I'm in the process of learning how to interface with OAuth. I'm using a fusion table as the back end of a database and then using google apps scripts to interface with that database. Parts of the apps script will run of time scheduled triggers while other parts will be published as a webApp. I've run into some other OAuth issues (see thread link below), but this question is much more fundamental. When reading the Google API OAuth literature, it describes different OAuth flows and I don't know which one my program is. Is my application a "web server application", "client-side", "service account" or what.
Google API OAuth info: https://developers.google.com/accounts/docs/OAuth2
Other Thread: Getting Google Apps Script to Authorize Fusion Table API
First of all, the fact that you install a trigger to run a certain function at certain times has no bearing on which Oauth Flow you should use.
Oauth is used to allow Users of your App to grant your App permission to access certain resources that normally only they would have access to.
When you include certain API calls in an App Script, Google Apps automatically presents the user with a Dialog asking for "Authorization" to use these resources on their behalf.
Therefore, in your use case of an App Script as a Front-End to a Fusion Table, you would not need to use Oauth to get Users to Grant permission.
You can Publish your Script to "act" as the User or as the Script Owner.
Related
We're trying to write an automated script (i.e. no user interactions) that pulls YouTube reporting data from API (esp. with Google Python API Client).
Currently, we have a Google user that is a Content Manager of a channel, and we can access its Creator Studio on YouTube.
So far, we have followed the official code sample, created a client secret file for the Google Account, and we're able to access the reports after approving the permissions in a browser popup. However, since we are going to port it to an automated script, this is not practical for us.
Is there a way such that we can have a "client secret file" that allows us to talk directly to Google API without the need for extra verifications?
(The OAuth playground looks promising, as we're able to generate Refresh Token and Access Token there; however, we're not sure about how to use them in the Python API Client...)
I am attempting to get get a Ruby on Rails project that uses the Google AdWords API.
What I did so far, following the steps in this guide:
I created an AdWords Manager account.
I created a test account that is part of the AdWords Manager account.
I set up the Ruby client library in my Rails project.
I then attempted to set up OAuth2 authentication with the example code from the guide.
However since the guide was written (and the video version of the guide was made) it seems that the interface has changed. I am able to create a Client ID client_secrets.json-file, or a Service Account .json file. I am able to export these and read the settings from .
I added the required settings, using an OAUTH2_SERVICE_ACCOUNT .json file.
Now, when attempting to connect, I get back the AdwordsAPIException AuthenticationError.NOT_ADS_USER.
I therefore know that the actual authentication works. However, the authorization does not.
How can I turn on AdWords API support for the oAuth credentials from my google accounts? The Google Credentials Console lists many APIs that you can turn on, but the AdWords API is not in there. The AdWords guide does not mention turning on an API at all, and only tells you to create a new Credential.
What is going on here?
The Adwords API does not need to be added to your project in the Google Cloud console (it's always enabled)—as indicated by the error message, the actual problem lies in the fact that your service account does not have access to any Adwords accounts.
As a matter of fact, the only way to use service accounts to authenticate against the Adwords API is when you're also using a G Suite domain (see the corresponding documentation, section "Prerequisites".
If you have a G Suite domain, you'll need to
Enable "G Suite Domain-wide Delegation" on your service account key
Add the project ID of the Google cloud project to your G Suite domain's authorized API client list
Use your service account to impersonate any user from your G suite domain that has Adwords access
As you can see, it's quite an involved process. My recommendation (that is shared by the above article) is to use an OAuth2 installed application flow for any user that has Adwords access. This requires to store the obtained refresh token on your end, but is more flexible (and arguably safer) than a delegation-enabled service account and easier to set up.
We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)
I'm trying to build a Google Apps Marketplace App using the new APIs only available through OAuth2. We already have an app using the old APIs, but I'm having trouble figuring out how to have the same flow with OAuth2.
In our old app, the domain administrator would install the app and give it permissions. Then, we could just make requests using our app's id/secret without user interaction. (2-legged OAuth)
How would I do this with OAuth2? None of the flows described here sound like what I'm looking for.
I'm also having hard times to find out to get this new OAuth2 login up and running.
You will have to use service accounts to make requests on behalf of the user.
Documentation is here:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
I did not yet manage to get the flow working without each user being prompted again, but this most likely is because I need offline access:
Google Apps Marketplace SDK + Domain-wide OAuth 2 SSO
I have created a project with Google Big Query.
I have one table with data. A service performs insert every hour in the table. The service uses a service account with a p12 file to authenticate without user interaction.
I have developped also a desktop application which authenticate via the browser (OAuth2Authenticator). It works well but eveyone who have a google account can login and accept to use my application, and I don't want that !
Is it possible to specify a list of authorized google accounts for a google big query project ?
Thanks,
Luc.
Yes, you can control who has access to your BigQuery datasets, as well as who is a member of the Google Developer Project that your BigQuery datasets are attached to.
If you are creating a Desktop application, the best way to provide authorization to BigQuery for specific users of a restricted dataset is to use an "installed application" Oauth2 flow. Are you currently using this flow?