve this using the ASP.Net MVC(using C#). Google provides OAuth and When I implement the code and when I am trying to send the data to Google spreadsheet which I receive form the clients. However, when I am doing that, for every new client, Google asks for login credential. Client enter their own credentials, and the Google sheet instead a common sheet, client own sheet is used. Thus, my purpose is not solved. Is there any way possible to do this. I does not seem to find proper documentation on Google as well. Please provide some suggestions to implement this. Thanks in advance.
This can be done very easily if you just want a read only database.
You must publish your Google Sheet to the web and, from its url, copy its id.
For example my sheet has this url: https://docs.google.com/spreadsheets/d/1IHF0mSHs1HdYpIlIzYKG3O8SnAhKU_a6nEJSz04Togk/edit
The long alphanumeric string in the middle is my sheet id. Copy it and place it instead of XXXX in the following url, as follows:
https://spreadsheets.google.com/feeds/list/XXXX/1/public/basic?alt=json"
So the final url would look like this:
https://spreadsheets.google.com/feeds/list/1IHF0mSHs1HdYpIlIzYKG3O8SnAhKU_a6nEJSz04Togk/1/public/basic?alt=json
Then you can simply access this url and get all your data as json.
Using jQuery:
var $url = 'https://spreadsheets.google.com/feeds/list/1IHF0mSHs1HdYpIlIzYKG3O8SnAhKU_a6nEJSz04Togk/1/public/basic?alt=json';
$.getJSON($url,function(data){
alert(JSON.stringify(data.feed.entry));
});
You will get a long json structure. The relevant data is in data.feed.entry. There you'll have many entries. On each one you'll have a "content" property and within it, a "$t" one. These will give you all the cells.
So for getting the first row, you will have to get data.feed.entry[0].content.$t.
Hope it helps.
This can be accomplished using Google Apps Script. In particular, you can achieve this with a "bound" script in Google Sheets (i.e. a script that was created in the context of the sheet that you wish to create as the "backend") that you then publish as a "web app" script. When you publish it, you can make it execute with the authority of the owner of the spread sheet (rather than the authority of the user who invokes the url), which will not require the end user to explicitly authorize themselves (since it is the script publisher's credentials, not the user's credentials, that are being used).
It should be noted that, while this (and generally building on top of Google Apps Script) is a reasonable approach for small-to-medium apps, you'll probably find using Google Cloud Platform (and, in this particular case, the Cloud Datastore) as the better, more scalable solution for small-to-large apps. That is, if you are prototyping or creating an internal tool that is unlikely to catch fire overnight, I'd go with whichever approach you find more convenient / simpler; if you are creating an app that could potentially experience a "success disaster", I'd go with Cloud Platform, instead.
If your sheet is public, you can do it withouth authentication. You can use google API Visualization with the query language or use the Google Sheets API.
But if your sheet is private, it is mandatory the use of OAuth2 authentication through service account credentials.
In order to do that, you have to create a service account (with owner of the project role for example). Then you have to download the client_secret.json file which will be the one you use in your code.
Finally you have to share your spreadsheet with the email you get in this file. Look in the file and you will see it.
I have made a tutorial. You can visit at http://edba.xyz/google-sheets-as-database. It is mainly based in PHP but it is easily trasportable to
other languages.
I have recently been developing a website using google sheet as backend. It is great. The speed is also appreciable.
I have integrated the custom backend which I wrote on google apps script with my Django app. So now my website stores the user information on google sheets. The google sheet code and Django app interact via Rest API which can be easily developed using doGet() and doPost() in apps script and python request on the Django side. Once the necessary structure is built( it does take some time tweaking if you are new) but then it works as a great database for your website.
Google spreadsheet is a great solution for quick prototyping database and even in some cases for production use.
People have already realized the potential and there are many tools today for turning your Google spreadsheet into a backend api
There are couple of libraries such as node-sheets for obtaining a json feed from a Google spreadsheet (read-only)
Also, if you need a complete standalone service you have some paid options like
https://sheetsu.com
And also open source options such as
https://github.com/scheduleonce/express-sheets
This can be installed on any cloud provider via Docker and you can point it to your spreadsheet and it will dynamically turn it into an api.
So if, for example, your spreadsheet has the following sheets:
| articles | products | users |
It will automatically create the 3 endpoints
GET /articles
GET /products
GET /users
It is suitable for read-only apis (you update the spreadsheet directly, not through code) that don't need to be changed too often (although you can control the update interval)
You can use Kodem.io.
Google Sheets As Backend allows you to do CRUD requets using Google Sheets.
Disclaimer: I work at Kodem
Google's Drive service is great, but their documentation is quite confusing...What I want to do is to create a portfolio site where upon request I fetch all files contained in a particular folder from my Google Drive (e.g. a photo gallery). This requires iterating through an amount of subfolders and store the file data in a JS object, XML feed or similar. Language is not so important. Simply using the "Publish to the web" feature won't do as I can only make manual requests and they're very limited.I've tried to use the Files: list provided in the SDK but it won't work without requiring OAuth 2. Found out that its possible to make a "domain-wide delegation of authority" and bypass its authorization but that would require me to set up a Google Apps domain. Seriously, all that to fetch some files?
My best guess now is to use the https://googleapis.com/auth/drive.metadata.readonly scope, but from there I'm out of ideas.