I've made an app who use OAuth from Google to access to Google Sites API. It works perfectly, but I want less user action, especially the first time when you must accept google's permissions, get authorization token, to get access and refresh token.
I want to know if it's possible to avoid all this steps (for users, and do this behind the application), in the code with HTTP requests for example or google libs, and just have to inform a google account (mail/password) to get an access/refresh token.
Have you any tips or knowledge about this ?
Thanks by advance
As i was using google analytics api i made some research and the minimum process is:
user click authenticate link on your web page, then is redirected to external google webpage when is prompted securely for login and password. and nothing else.
This oauth refresh token you can automate then - read about this in google docs - there is some info about this. i made all by changing a little simple hello world analytics app from google code.
As i remember You had to know what class in php is, and changing oauth wrapper in simple apps. It can store and process refresh tokens automatically - user needs to enter login and password as i said but it can be stored in cookies, so made once.
Related
I'm building an application that needs to have access to Google Drive and Google Sheets. I want the user to go to https://mydomain.appspot.com/authenticate to go through the Google login flow and authenticate themselves so that the backend receives access tokens for both Google Drive and Google Sheets.
After that I want the backend to be able to access Drive and Sheets without user interaction. For example, I would like a scheduled task to run every hour and retrieve some data from Drive and Sheets. I want the backend to use the token it received when the user authenticated themselves.
Is this possible? I really hope so. I have been looking here and I don't really find anything that can help me. https://developers.google.com/sheets/api/guides/authorizing
The backend is developed in Java and deployed on Google App Engine.
A long lived access token is actually called a refresh token. You will need to have your users authenticate your application then you will receive a refresh token. the refresh token can then be used to request a new access token from the Google authentication servers when ever you need.
Note: Do not get yourself side tracked with serviced accounts its not the same thing. You can run automated scripts using a refresh token gained from Oauth2, googles terminology is just a little confusing.
Check out the official google java client library it should handle most of it for you. Using OAuth 2.0 with the Google API Client Library for Java
You need to setup Offline Access as defined at:
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed.
After reading the documents of Google API. I know that if a project we create needs to access private data, we should use oauth. But here is my situation. we will open a business account in Youtube, and we will create a project to push videos to our own account, we don't need to operate other user's' account. Can we use google youtube data api without OAuth?
There are two ways to access private user data with Google APIs.
Strait Oauth2. where you have a consent for asking the owner of the account if you can access it
Service accounts which are technically pre authorized by the developer.
Normally I would say because you are only accessing the one account that you own, use a service account. Unfortunately the YouTube API does not support service account authentication.
Due to the lack of service account support you will have to use Oauth2. I have done this in the past.
Authentication your script once, using a server sided language of some kind. The Authentication server will return to you a Refresh token. Refresh tokens can be used at any time to get a new access token. Access tokens are used to access Google APIs and are only valid for an hour. Save this refresh token someplace. You will then be able to allow access the YouTube account in question when ever you like.
Note: You will have to watch it. Refresh tokens can on rare occasion become invalid. I recommend having a script ready that will allow you to re authenticate the application again storing a new refresh token. Its rare that it happens but it can happen best to be pre-paired.
Oauth Play ground
Part of the point of Oauth is that it identifies your application to Google though the creation of your project on Google developer console. Things like quota and access to which APIs is controlled though that. If you spam the API they will know and shut you down. (never seen this happen)
When you request access of a user it pops up with the name of the project on google developer console. This is identified by the client id and client secrete for that project on google developer console. When I use oauth playground I get asked 'Google OAuth 2.0 Playground would like to ..'
So by using playground you are using Googles client id and client secrete to create a refresh token for yourself. If N other devs are also doing this the quota for YouTube may be used up in the course of a day. Also security wise you are now giving that project access to your data. Ignore that for a second what if google suddenly decides to remove change the client id or generate a new one. Your refresh token will no longer work. What if random dev X is using it as well and he starts spamming everything and the client id gets shut down (Think this happened last year) your going to have to wait for google to upload a new client id for the one that has now been banned.
Google OAuth 2.0 Playground might seam nice but its not for daily use IMO its good for testing nothing more. Create your own project and get your own access its not hard just requires a programing language that can handle a http Post.
My tutorial Google 3 legged oauth2 flow
So I read the following on the Authorizing Requests to the Google Calendar API page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there an Google Calendar alternative that has a dependable API that I could use?
When the user authenticates your application you are given an Access token (good for one hour) and a refresh token. You should save the refresh token, when ever you need to access the users data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to there account.
I wrote a tutorial that tries to explain Oauth2 how to set it up and how it works. Google Developer console Oauth2
I was trying to achieve an openID login with google and then get an acces token to access google apis (such google plus, or drive)
The first attemp was successful but with a big problem:
Make the openId stuff, and the user is redirected to google to identify himself, then return to my app identified.
Make the oAuth stuff with google apis, redirect the user again to identify himself and cameback with a code, then exchange the code for the access token needed to call google apis.
The user needs to identify twice. That's not good.
I read and tryed the google hybrid openId and oAuth. All links there points to the deprecated oAuth1 interface, and i cant make it work, i get the user identified but not request_token to continue the oAuth stuff.
So i have a couple of questions:
Is there a way to identify the user agains google openId and at the same time get the users consent to access google apis?
Is the hybrid protocol still working with oAuth2 and new google apis?
I'm on the good way or im missing something?
I need both openId and oAuth beacouse the application needs to be in the google marketplace and is a must to login users with openId, and i need to hit some APIs that need oAuth2 access_token.
Thanks!
Why do you need to work on both OpenID and OAuth side by side, and have two login screens? If you simply use OAuth 2.0 workflow, the user needs to key in his credentials just once and you can do anything that you want to.
Once the user consents to the login/permissions screen in the OAuth workflow, your app will get an access token. If you need any client info for, say, a welcome user screen - you just need to hit the https://www.googleapis.com/oauth2/v1/userinfo endpoint with the access token and it will give you the user's public information. So, in short you can do pretty much most of the things with the OAuth flow, and with the user logging in just once.
Good luck! Feel free to follow up with more questions.
OK, finally i have a working solution, and this is the "magic" url that make the trick for me:
String url = "https://accounts.google.com/o/oauth2/auth?"
+ "client_id="+ GoogleapiAuthHelper.CLIENT_ID +"&"
+ "response_type=code&"
+ "scope=openid%20profile%20https://www.googleapis.com/auth/plus.me&"
+ "redirect_uri="+GoogleapiAuthHelper.REDIRECT_URI+ "&"
+ "state=security_token%3Dasdalskjqwo91231029";
if( userService.getCurrentUser() != null ){
url += "&login_hint=" + userService.getCurrentUser().getEmail();
}
Steps:
First of all, identify the user with openId, the users go to login screen and type his credentials.
User return idenfied to the application
Redirect the user to the URL above. The param login_hint makes that the user dosen't need to idenfity again and the response to this url is a redirection with an oAuth code, wich you can easily exchange for the desirec access token.
After reading all Google Plus API, Google Drive API, oAuth2 and openId documentation, the doc that point me to the rigth direction was https://developers.google.com/accounts/docs/OAuth2Login?hl=es
I don't know if this is the best way to achieve openId + oAuth, but it works and i cant make it work in any other way. Hope this can help someone.
I'm trying to use OAuth with .NET (DotNetOpenAuth) to send updates to a Twitter account via a web application. I understand the basic workflow of OAuth and Twitter.
Where I'm confused if is it useful in a server web application? I don't want any user interaction.
But how it seems after an application start, the request token needs to be recreated and also an access token. This involves user interaction.
What is the correct workflow for my case?
Storing the request token or access token in config file?
Or the easist way, using HTTP basic authentication?
Thanks
If I understand you correctly your application will not be interacting with Twitter on behalf of your users but will be acting as the Twitter account for your application.
In this case there are 2 main factors to consider.
1) Do you want "from API" attached to each status as will be if you use basic auth or your applications name will happen if you use OAuth.
2) Do you want to put in the extra effort to implement OAuth.
If you decide to go with OAuth you would store your apps consumer key/secret and the accounts access token in configuration just like you would store the accounts screenname/password.
Your "request token needs to be recreated" phrase suggests you might be running into the problem where every time your user visits you need to re-authorize to Twitter, and perhaps you're looking for a way to access the user's Twitter account while he's not at your web site, and how can you do this when their token isn't fresh from being re-authorized. Is that right?
If so, the user isn't supposed to have to re-authorize Twitter every time they visit your site. The token is supposed to last a long time, which would also allow your site to access their Twitter account when they are not directly interacting with your web site. The problem may be that you haven't implemented the IConsumerTokenManager interface, but are instead using the default InMemoryTokenManager, which is for sample use only, since this memory-only token manager loses tokens every time the web app is restarted. Your own implementation of this simple interface should store and read the tokens out of some persistent storage such as a database.