I'm trying to set up a service that helps manage a user's youtube account, including scheduled video uploads even when the user is not logged in. I'm having some weird issues with authentication, and I can't seem to find a way to fix it.
My omniauth initializer:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
{
name: 'google',
scope: 'http://gdata.youtube.com, email, profile, plus.me, youtube, youtube.upload',
prompt: 'consent',
access_type: 'offline',
image_aspect_ratio: 'square
}
end
The brunt of my code for authorization:
YOUTUBE_SCOPE = 'https://www.googleapis.com/auth/youtube https://www.googleapis.com/auth/youtube.upload'
account = User.find(1234)
client = Google::APIClient.new(application_name: 'YouTube Delivery',
application_version: '1.0.0')
api = client.discovered_api('youtube', 'v3')
client.authorization.client_id = ENV['GOOGLE_CLIENT_ID']
client.authorization.client_secret = ENV['GOOGLE_CLIENT_SECRET']
client.authorization.grant_type = 'refresh_token'
client.authorization.refresh_token = account.refresh_token
client.authorization.scope = YOUTUBE_SCOPE
client.authorization.fetch_access_token! if client.authorization.expired?
All of this code appears to work. A user can sign in, and I've verified that the proper permissions are being asked for. A user is also prompted to give offline consent. I get back a refresh token, and I am able to get new access tokens with the refresh token when the current token is expired. No problems there.
The problems come in when I try to upload a video to youtube when the user is not present:
video = Video.find(1234)
request_body = {
snippet: {
title: video.title,
description: video.youtube_description,
tags: video.tags
},
status: { privacyStatus: 'private' }
}
response = client.execute!(
api_method: api.videos.insert,
body_object: request_body,
media: Google::APIClient::UploadIO.new(video.local_path, 'video/*'),
parameters: {
uploadType: 'resumable',
part: 'snippet,status'
},
authorization: client.authorization
)
This is where google throws back Google::APIClient::AuthorizationError: Unauthorized
Per the google docs, I can test the access token I have by running:
curl https://www.googleapis.com/youtube/v3/channels?part=id&mine=true&access_token=ACCESS_TOKEN
For me, this returns:
{ "error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}
],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}}
I've made sure I've added the following apis to my project in the google api console: contacts, google+, youtube data, youtube analytics. I've also checked that all of my environment variables are properly set.
Not really sure where to go from here. Any guidance would be greatly appreciated!
My rails version: 4.1.6
Related
I'm trying to retrieve authenticated user blogs (granted scope):
var token = await firebase.auth().currentUser.getIdToken();
fetch('https://www.googleapis.com/blogger/v3/users/self/blogs', {
"headers": {
"Authorization": "Bearer " + token
},
"method" : "GET",
"muteHttpExceptions": true
}).then( r => console.log(r) );
but i get error:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Invalid Credentials",
"domain": "global",
"reason": "authError",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
Could you tell me please what I'm missing to achieve this without using back end ?
A Firebase Authentication ID token is a JWT. Blogger expects an OAuth 2 token, which the Firebase Authentication token isn't.
While it is possible within Firebase to create an ID Token based on an OAuth token, the reverse isn't possible. You will have to sign in the user with an OAuth 2 provider instead, and pass that token to blogger.
I'm trying to talk to the Google Calendar API using Ruby. I followed this guide to gain consent from a user, and I saved their authorization token and refresh token. I'm following this guide to call the actual API, but I can't find any instructions anywhere about what specifically to actually do with the token. I assume I'm supposed to include it in the API request somewhere, but where?
Anyone use Google Calendar with Oauth before?
I've never used this API nor used Ruby.
But maybe this is part of the documentation you need to read.
https://developers.google.com/identity/protocols/OAuth2InstalledApp#callinganapi
You add a header in your Http request.
In Java (sorry i really don't know anything about Ruby) I do something that looks like this :
headers.add("Authorization", "Bearer " + token);
Hope this helps
You need to follow the Google Calendar API Quickstart which has function to trigger authentication flow (def authorize)
This function will create a token file that includes the access token and refresh token
It will refresh automatically the token when necessary and authorize your calendar service
Once you have an authorized service, you can use it to perform any calls to the API
Sample how to interlink the quickstart with the guide for event creation:
# This part is from the quickstart and includeds token creation and authorization flow
require "google/apis/calendar_v3"
require "googleauth"
require "googleauth/stores/file_token_store"
require "date"
require "fileutils"
OOB_URI = "urn:ietf:wg:oauth:2.0:oob".freeze
APPLICATION_NAME = "Google Calendar API Ruby Quickstart".freeze
CREDENTIALS_PATH = "credentials.json".freeze
# The file token.yaml stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
TOKEN_PATH = "token.yaml".freeze
SCOPE = Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY
##
# Ensure valid credentials, either by restoring from the saved credentials
# files or intitiating an OAuth2 authorization. If authorization is required,
# the user's default browser will be launched to approve the request.
#
# #return [Google::Auth::UserRefreshCredentials] OAuth2 credentials
def authorize
client_id = Google::Auth::ClientId.from_file CREDENTIALS_PATH
token_store = Google::Auth::Stores::FileTokenStore.new file: TOKEN_PATH
authorizer = Google::Auth::UserAuthorizer.new client_id, SCOPE, token_store
user_id = "default"
credentials = authorizer.get_credentials user_id
if credentials.nil?
url = authorizer.get_authorization_url base_url: OOB_URI
puts "Open the following URL in the browser and enter the " \
"resulting code after authorization:\n" + url
code = gets
credentials = authorizer.get_and_store_credentials_from_code(
user_id: user_id, code: code, base_url: OOB_URI
)
end
credentials
end
# Initialize the API
service = Google::Apis::CalendarV3::CalendarService.new
service.client_options.application_name = APPLICATION_NAME
service.authorization = authorize
require "google/apis/calendar_v3"
require "googleauth"
require "googleauth/stores/file_token_store"
require "date"
require "fileutils"
OOB_URI = "urn:ietf:wg:oauth:2.0:oob".freeze
APPLICATION_NAME = "Google Calendar API Ruby Quickstart".freeze
CREDENTIALS_PATH = "credentials.json".freeze
# The file token.yaml stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
TOKEN_PATH = "token.yaml".freeze
SCOPE = Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY
##
# Ensure valid credentials, either by restoring from the saved credentials
# files or intitiating an OAuth2 authorization. If authorization is required,
# the user's default browser will be launched to approve the request.
#
# #return [Google::Auth::UserRefreshCredentials] OAuth2 credentials
def authorize
client_id = Google::Auth::ClientId.from_file CREDENTIALS_PATH
token_store = Google::Auth::Stores::FileTokenStore.new file: TOKEN_PATH
authorizer = Google::Auth::UserAuthorizer.new client_id, SCOPE, token_store
user_id = "default"
credentials = authorizer.get_credentials user_id
if credentials.nil?
url = authorizer.get_authorization_url base_url: OOB_URI
puts "Open the following URL in the browser and enter the " \
"resulting code after authorization:\n" + url
code = gets
credentials = authorizer.get_and_store_credentials_from_code(
user_id: user_id, code: code, base_url: OOB_URI
)
end
credentials
end
# Initialize the API
service = Google::Apis::CalendarV3::CalendarService.new
service.client_options.application_name = APPLICATION_NAME
service.authorization = authorize
# this part uses service to create an event
event = Google::Apis::CalendarV3::Event.new(
summary: 'Google I/O 2015',
location: '800 Howard St., San Francisco, CA 94103',
description: 'A chance to hear more about Google\'s developer products.',
start: Google::Apis::CalendarV3::EventDateTime.new(
date_time: '2015-05-28T09:00:00-07:00',
time_zone: 'America/Los_Angeles'
),
end: Google::Apis::CalendarV3::EventDateTime.new(
date_time: '2015-05-28T17:00:00-07:00',
time_zone: 'America/Los_Angeles'
),
recurrence: [
'RRULE:FREQ=DAILY;COUNT=2'
],
attendees: [
Google::Apis::CalendarV3::EventAttendee.new(
email: 'lpage#example.com'
),
Google::Apis::CalendarV3::EventAttendee.new(
email: 'sbrin#example.com'
)
],
reminders: Google::Apis::CalendarV3::Event::Reminders.new(
use_default: false,
overrides: [
Google::Apis::CalendarV3::EventReminder.new(
reminder_method: 'email',
minutes: 24 * 60
),
Google::Apis::CalendarV3::EventReminder.new(
reminder_method: 'popup',
minutes: 10
)
]
)
)
result = service.insert_event('primary', event)
puts "Event created: #{result.html_link}"
All you need to interlink those two code parts is to change the name
from client to service or vice versa.
I have a firebase project which Im trying to authenticate from my rails server creating a custom token with the library ruby-jwt as it says on the docs, but i keep getting the same error:
auth/invalid-custom-token, The custom token format is incorrect. Please check the documentation.
The credentials.json is from the service account I made in google console, uid is sent from the front end to the api.
def generate_auth_token(uid)
now_seconds = Time.now.to_i
credentials = JSON.parse(File.read("credentials.json"))
private_key = OpenSSL::PKey::RSA.new credentials["private_key"]
payload = {
:iss => credentials["client_email"],
:sub => credentials["client_email"],
:aud => 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',
:iat => now_seconds,
:exp => now_seconds+(60*60), # Maximum expiration time is one hour
:uid => uid.to_s,
:claims => {:premium_account => true}
}
JWT.encode(payload, private_key, 'RS256')
end
it looks like this in jwt.io
{
"iss": "defered#defered.iam.gserviceaccount.com",
"sub": "defered#defered.iam.gserviceaccount.com",
"aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
"iat": 1486824545,
"exp": 1486828145,
"uid": "4",
"claims": {
"premium_account": true
}
}
It looks like the accepted answer found a way to link authentication from Firebase to Rails, but the original question seems to be asking how to link Rails authentication to Firebase (which is what I was trying to do).
To keep your authentication logic in Rails (ex: from Devise) and share it with Firebase, first get a Firebase server key as a .json file from your Service Accounts page in your project's settings.
You'll only need the private_key and client_id from this file, which I recommend storing as environment variables so they're not potentially leaked in source code.
Next, make a Plain ol' Ruby object (PORO) that will take in a User and spit out a JSON Web Token (JWT) that Firebase can understand:
class FirebaseToken
def self.create_from_user(user)
service_account_email = ENV["FIREBASE_CLIENT_EMAIL"]
private_key = OpenSSL::PKey::RSA.new ENV["FIREBASE_PRIVATE_KEY"]
claims = {
isCool: "oh yeah"
}
now_seconds = Time.now.to_i
payload = {
iss: service_account_email,
sub: service_account_email,
aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
iat: now_seconds,
exp: now_seconds + (60*60), # Maximum expiration time is one hour
uid: user.id,
# a hash to pass to the client as JSON
claims: claims
}
JWT.encode payload, private_key, "RS256"
end
end
Now send this JWT to authenticated users through javascript in your application layout:
window.firebaseJWT = "#{FirebaseToken.create_from_user(current_user)}";
In your frontend code, you can now use this token to authenticate users:
firebase
.auth()
.signInWithCustomToken(window.firebaseJWT)
.catch(error => {
console.error(error);
});
Remember to sign them out of firebase when they sign out of your application:
firebase
.auth()
.signOut()
.then(() => {
// Sign-out successful.
})
.catch(error => {
console.error(error);
});
I found a better way to authenticate, I'm just sending the token that firebase gives you and verifying it on rails with the information I need and that's it.
Check if your secret key is wrapped in double quotes and not single as they contain '\n' escape sequences. An auth/invalid-custom-token error is thrown if the secret key is not as specified in the documentation.
I have an app which syncs to OneDrive. If the user is using Office365 via GoDaddy and I have a grant_type of 'refresh_token', it doesn't return the refresh_token back, which in turn, won't let me refresh the token I currently have. I've tried adding access_type="offline" and prompt="consent" when doing a POST request to no avail. Help?
Here's my code:
credentials = OpenStruct.new
params = {
client_id: client_credentials[:key],
redirect_uri: redirect_url,
client_secret: client_credentials[:secret],
refresh_token: refresh_token,
grant_type: 'refresh_token',
resource: resource_id,
access_type: 'offline',
prompt: 'consent'
}
RestClient.post(client.token_url, params) # doesn't return refresh_token
Based on the request, it seems you were refresh the token. Based on the OAuth 2.0 code grant flow, there is no parameter about access_type and prompt. You can refer below for the support parameter:
And here is the post for your reference:
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
I'm trying to use the Ruby gem 'google_drive'. Before using that gem, I'm obtaining the user's token via the gem omniauth-google-oauth2.
When I try to use google_drive as follows:
def google_oauth2(current_user)
session = GoogleDrive.login_with_oauth(self.token)
# Gets list of remote files.
session.files.each do |file|
p file.title
end
end
I get the following error:
Sending HTTP get https://www.googleapis.com/drive/v3/files?fields=%2A
Caught error Authorization failed. Server message:
{
"error": "invalid_request",
"error_description": "Required parameter is missing: grant_type"
}
Error - #<Signet::AuthorizationError: Authorization failed. Server message:
{
"error": "invalid_request",
"error_description": "Required parameter is missing: grant_type"
}>
Completed 500 Internal Server Error in 128ms (ActiveRecord: 0.4ms)
How can I resolve this?
Update
Omniauth code being used to store the google oauth 2 tokens:
def google_oauth2
auth_hash = request.env['omniauth.auth']
#authentication = Authentication.find_or_create_by(
user_id: current_user.id,
provider: auth_hash["provider"],
uid: auth_hash["uid"]
)
#authentication.update_attributes(
:token => auth_hash['credentials']['token'],
:refresh_token => auth_hash['credentials']['refresh_token'],
:provider_description => auth_hash["info"].email
)
flash[:notice] = "google_oauth2 authed."
redirect_to '/'
end
Working solution to access google drive api without requiring a config.json. This solution uses the refresh token obtained from the google auth 2 omniauth strategy:
require 'google/apis/drive_v2'
auth = Signet::OAuth2::Client.new(
token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
client_id: "XXX-XXX",
client_secret: "XXX",
refresh_token: self.refresh_token # Get this from the omniauth strategy.
)
auth.fetch_access_token!
x = Google::Apis::DriveV2
drive = x::DriveService.new
drive.authorization = auth
files = drive.list_files
This took me .5 day. I hope it helps someone else out there! :)