we are trying to use google spreadsheets api using oauth2.0 authentication. we used the following code from google api documentation for oauth authentication
def get_credentials():
CLIENT_SECRET_FILE = 'client_secret.json'
SCOPES=[
'https://www.googleapis.com/auth/spreadsheets'
]
APPLICATION_NAME = 'Knab'
home_dir=os.path.expanduser('~')
credential_dir=os.path.join(home_dir,'.credentials')
if not os.path.exists(credential_dir):
os.makedirs(credentials_dir)
credential_path=os.path.join(credential_dir,'knab.json')
store=oauth2client.file.Storage(credential_path)
credentials=store.get()
if not credentials or credentials.invalid:
flow = client.flow_from_clientsecrets(CLIENT_SECRET_FILE,SCOPES)
flow.user_agent=APPLICATION_NAME
if flags:
credentials=tools.run_flow(flow,store,flags)
else:
credentials=tools.run(flow,store)
return credentials;
credentials=get_credentials()
http=credentials.authorize(httplib2.Http())
discoveryUrl = ('https://sheets.googleapis.com/$discovery/rest?'
'version=v4')
service = discovery.build('sheets', 'v4', http=http,
discoveryServiceUrl=discoveryUrl)
I have created oauth2 key and passing the json file (client_secret.json), everything works well, but when we run the code on a fresh
machine, it asking us to open a google link and login with credentials and click on allow. We are about to put in amazon lambda as
microservice. So, there shouldn't be manual intervention. I have tried to run with --noauth_local_webserver as command-line argument.
It's asking to visit the url and enter the code. My idea is to SSH a different machine, run a selenium code to open the url and login with
my google credentials, allow permissison and return the code back to the program. I got a idea, but don't know how to implement it,
any suggestions welcome please....
Related
One of the websites we used to get data from requires now log in via Google, I have been granted access, and want to update the app to continue working.
I've set up credentials (clientId, clientSecret) as well as service account - whichever is easier tbh.
The url I'm trying to access looks like "https://xxxxxxxxxxxxxx.appspot.com/view/company_name"
When logging in manually, I'm being informed that:
To continue, Google will share your name, email address, language preference and profile picture with iap.googleapis.com.
Trying to get it working first on:
https://developers.google.com/oauthplayground/
But each time I select scope (guessing here) Google OAuth2 API v2 (userinfo.email, userinfo.profile) and get the tokens I end up receiving following error message:
Invalid IAP credentials: Expected JWT to have 3 parts separated by a '.' but there are 2 parts
Could anyone tell me all the things I'm doing wrong here?
I am using the Google API to create a spreadsheet on google drive.
My app has a link that says 'Download To Google Doc'
The app sends a file to google docs and shares it with the user.
The user can then see it in google docs.
This all works good.
The problem is the identity of the service account sharing the doc.
It is a generated id. I want it to be branded to my app.
Is this possible?
-
You can't change the service account email address, nor can you supply a real world user name to it. The service account email address is created by Google in the Google Developer console.
The only way to change the email address would be to delete it and create a new one but again you would be stuck with the one Google Created. I suspect that the client id and email address are a pair used for identification of your application. Similar to client id and client secret, but I cant verify that.
I do see your point it would be nice if we could.
Google Service Accounts do allow you to impersonate an existing user account (for some services). I haven't tested it on Google Drive, but I have used it with the Webmaster tools API. The instructions can be found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
To sum them up, when creating the service account credentials you can specify the "sub" parameter with "The email address of the user for which the application is requesting delegated access." The account you're requesting access for must exist and have permission to access to the services you're requesting.
In the link above Google provides examples for Java, Python and HTTP/REST, here's the Python example:
credentials = SignedJwtAssertionCredentials(client_email, private_key,
'https://www.googleapis.com/auth/sqlservice.admin',
sub='user#example.org')
I'm using the Ruby google-api-client gem (0.9.pre3) and the ServiceAccountCredentials constructor does not pass the 'sub' parameter to its parent class so it has to be specified in another step:
client = Google::Auth::ServiceAccountCredentials.new(json_key_io: json_key_io, scope: scope)
client.update!(sub: 'user#example.org')
client.fetch_access_token!
service = Google::Apis::WebmastersV3::WebmastersService.new
service.authorization = client
Using this code I can authenticate using my service account and I have access to the sites
My goal is quite simple : Use php files that will log on my youtube account and upload custom thumbnails.
I already successfully used Youtube API V2 to upload videos with no problem,
but the V3 requires OAuth2.0, and I can't found a way to avoid my server keeps ask me "Please login from your google account"
I use the example from the official place, here :
And created my OAuth token (tried web application and service) but it keeps ask me to log in...
I only want the php files to log on alone, because I want to share them to some friends that will be able to change thumbnails without having a google acount or knowing my youtube/google password.
You can do so by getting a refresh token from OAuth2 Playground and setting it in your youtube object.
Here it explains a little more.
And a step by step video.
Thank you Ibrahim, it solved my problem :) !
Except you didn't mentionned that I had to use $client->refreshToken('Refresh Token'); and then start the conditional : if ($client->getAccessToken()) { [...] . Very important to the others one who could encounter the problem : You need to use google developper console https://cloud.google.com/console and specify in APIs & Ath > Credentials the exact adress of your PHP script, and set a product name and email address in Consent Screen.
I have an account with google which can login absolutely fine via www.youtube.com. However when I use the following code via the Youtube API:
$httpClient = Zend_Gdata_ClientLogin::getHttpClient(
$username = 'EXAMPLE#EXAMPLE.COM',
$password = 'EXAMPLE',
$service = 'youtube',
$client = null,
$source = 'EXAMPLE', // a short string identifying your application
$loginToken = null,
$loginCaptcha = null,
"https://www.google.com/accounts/ClientLogin");
I receive the following error: 'Authentication with Google failed. Reason: BadAuthentication'
Why would I be able to login to google & youtube with the exact same credentials but not to the API?
Maybe you have enabled 2-step verification on your gmail account,
take note of the message at the top of this page:
https://developers.google.com/accounts/docs/AuthForInstalledApps
The problem is that you're using clientLogin, witch is intended for installed applications, not web apps.
You should change this to AuthSub in order to get a token to make API calls.
That said, we have the same issue and we haven't change that (there's not enougth time to change aaaall auth changes in Google, Twitter and Facebook, isn't it?). The solution for us was to inform clients with that problem thet they have to disable the captcha by clicking this link and follow the instructions: http://www.google.com/accounts/DisplayUnlockCaptcha
That's not the right way, but it's a way
I have been studying the Google Calendar API and the docs on authentication (http://code.google.com/apis/calendar/v3/using.html#auth). It seems that the use case mentioned here is writing an application that accesses the user's calendar. However, I am writing a web page that will access the web site owner's calendar and display just that one calendar's information. So, I don't want the user to enter in their Google account information which is what oAuth wants to do.
Basically, I am looking for a way to access a single private Google calendar and authenticate to it by passing the credentials directly to the service.
There is a similar questions here: How to use OAuth with Google Calendar to access only ONE calendar?
that seems to indicate that the poster originally was passing the credentials directly. Is this feature still available? How do you handle the use case I described?
If I'm not wrong, they've launched Service Account for this now: https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Edit:
Here's the modification from their Prediction API
session_start();
require_once "google-api-php-client/src/Google_Client.php";
require_once "google-api-php-client/src/contrib/Google_CalendarService.php";
const CLIENT_ID = '...';
const SERVICE_ACCOUNT_NAME = '...';
// Make sure you keep your key.p12 file in a secure location, and isn't
// readable by others.
const KEY_FILE = '...';
$client = new Google_Client();
$client->setApplicationName("...");
if (isset($_SESSION['token'])) {
$client->setAccessToken($_SESSION['token']);
}
// Load the key in PKCS 12 format (you need to download this from the
// Google API Console when the service account was created.
$key = file_get_contents(KEY_FILE);
$client->setAssertionCredentials(new Google_AssertionCredentials(
SERVICE_ACCOUNT_NAME,
array('https://www.googleapis.com/auth/calendar', "https://www.googleapis.com/auth/calendar.readonly"),
$key)
);
$client->setClientId(CLIENT_ID);
$service = new Google_CalendarService($client);
//Save token in session
if ($client->getAccessToken()) {
$_SESSION['token'] = $client->getAccessToken();
}
//And now you can use the code in their PHP examples, like: $service->events->listEvents(...)
I have the same problem. I found this 3 part tutorial that makes exactly what you want . Web page for bookings
You create a web page that writes directly into your own calendar (not the users) and that is why users don't have to give you permission to access their calendar.
This solution works for me, but you have to manage it directly with REST.
I am looking for a way to use google api php client because it seems a bit simpler. But I have not yet found a way to how to properly edit the google-api-php-client/src/config.php file to work in a way where you authenticate yourself not the actual user, because you need access to your calendar. If anyone has an idea or a script that would do that I would be very grateful.
Also take a look here:
https://github.com/googleapis/google-api-php-client#authentication-with-service-accounts
After creating a service account you can authenticate without the user prompt for adding items to a calendar your service owns.