I have been playing with the new Admin SDK in conjunction with the "upgraded authorisation experience" and wondered if someone has any experience/examples on how to use it. From what I have read, if you upgrade the authorisation experience you shouldn't need to use OAuth 2.0 and get a client ID and secret from the API console.
When you upgrade the authorisation, the API console entry is automatically created so you just have to turn on Admin SDK. Your app should then run simply using your own admin credentials.
Have I misunderstood this and if so, what is the benefit of the new authorisation experience?
I can use the Admin SDK just fine if I create a client ID and secret in the API console but this is using OAuth 2.0 then.
If someone has an example of how to use the Admin SDK with OAuth 1.0 that I could have a look at, it would be much appreciated.
You will still need to get your tokens and API key...
Taken from the Directory API documentation:
If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key. You can find your application's API key in the Google APIs Console, in the Simple API Access section of the API Access pane.
If you are looking for an oAuth2 example with GAS, Arun has a nice example he posted on GitHub, see the SO posting: How to authorize with oauth 2.0 from appscript to Google APIs?
Sorry, I don't have any oAuth1 example to interface with the new APIs.
I'm fairly new to programming, I've just got the basics down in terms of object oriented programming and a little bit of databases. I was just wondering if anyone could give an in-depth explanation as to what Google's credentials.JSON file does when trying to use their API. I'm using Visual Studio and C# if that's important.
Google's credentials.JSON contains information about your application that will identify it to Google. It also gives your application some information it needs in order to find Google's OAuth server and use it.
You should be aware that there are three types of files. Web, native and service account. The files are designed for use with different types of applications.
A web application would use web credentials and the code designed for authorization with a web application.
A native application would use native credentials and code designed for use with authorization of a native application.
An application which would be just for server to server communication between data the developer owns and does not need to access user information would use service account credentials and the code needed for authorization with a service account.
Below is the example of the oauth credentials used for a web application.
{
  "web": {
    "client_id": "450547033183-5uok2fl5u.apps.googleusercontent.com",
    "project_id": "developer-info-2b41cd",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "Fu8ZmTGOMvHjqQEseZE68hg",
    "redirect_uris": [
      "https://developer-info-2b41cd.firebaseapp.com/__/auth/handler"
    ],
    "javascript_origins": [
      "http://localhost",
      "http://localhost:5000",
      "https://developer-info-2b41c.firebaseapp.com"
    ]
  }
}
client_id: Identifies the client to Google so they know which OAuth client this is; you can create more than one set of credentials per project.
project_id: Your project on Google developer console.
auth_uri: The URL endpoint you will need to contact Google to authorize.
token_uri: The URI endpoint you will need to request the initial token.
auth_provider_x509_cert_url: The location of all the OAuth certificates.
client_secret: Think of this as the password for your client id.
redirect_uris: Authorized URLs where you would like the authentication to be returned to.
99% of this is used by Google's OAuth2 server to authorize both your application and the user attempting to log in. If you're interested in how OAuth2 works, I suggest reading through some of the RFCs for OAuth.
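As an added illustration (not code from the answer above), this Python example reads a credentials file, works out which of the three types it is from its layout, and lists points worth reviewing before the file is deployed. The sample file is constructed with placeholder values and the function name is hypothetical; the "installed" key for native clients and "type": "service_account" for service accounts are how Google lays out those files.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the same shape as the web credentials shown above;
# every value is a placeholder, not a real client.
SAMPLE = json.dumps({
    "web": {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "project_id": "example-project",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "client_secret": "PLACEHOLDER-NOT-A-REAL-SECRET",
        "redirect_uris": ["https://app.example.com/callback",
                          "http://app.example.com/callback",
                          "http://localhost:5000/callback"],
    }
})

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def inspect_credentials(text):
    """Classify a Google credentials file and list points to review."""
    doc = json.loads(text)
    if doc.get("type") == "service_account":
        kind, body, secrets = "service_account", doc, ["private_key"]
    elif "web" in doc:
        kind, body, secrets = "web", doc["web"], ["client_secret"]
    elif "installed" in doc:
        kind, body, secrets = "native", doc["installed"], ["client_secret"]
    else:
        raise ValueError("not a recognised credentials file")

    findings = []
    for name in secrets:
        if body.get(name):
            findings.append(f"{name} present: keep this file out of source control")
    for key in ("auth_uri", "token_uri"):
        if key in body and urlsplit(body[key]).scheme != "https":
            findings.append(f"{key} is not HTTPS: {body[key]}")
    for uri in body.get("redirect_uris", []):
        parts = urlsplit(uri)
        # Plain HTTP is only acceptable for loopback addresses used in development.
        if parts.scheme == "http" and parts.hostname not in LOOPBACK:
            findings.append(f"redirect_uri over plain HTTP: {uri}")
    return kind, findings


if __name__ == "__main__":
    print(inspect_credentials(SAMPLE))
```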
I'm having difficulties finding documentation for auth0 and microsoft graph integration. My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.
As I've understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:
I login with a SPA auth0 app (using a microsoft identity)
This is then used to authenticate to a backend server using a api registration in auth0
The backend has its separate machine-to-machine app in auth0
Backend api uses this separate app to get access token to auth0 management api
Current user is fetched (based on the logged in user from front end app login) from management api,
Here I find an access token under the azure identity (if I do the same in the front end, the access tokens are omitted)
Token does not work to call graph, I am unsure of where to send it next.
I am aware that the above is probably completely wrong, that's why I am here :)
My questions are:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
2) Does anyone have a link that discusses this, ideally with some code samples.
To answer your first question:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
I have had the chance to authenticate apps using the Microsoft identity library called MSAL, whose documentation is found here. It gives a pretty detailed way to authenticate directly from your SPA.
I have also used the microsoft javascript sdk as it comes inbuilt with token caching and refreshing so that I do not need to build that for myself.
In relation to this,
Does anyone have a link that discusses this, ideally with some code samples.
You can find the samples well described in the samples section of the SDK
I hope this helps.
I am trying to integrate quickbooks online v3 with c#.
In earlier version I could connect with appid and token.
Current version I would like to bypass the login and use API. Token is generated after logging in to qbsite.
No, this isn't possible (for what should be very, very obvious security reasons - why would anyone want to allow any person access to all of their company's financial data without any sort of login/authentication mechanism whatsoever?).
The new v3 APIs use OAuth for authentication. The end-user is required to log in once to generate the OAuth tokens and authorize your app to access QuickBooks data.
After that authorization, you can use those tokens to access QuickBooks data any time you want.
This pretty much exactly mirrors the old qbXML connection ticket method that was previously available.
Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently in Oslo NDC 2013, this subject flow apparently skips the authorization end point altogether and directly talks to the token end point of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
user_name=owner&
password=password&
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situations (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
thanks in advance
Dear kind internet person,
it is true that Resource Owner Password Credential Flow is not supported on Google, but Google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console). When you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth\?
scope\=<scope>\&
redirect_uri\=urn:ietf:wg:oauth:2.0:oob\&
response_type\=code\&
client_id\=<client_id fetched from google console>
You would construct this URL and navigate to it in your browser, allow access for the app, and Google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and these credentials are permanent. There's a good example of that on GitHub. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
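The steps in the answer above, as an added Python example (not the answerer's code and not the GitHub example it mentions): it builds the authorization URL, the form fields for the one-time code exchange and for later refreshes, and stores only the refresh token in an owner-readable file. The function names and the storage layout are hypothetical; the token endpoint is the token_uri value from the credentials file shown earlier on this page, and nothing here performs a network request.

```python
import json
import os
from urllib.parse import urlencode

AUTH_URI = "https://accounts.google.com/o/oauth2/auth"   # endpoint used in the answer
TOKEN_URI = "https://oauth2.googleapis.com/token"        # POST target for both forms below
# redirect_uri used in the answer (Google has since deprecated oob; pass a loopback URI instead)
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"


def authorization_url(client_id, scope, redirect_uri=OOB_REDIRECT):
    """Step 1: URL the user opens once in a browser to grant access."""
    query = urlencode({
        "scope": scope,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "client_id": client_id,
    })
    return f"{AUTH_URI}?{query}"


def code_exchange_form(client_id, client_secret, code, redirect_uri=OOB_REDIRECT):
    """Step 2: form fields POSTed to TOKEN_URI to trade the code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def refresh_form(client_id, client_secret, refresh_token):
    """Later runs: form fields POSTed to TOKEN_URI for a fresh access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def save_refresh_token(path, token_response):
    """Persist only the long-lived refresh token, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": token_response["refresh_token"]}, fh)
```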
As far as I know, no. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.
What is the preferred method of accessing the Gmail API across sessions without user input? E.g. user logs in once, some fairly-non-sensitive ID is stored on my server, and I use that ID along with my app's secret/key to access user's mailbox...
I noticed that OAuth 1.0 is now deprecated by google (I'm assuming that OAuth 1.0 enables the aforementioned login mechanism), so what should we use? Does OAuth 2.0 + IMAP work with Gmail?
I'm using a Rails 3.2.6 backend.
Without storing the user's password, the only way for full GMail access is using IMAP/SMTP with OAuth 1. With OAuth 2 you currently can only access the Atom Inbox Feed.
Though OAuth 1 was already marked deprecated by Google, it should be supported until April 2015.
UPDATE:
OAuth 2 authorization support for GMail IMAP/SMTP just recently arrived, so this is now the recommended way to go.
I don't find any information in the oAuth API docs about oAuth 1.0 being deprecated.
However oAuth 2.0 seems to be there as well for Gmail: oAuth 2.0 Playground.