It is posible to authorize youtube API with multiple scopes once? ( https://www.googleapis.com/auth/yt-analytics.readonly and https://www.googleapis.com/auth/youtube.readonly)
Multiple scopes can be given as a space delimited list.
Per the auth flow documentation
SCOPE Required. A space-delimited list of scopes that identify the resources that
your application could access on the user's behalf. These values determine
which permissions are listed on the consent page that Google displays to the user.
Yes. You can authorize with multiple scopes. If you application can do multiple actions, you would need to add the relevant scopes so that the user can be authenticated and your application can execute the desired actions.
Related
I have requested Google to approve sensitive scopes. Until now the application was accessing the basic name and email data. However, the new requested scopes do not show up on the consent screen. Google requires me to share a video with the new OAuth consent screen but I don't have a way to show the new scopes until they update it. What am I doing wrong? I have looked up other questions and resources and did not find any question specific to this problem related to the sensitive scopes.
The scopes that appear on the consent screen are sent by your code in the authorization setup. Adding them to google developer console just tells google you will be using these. Its your code that needs to request them.
If your not seeing them you haven't added the scopes to the authorization request in your code.
I am making a web application that will automate some actions on Google AdWords. The web application can be used by anyone that has an AdWords account.
I am a bit puzzled by the AdWords API, as it is a different from other Google APIs, in terms that it needs two additional config parameters: developerToken and clientCustomerId, a per their documentation:
https://developers.google.com/adwords/api/docs/guides/first-api-call
When constructing the AdWordsClient object, I need to provide the developerToken and clientCustomerId, in order to push data to AdWords.
My question is whether these two parameters (developerToken, clientCustomerId) need to be different for each user that will use my web application?
It seems that I am able to post data to different accounts with an unrelated developerToken, which does not make sense.
Can I get the clientCustomerId from an API endpoint, so I don't require my users to manually input tokens and ids to the web app, and do the complete authentication with oAuth?
My code is working, I am asking more of the philosophy why I need these two parameters, and if I can avoid asking the user to manually copy them from the AdWords dashboard into my application?
The developer token identifies a given Adwords API developer and is used for RMF enforcement, rate limiting and the like. As you mentioned, this is different from other Google APIs, which I think has to do with the fact that it's not a publicly available API. You always have to use the developer token that was given to you as part of your API sign-up process and are not allowed to use another developer's one (thus there's no possibility to have a user of your application enter it on their own).
The clientCustomerId parameter refers to the specific Google Ads account that you want to interact with. As a given user (identified by the OAuth2 access token that you include in your request) might have access to a whole lot of different accounts, this always needs to be included.
As for how to obtain a list of accessible account given a user's credentials, you can use the CustomerService.getCustomers endpoint for that purpose. Quoting the docs, it will "return details of all the customers directly accessible by the user authenticating the call."
There's a section in Google Cloud Console > APIs & Services > Credentials > OAuth Consent Screen that lets you edit a list of scopes:
However it seems to have zero bearing on the actual permissions that are asked for in the user prompt, which seem to only be influenced by what I actually pass in from my code when going through the OAuth flow. The list does not seem to update itself to reflect the actual scopes you ask for from your code, and it also does not limit the scopes that you can request from your code.
Is the list of scopes configured in the OAuth Consent Screen used for anything?
In your screenshot on the right side "Scopes for Google APIs", this is a list of scopes that your application has asked for in the past. If your app requires validation, Google will use this list as part of its process to evaluate your app. For most of the items (scopes) in the list, you can click the delete icon to remove the scope from the list.
When you create your credentials (OAuth Tokens), you specify the scopes that you want at that time. The list in your screenshot is not used to specify scopes, just to keep track of the ones that you have used.
As mentioned by #Hanley, this screen shows the list of scopes that your application has asked for in the past. If your application needs to be verified, Google will use the scope list. You can add or delete any scopes that you want. The key point is that the screen is used for verification of your application. Add or delete any scopes that you want. Once approved however, if you use a scope not approved then the approval process needs to be repeated.
When credentials are generated, this specify the scope that is needed at that time. The list updates itself based on the scopes used by the application. However, the update is not immediate.
I am building a small subscription-based e-commerce solution with spree. I would like to pull a list of subscription options (monthly, yearly etc.) from spree for users to purchase.
The issue is that the API requires an authentication token to be sent to the endpoint /api/products and therefore isn't suitable for guests hitting the site for the first time.
Is there a way I can pull the list of products from a certain category without needing authentication? I know there is the ability to disable authentication for the API but I don't really want to open up the whole API!
You can allow read-only access to your API by placing this in your config>initializers>spree.rb file:
Spree::Api::Config[:requires_authentication] = false
This will NOT open up the whole API. This will only allow read-only access without the need of appending a token. According to the spree docs:
"For actions that modify data within Spree, a user will (still) need
to have an API key and then their user record would need to have
permission to perform those actions."
More information here:
https://guides.spreecommerce.com/developer/security.html
I am thinking to embed google calendar in my website to achieve the following and was wondering if this is doable in google calendar. Otherwise I have to go find another solution.
I have groups of users with one super user, and rest are regular users as follows:
GroupA
Super User 1
Regular User 1
Regular user 2
etc
Group B
Super User 2
Regular User 3
Regular User 4
etc
Each group have their own calendar. Users in each group can not see the other group's calendar. Only able to see their own group's calendar.
Super users of each group have all access to the calendar (add, modify, delete) and have the ability to control how much access regular users have in their group. (read only? read/write etc)
All users are registered to my website, therefore I am thinking to use only one google calendar account (my own account) to create a calendar for each group. Which leads to a question of authenticating my website to google's API. I need the authentication process to be automatic, hidden away from the user and be done on the server side.
My site is built using PHP/Mysql
Q1:
I have tried the Javascript client library provided by google, however it require the user to type in username/password to log into google so that the authentication (OAuth2) process can work. As mentioned in previous paragraph, I only want the user's to log into my website, they do not need to login again into google account. This should be done on serverside.
I even went as far to create a login form with information prepopulated (hidden from the user, the username/password will be visible in "view page source") and send the request to https://accounts.google.com/ServiceLoginAuth, and make the form automatic submit once the user successfully login into my website. However this causes cross domain issues.
Q2:
I may potentially have 10's of thousands of groups registered on my website. each group may have couple hundred users. Can one single google account create that many calendars?
Q3:
Once the calendar is embedded into my website, it seems to be read-only. Is it possible to make it interactive so super users in each group can add/delete/modify events?
Any ideas/suggestions is much appreciated.
Thank you
No answers? It seems like your question is straightforward. If I understand correctly, you want to access calendars from several Google accounts/users. Each user needs to authorize this access, but they only need to do so once. You could generate these requests and send them out via email, for example. When the user grants permission, Google forwards a grant code to your specified callback_uri. The grant code is extremely volatile. It's used to request a token from Google that apparently lasts indefinitely. So there's no requirement that users continually log into Google.
In Google's calendar/simple.php example. The token is stored as a SESSION variable. Even though the token is persistent, the SESSION variable is not. Users have to grant authorization every time the SESSION variable expires. Storing persistent data in a volatile variable is absurd and probably gives the wrong impression about the OAuth2 token mechanism.
I spent a lot of time writing documentation that I couldn't find anywhere else. Please take a look if you think it might help: http://www.tqis.com/eloquency/googlecalendar.htm
What you're asking isn't possible in Google Calendar.
If you're looking to support thousands of groups and each group needs it's own calendar, then you're saying that you'd need thousands of calendars with access control and you'd need authentication to the calendar to be transparent.