My goal is to have a program on our servers update numerous Google Sheets, from time to time, over months.
The only I could find to do this within the current iteration of the Google API was to set up two-legged OAuth, with a Google Service Account. This Service Account can impersonate any user. I just have it impersonate a bot user (e.g. sheetsbot2000#sample.com) for now.
Is there a way to do this without giving the Service Account the ability to impersonate any user? Could I constrain it to just be sheetsbot2000#sample.com?
Who owns those sheets? If it is owned by a few accounts that you have, You could manually generate a OAuth refresh token and store it with the "server program". It can use these refresh tokens to get an access token and then manipulate the sheet.
If the sheets owned by other people, you can still do the same but you'll have to get OAuth permission from them and store a refresh token.
Related
I have integrated microsoft teams in my project where a user can give us access to create meetings on teams on his/her behalf. But now I want to give the user a option to disconnect his/her account i.e. we will no longer be able to create meetings on user's behalf.
I am facing few problems in this flow:
I am unable to find an API where I can send request on user's behalf
to invalidate a access/refresh token.
If I remove the token stored at my end and then user again tries to connect their Microsoft account with our website it no longer asks for user's consent(which is basic requirement for OAuth) to give access to our app(if user is logged in Microsoft account on the browser he/she do not see the consent page and account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
At the end all what I want is when user tries again to connect his/her Microsoft account with our app he/she see the consent page(every time he tries to connect account) and then user clicks the allow button which will give us access and refresh token.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1)To invalidate access token on users behalf, Refer this DOC.
2)For fetching the access token using the refresh token please refer this DOC.
Hope this helpful.
An alternative solution for prompting the user to the consent page is just simply appending the prompt="consent" in the OAuth2 URI prameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
_____↑↑↑↑↑↑
Here you can find the documentation about the parameters.
I have to read User emails (particular subfolder), One Drive, Team Channels and Sharepoint after some regular intervals at the background using Microsoft Graph API but not without having the user consent which should be taken only once when they logged in to the web based application first time and not afterwards. I am not sure where to start from and how this can be achieved? Should the token be stored forever in some database securely OR Is it the AAD?
Would really appreciate any pointers/APIs/Libraries/concepts or links which can help in moving towards this direction.
If you want to get the token without user, client credentials flow can be used. The flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.
In the client credentials flow, permissions are granted directly to the application itself by an administrator. So it is necessary to use the application permissions. You could call Microsoft Graph API with the access token.
For example, call this API to get message:
You need to add one of the application permissions to API permission(navigate to Azure Active Directory-> your application), and click grant for your tenant.
I am trying to build an application which requires to access user's google apis on their behalf once they give consent.
What I am trying to build?
An azure database is scheduled to put some data on user specified spreadsheets on their google drive.
What is the problem?
I am unable to figure out how to upload data to user specified spreadsheets when the user is offline.
What workflow do I want?
User logs in with Google Account
User gives consent to web app to access spreadsheets api (just once)
Thereafter my server should update the sheets as per the schedule without the user's interferance
User can later check back to see the updated data on their sheets.
I want to know how should I implement to get this mechanism?
Request offline access of the user get a refresh token. Store the refresh token and when ever you need to access the users account later use the refresh token to request a new access token.
I recommend looking for a google client library in your chosen language most of them handle this functionality internally.
I'm building an application that needs to have access to Google Drive and Google Sheets. I want the user to go to https://mydomain.appspot.com/authenticate to go through the Google login flow and authenticate themselves so that the backend receives access tokens for both Google Drive and Google Sheets.
After that I want the backend to be able to access Drive and Sheets without user interaction. For example, I would like a scheduled task to run every hour and retrieve some data from Drive and Sheets. I want the backend to use the token it received when the user authenticated themselves.
Is this possible? I really hope so. I have been looking here and I don't really find anything that can help me. https://developers.google.com/sheets/api/guides/authorizing
The backend is developed in Java and deployed on Google App Engine.
A long lived access token is actually called a refresh token. You will need to have your users authenticate your application then you will receive a refresh token. the refresh token can then be used to request a new access token from the Google authentication servers when ever you need.
Note: Do not get yourself side tracked with serviced accounts its not the same thing. You can run automated scripts using a refresh token gained from Oauth2, googles terminology is just a little confusing.
Check out the official google java client library it should handle most of it for you. Using OAuth 2.0 with the Google API Client Library for Java
You need to setup Offline Access as defined at:
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed.
I am creating a headless service that I intend to use to access a third party API. To do this, I need to authorize myself with this third party API using a google access token. since I want this service to run in a headless fasion (i.e. no user input), I created a special account with Google and now I want to get the access token and google id using OAuth - the caveat is that this is a headless service, so I need to do this without the 'user' entering their username / password.
how do I do this?
Regarding your comment, you can get a refresh token through the web flow. Refresh tokens never expire (although the user can revoke them) and can be used to obtain access tokens as often as needed. See https://developers.google.com/accounts/docs/OAuth2WebServer for more info.