This is a very high level question, to a high level answer too, so I'm just looking for some pointers on the right direction.
Let's say I want to build a web application to manage a user's Google Contacts. I understand this is done by allowing the user to log in with his Google Account while asking for permissions to manage his Google Contacts. So far so good.
Now I want to expose my own API layer for external browser extensions, Android clients, etc. But while I want the API clients to authenticate against Google, I don't want the applications to have full access to the user's Calendar, as the Secret Token is stored on the server.
So, how is this typically handled? I would like to do it by the book as much as possible, without having to implement a lot of security code.
Btw, while the question is too high level, feel free to point me to technical docs.
Thanks
Limited access to the user's resources can only be guaranteed by limited OAuth scopes:
https://developers.google.com/gdata/docs/auth/oauth#Scope
Some APIs, for instance the Contacts API, only provide a single scope which gives you access to all the data. In cases like this, the user can only choose between giving you access to all his contacts or none of them.
Other APIs expose different OAuth scopes, allowing the developers to only request access to a subset of the user's data. A good example of this is the Google Drive API, which has 5 different scopes for the developer to choose from:
https://developers.google.com/drive/scopes
Related
I am making a web application that will automate some actions on Google AdWords. The web application can be used by anyone that has an AdWords account.
I am a bit puzzled by the AdWords API, as it is a different from other Google APIs, in terms that it needs two additional config parameters: developerToken and clientCustomerId, a per their documentation:
https://developers.google.com/adwords/api/docs/guides/first-api-call
When constructing the AdWordsClient object, I need to provide the developerToken and clientCustomerId, in order to push data to AdWords.
My question is whether these two parameters (developerToken, clientCustomerId) need to be different for each user that will use my web application?
It seems that I am able to post data to different accounts with an unrelated developerToken, which does not make sense.
Can I get the clientCustomerId from an API endpoint, so I don't require my users to manually input tokens and ids to the web app, and do the complete authentication with oAuth?
My code is working, I am asking more of the philosophy why I need these two parameters, and if I can avoid asking the user to manually copy them from the AdWords dashboard into my application?
The developer token identifies a given Adwords API developer and is used for RMF enforcement, rate limiting and the like. As you mentioned, this is different from other Google APIs, which I think has to do with the fact that it's not a publicly available API. You always have to use the developer token that was given to you as part of your API sign-up process and are not allowed to use another developer's one (thus there's no possibility to have a user of your application enter it on their own).
The clientCustomerId parameter refers to the specific Google Ads account that you want to interact with. As a given user (identified by the OAuth2 access token that you include in your request) might have access to a whole lot of different accounts, this always needs to be included.
As for how to obtain a list of accessible account given a user's credentials, you can use the CustomerService.getCustomers endpoint for that purpose. Quoting the docs, it will "return details of all the customers directly accessible by the user authenticating the call."
Sorry if my question to too naive. But i wish to find audience level information for a particular twitter handle. Lets consider #BarackObama, i wish to find his followers by gender, age, language, location etc. I used python scripts in this link https://github.com/GnipDz/Python-Insights to achieve it.
I do have access to twitter ADS API but it still shows your application ID is not authorized when i try to run the scripts. Is there a special API or addition over Ads API to achieve this? can someone guide me as to how i can do this?
Those scripts use Twitter's enterprise (commercial) Audience API. This API does not enable you to access audiences for individual users, only aggregated data for large numbers of Twitter handles. Additionally, this is not a free-to-access API so you need to have an active enterprise subscription for this to work.
I'm not aware of any programmatic way to access this data, and particularly not for any organic account - the Engagement API enables access to Tweet engagements for the authenticated account, but you're not able to access that data for other users.
I'm creating a simple iPhone app. The basic premise is that the app will display some data (That I provide online) on the application. The data changes over time, so the app has to draw the data from online and display it. I don't have a significant programming background so I don't want to use my own server.
Thus, I thought it would be significantly easier to just put the data into some documents on a Google account and then access them programmatically via the Google Drive API. I could then update the data in my Drive account and it would get updated in the application. The key here is that I am ONLY accessing ONE account that I own MYSELF. The users' accounts are not being accessed. Therefore the goal is to never have to log in manually. It should all happen behind the scenes, aka, it should look like a server, not a google doc.
With this in mind, it doesn't make sense to show the Google Accounts sign-in page to my users as the standard OAuth2.0 tutorial shows here:https://developers.google.com/drive/quickstart-ios#step_1_enable_the_drive_api
I should be able to access my own data by somehow hardcoding in my username, password etc. Google agrees here: https://developers.google.com/drive/service-accounts#use_regular_google_accounts_as_application-owned_accounts
The above link mentions a "refresh token" that I'm supposed to save. However, I have no idea how to build and save that token, or even for that matter, where to find it.
I've gone through both the basic tutorial and the Dr. Edit Tutorial for iOS, but they both assume that the application is accessing USER accounts not application-owned accounts.
I'm not asking for someone to write the code for me (though tidbits are nice), but if you can point me to a step-by-step guide or related sample code that would help me get started that would be awesome. I'll even come back and post the code that I use!
EDIT: Since I realized that the Google Drive API wasn't something I could use for what I am trying to do, I eventually found Parse which is an awesome tool that handles all the server backend for me and is free at the basic level.
Google APIs objective-C client library doesn't support service (application-owned) accounts, because they are supposed to be used by a server-side apps, instead of clients -- you shouldn't be distributing your private key as a part of an app.
If you would like to distribute content from a service account, maybe you should write a server leg to do the authentication and pass clients credentials in a secure way for them to talk to the API on the behalf of the service account. Or, use Web publishing to make documents universally accessible without authorization and authentication if privacy is not a concern.
I am making an app for the iPhone were all the users have access to the same google drive folder for uploading files. This google drive account is managed by the company and not by the users. There for I want to skip the google login form and just give the user access. Ideal the user does not even know he/she is using google drive.
I looked at the drEdit example and looked at oauth documentation. Is it possible to use one refresh_token for all the users to grand access? So I login once, grand access, somehow store the refresh_token and hard code that in the app for future use, so that all the users use that refresh_token for access. Or are there better ideas to do this?
Kind regards,
Stijn
Thought there was a similar question to this, but can't find the one I'm looking for. Short answer is you need to be very careful how you do this. Embedding the refresh token in your app like that is inviting abuse, particularly if it is authorized for write access. Once a clever user or attacker finds that value, they can use that token to call the API however they want. If authorized for the full drive scope, that means that can also maliciously modify or delete files, secretly store their own content, etc...
If you really need to have anonymous or shared access to content stored in Drive, you're better off proxying requests through your own servers so you can control the interaction with Drive.
I'm trying to work out the best architecture for a couple of apps I'm developing.
In both apps I want to utilise google/twitter/LinkedIn/etc to provide authentication of a users identity. The app is composed of an iOS app which has an option to send data to a server which I'm writing in node.js.
I want to utilise either OAuth or OpenId to handle identifying a user against the above servers so that I don't have to put in an authentication system of my own. In other words, allowing users to re-use their ids when choosing to upload data.
I should also note that apart from identifying a user, obtaining a name and email address, I have not intention of using any of their APIs at this time.
I think I have two options:
Place the Authorisation code in the iOS client and transmit some sort of key to the server with the data which it can then verify.
Keep the iOS client fairly dumb, and handle authorisation from the node server.
I'd probably prefer the second option because it means I could centralise authentication and be able to support a web site as well. That's my current theory.
Can anyone who has done something like this give me some pointers as to the pros and cons, OAuth or OpenId, or links to some examples?
In our previous app we opted for a combination of the two approaches. We wanted to centralize our user data on our server in the event we needed to make future API calls on those services. We also wanted the native oAuth experience for the user on the client. Ie: on Android and iOS, the developer can have single sign-on / authorization run through the native Facebook app (if available), vs. popping-up a webview that serves the 'Approve' dialog. It's a better user experience in my opinion. Also for Twitter, the oAuth process may require a PIN code to be entered in the callback which should probably be handled on the client side.
You can pass the access token retrieved by the client to the server for storage and later use if you intend on making additional API calls on these services, provided you expect the token to be long-lived (ie: offline-access permission on FB).
In any case this is mostly a user experience decision.