Google API OAuth2 - oauth-2.0

I am trying to build an ETL integration with google sheets. On the front end i was able to promt user to grant access to their drive and sheets but what i would like to do is to somehow be able to then later run a scheduled sync from cloud funtions in Firebase to access their sheets and sync the data to another endpoint. How can i use use the permissions grant to do this on the backend without having to authenticate again? I cannot find any articles about this on the web or in the gapi documentation.

If you specify the offline_access scope in the authorization request, you should receive a refresh token from the authorization server, if the user grants you that permission.
With that refresh token, you can get a new access token from the authorization server, without the involvement of the user.
Note that the refresh token typically has an expiration date too.

Related

Using oauth2 by server in behalf of client

I am trying to build an application which requires to access user's google apis on their behalf once they give consent.
What I am trying to build?
An azure database is scheduled to put some data on user specified spreadsheets on their google drive.
What is the problem?
I am unable to figure out how to upload data to user specified spreadsheets when the user is offline.
What workflow do I want?
User logs in with Google Account
User gives consent to web app to access spreadsheets api (just once)
Thereafter my server should update the sheets as per the schedule without the user's interferance
User can later check back to see the updated data on their sheets.
I want to know how should I implement to get this mechanism?
Request offline access of the user get a refresh token. Store the refresh token and when ever you need to access the users account later use the refresh token to request a new access token.
I recommend looking for a google client library in your chosen language most of them handle this functionality internally.

How do you authenticate with Adwords using a previously cached access token?

I am developing a python app where I'd like to access my AdWords account using the installed app flow, and would like to use the best practice mentioned in the Distributed Apps section on that page. My AdWords API usage boils down to:
Initiate an Oauth2 flow, and retrieve a refresh token and access token when a user logs in to my website, and gives me permission to access their AdWords account
Use the retrieved refresh token and access token to access some basic AdWords information from the user, and save these tokens for later usage
Retrieve the access token saved in step #2, to periodically make AdWords api calls on behalf of the user
If the access token has expired, use the refresh token saved in step #2 to mint a new access token.
Step #1 is easy, and well documented here:
flow = OAuth2WebServerFlow(client_id='your_client_id',
client_secret='your_client_secret',
scope='https://www.googleapis.com/auth/calendar',
redirect_uri='http://example.com/auth_return')
auth_uri = flow.step1_get_authorize_url()
credentials = flow.step2_exchange(code)
Step #2 is also well documented here:
oauth2_client = oauth2.GoogleRefreshTokenClient(
client_id, client_secret, refresh_token)
adwords_client = adwords.AdWordsClient(
developer_token, oauth2_client, user_agent,
client_customer_id=client_customer_id)
But I can't figure out how to authenticate using just the access token. The googleads.adwords.AdWordsClient class is essential here, because that's my way of interacting with the AdWords API. But I can't seem to figure out how to instantiate that class without a GoogleRefreshTokenClient object. And instantiating the GoogleRefreshTokenClient object requires a refresh token and not an access token. I don't want to instantiate an GoogleRefreshTokenClient object every time I need to make an AdWords API call, because that will force me to generate a new access token every time, making me violate Google Terms of Service.

Long lived access token for Google OAuth 2.0

I'm building an application that needs to have access to Google Drive and Google Sheets. I want the user to go to https://mydomain.appspot.com/authenticate to go through the Google login flow and authenticate themselves so that the backend receives access tokens for both Google Drive and Google Sheets.
After that I want the backend to be able to access Drive and Sheets without user interaction. For example, I would like a scheduled task to run every hour and retrieve some data from Drive and Sheets. I want the backend to use the token it received when the user authenticated themselves.
Is this possible? I really hope so. I have been looking here and I don't really find anything that can help me. https://developers.google.com/sheets/api/guides/authorizing
The backend is developed in Java and deployed on Google App Engine.
A long lived access token is actually called a refresh token. You will need to have your users authenticate your application then you will receive a refresh token. the refresh token can then be used to request a new access token from the Google authentication servers when ever you need.
Note: Do not get yourself side tracked with serviced accounts its not the same thing. You can run automated scripts using a refresh token gained from Oauth2, googles terminology is just a little confusing.
Check out the official google java client library it should handle most of it for you. Using OAuth 2.0 with the Google API Client Library for Java
You need to setup Offline Access as defined at:
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed.

Is it possible to authenticate server to server with Google Calendar API?

So I read the following on the Authorizing Requests to the Google Calendar API page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there an Google Calendar alternative that has a dependable API that I could use?
When the user authenticates your application you are given an Access token (good for one hour) and a refresh token. You should save the refresh token, when ever you need to access the users data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to there account.
I wrote a tutorial that tries to explain Oauth2 how to set it up and how it works. Google Developer console Oauth2

What does "offline" access in OAuth mean?

What exactly does the word "offline" mean with regard to the offline access granted by an OAuth server?
Does it mean that the resource server will return data about the user even when the user is logged out of the third-party application or when the user is logged out of the OAuth resource server such as Facebook or Google or Twitter?
Offline access is IMO a really bad name for it, and I think its a term only
Google uses its not in the RFC for OAuth as far as I remember.
What is Google offline access?
When you request offline access the Google Authentication server returns a
refresh token. Refresh tokens give your application the ability to
request data on behalf of the user when the user is not present and in front of
your application.
Example of an app needing offline access
Let's say I have a Super Awesome app that downloads your Google Analytics Data,
makes it into a nice PDF file and emails it to you every morning with your
stats. For this to work my application needs to have the ability to access
your Google Analytics data when you are not around, to give me permission to do
that. So Super Awesome app would request offline access and the
authentication server would return a refresh token. With that refresh token
Super awesome app can request a new access token whenever it wants and get your
Google Analytics data.
Example of an app not needing offline access
Let's try Less Awesome app that lets you upload files to Google Drive. Less
Awesome app doesn't need to access your Google drive account when you're not
around. It only needs to access it when you are online. So in theory it
wouldn't need offline access. But in practice it does, it still gets a refresh
token so that it won't have to ask you for permission again (this is where I
think the naming is incorrect).
Helpful quote from the OpenStack documentation:
If a refresh token is present in the authorization code exchange, then it
can be used to obtain new access tokens at any time. This is called
offline access, because the user does not have to be present at the browser
when the application obtains a new access token.
The truth about offline access
The thing is that in a lot of cases the authentication server will return the
refresh token to you no matter what: You don't have to actually ask for anything –
it gives it to you. Giving you the ability to access the users data when they
aren't around. Users don't know that you could access their data without them
being there. It's only the JavaScript library and I think the PHP library
that hide the refresh token from you, but it's there.
Example
By just posting (i.e. HTTP POST request):
https://accounts.google.com/o/oauth2/token?code={AuthCode}&
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
Here is the response:
{
"access_token": "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}
I now have offline access to this users data, and I never told them that I
would have it. More details be found in this short article: Google 3 legged
OAuth2 flow.
Useful reading
Using OAuth 2.0 for Web Server Applications
Understanding Refresh Tokens
By design the access tokens returned by the OAuth flow expire after a period of time (1 hour for Google access tokens), as a safety mechanism. This means that any application that wants to work with a user's data needs the user to have recently gone through the OAuth flow, aka be online. Requesting offline access provides the application a refresh token it can use to generate new access tokens, allowing it to access user data long after the data has gone through the OAuth flow, aka when they are offline.
Getting offline access is needed when your application continues to run when the user isn't present. For instance, if there is some nightly batch process, or if your application responds to external events like push notifications. However if you only access user data while the user is actively using your application then there is no need for offline access. Just send the user through the OAuth flow every time you need n access token, and if they've previously granted access to your application the authorization page will instantly close, making the process nearly invisible to the user.
For Google APIs, you can request offline access by including the parameter access_type=offline in the authorization URL you present to your users. Offline access, and hence refresh tokens, is requested automatically when using the Installed Application flow.

Resources