I am developing application which is required to upload file into Google Drive.
I started learning API from following link.
https://developers.google.com/drive/ios/quickstart
Currently,I have to login first time for upload file. But in my application, every time there is same account will be used for uploading file.
So, is there any way by which I can bypass GTMOAuth2ViewControllerTouch (login screen).
Please help me.
I will be very thankful for your replay.
Most Google APIs currently require an OAuth 2 token, and so far that is available only via the user-directed sign-in flow, which is what gtm-oauth2 provides.Some older Google APIs do support the ClientLogin protocol, in which the username and password are supplied directly by the application, but the newer APIs do not.
Remember that hardcoding any account authorization(especially an account password) into an application's binary is a security risk and
is poor practice.
Related
I'm writing an open-source stand-alone desktop app in Java that handles photos, and I'm adding a feature to let users upload pictures to their Google Photos account, but I'm faced with an authentication/security question.
I've registered my project to use the Google Photo API and have downloaded my credentials JSON file. I've been able to use it successfully with the samples from the java-photoslibrary Github project, so all is good.
However, the credentials file contains a "client_secret" key which, if I'm not mistaken, should not be disclosed (am I correct here ?). But those credentials have to somehow be distributed with the app and, as it is open-source, will be basically public. So my question is: How can I authenticate my app's user to his/her Google Photo account without disclosing my app's secret key ?
Note: I've integrated Dropbox upload, and their procedure for desktop apps clearly explains how to authenticate without embedding the secret key in the Desktop app using OAuth's token flow. Is there an equivalent for Google Photos ?
Thanks.
Edit: made some progress (see my own answer below), but after I finally got time to implement it, I realized that after user has authorized the app and a valid code has been returned (Yay!), step 5 (Exchanging the code for a token) again requires the client_secret ! :-(
I tried the call without it but I'm receiving a "client_secret is missing" error, so that's not a typo.
After more search (with the [google-oauth] keyword instead of [oauth-2.0], which says it all), it seems "secret" does not mean it is actually "secret" in Google world. In other terms, it's OK to embed it in your apps because, well, it's secret but it cannot be used in a malicious way (hopefully)...
See answers to these related questions:
Safely distribute OAuth 2.0 client_secret in desktop applications in Python
Why does Google provide a client secret for a Native application?
Integrate oauth2 with native (iOS/Android) mobile application
One Google page even mentions that "In this context, the client secret is obviously not treated as a secret."
Come on Google, explain me how security works :-)
OK I think I found the answer.
Similar to Dropbox, Google can use OAuth 2 with PKCE, they just use the full spelling "Proof Key for Code Exchange", that's probably why I didn't find it at first :-). The details are here:
https://developers.google.com/identity/protocols/oauth2/native-app#obtainingaccesstokens
I didn't find the equivalent process in the Google APIs, but those API are megabytes of classes so I may have missed it. Basically, all it takes is just sending a few requests and listening to the response, so I think I'll implement it from scratch (and will probably also get rid of Dropbox's client libs as the process is so similar).
Hope it helps...
Edit: that doesn't address the point because after the clean PKCE procedure, the app still has to send its private key to exchange the authorization code for a token. See edit in my question
I want to upload files to Google Drive using the Google.Apis.Drive.v3 in asp.net MVC. I want my visitor to upload the files to my google drive, I will set the credentials of my google drive in code. Can anyone help me to get this work?
I tried the quick start sample for upload but it asks for the credentials every time. Or it uses the cached credential.
How can I upload a file without knowing the user about the credential?
According to this documentation, you need to get the access credentials to enable the Google Drive. If you want to programmatically access users data without any manual authorization on their part, then perform Google Apps Domain-Wide Delegation of Authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0. You can also check on this link which might help.
I am using the Gmail API in iOS with the code that is given on the link
https://developers.google.com/gmail/api/quickstart/ios?ver=swift
and I tried running the application on an iPhone but every time, when I start the application it is asking for a Google login for authorization.
The page at Google Developers says that:
Authorization information is stored in your Keychain, so subsequent executions will not prompt for authorization.
So my question is that for my application is the Keychain value not being stored, if so how can I correct it and if not what can be the possible error in the code that is in the link provided above?
I'm creating a simple iPhone app. The basic premise is that the app will display some data (That I provide online) on the application. The data changes over time, so the app has to draw the data from online and display it. I don't have a significant programming background so I don't want to use my own server.
Thus, I thought it would be significantly easier to just put the data into some documents on a Google account and then access them programmatically via the Google Drive API. I could then update the data in my Drive account and it would get updated in the application. The key here is that I am ONLY accessing ONE account that I own MYSELF. The users' accounts are not being accessed. Therefore the goal is to never have to log in manually. It should all happen behind the scenes, aka, it should look like a server, not a google doc.
With this in mind, it doesn't make sense to show the Google Accounts sign-in page to my users as the standard OAuth2.0 tutorial shows here:https://developers.google.com/drive/quickstart-ios#step_1_enable_the_drive_api
I should be able to access my own data by somehow hardcoding in my username, password etc. Google agrees here: https://developers.google.com/drive/service-accounts#use_regular_google_accounts_as_application-owned_accounts
The above link mentions a "refresh token" that I'm supposed to save. However, I have no idea how to build and save that token, or even for that matter, where to find it.
I've gone through both the basic tutorial and the Dr. Edit Tutorial for iOS, but they both assume that the application is accessing USER accounts not application-owned accounts.
I'm not asking for someone to write the code for me (though tidbits are nice), but if you can point me to a step-by-step guide or related sample code that would help me get started that would be awesome. I'll even come back and post the code that I use!
EDIT: Since I realized that the Google Drive API wasn't something I could use for what I am trying to do, I eventually found Parse which is an awesome tool that handles all the server backend for me and is free at the basic level.
Google APIs objective-C client library doesn't support service (application-owned) accounts, because they are supposed to be used by a server-side apps, instead of clients -- you shouldn't be distributing your private key as a part of an app.
If you would like to distribute content from a service account, maybe you should write a server leg to do the authentication and pass clients credentials in a secure way for them to talk to the API on the behalf of the service account. Or, use Web publishing to make documents universally accessible without authorization and authentication if privacy is not a concern.
Where and for how long are the tokens held when using the iOS Box SDK? Are they placed into a keychain or elsewhere?
I found the following line in the "OneCloud on iOS" web page under the "Web API Library" section.
"Second, the web API Library uses Keychain to store sensitive
information such as the Auth Token."
That seems to conflict with following on the "Authentication in your iOS app" web page.
"The user is now fully logged in and you can use this auth token with
every API call that requires it. You may store the authentication
token for future use, so that the user does not need to
re-authenticate with your application every time they use it. Please
use the Keychain (of the Security framework) for this."
The first page you're referring to refers to when you're using our iOS SDK.
The second page you're referring to refers to when you're building your own API integration from scratch.