I am currently working with the Google Analytics API. I have implemented ga react package, so the analytics tool can show me the required data.
As per my understanding, Google uses OAuth 2.0 to identify the user and grant access. As my application has it's own user(s) and every user is not available in google.
Is it possible to access the Google analytics API inside my application?. API should get called using an only the API key.
So is it possible to access Google analytics API with the only key?
First off let me start by saying im not sure i understand this statement
As my application has it's own user(s) and every user is not available in google.
I am going to assume that you are trying to show the users of your application the analytics data from a single analytics account which they dont have access to.
API Keys
Api keys are used to access public data only. Public data is data that is not owned by any user. Public Videos on YouTube, Google analytics meta data API, Holiday calendars on google calendar these are all examples of Public data not owned by any user.
Private data
In order to access private user data you must have the permission of the user who has access to that data. Google analytics data is private user data you own the data associated with your account. In order for your application to access that data it must have your permission to do so. Permission is grated using Oauth2.
If you will only ever be accessing your own account and you will not be accessing data owned by other users then you could consider using a service account. Service accounts are dummy users you can share your google analytics account with the service account there by preauthorizing its access and it will then be able to access the data without needing to be logged in all the time. The issue with service accounts is that it cant be used client side you will need to use server sided code for this. I am not a react developer so im not sure if thats one of the JavaScript frameworks that can also run server-sided or not.
Related
I can login with
<script src="https://accounts.google.com/gsi/client" async defer></script>
I have created an api key for google drive on the console dashboard. According to Drive js api. I should not put the key in a public webpage.
Is there a way to get my api key from after logging in with the account that owns the key via javascript?
An api key is used for accessing public apis. Unless the file you are trying to access is public you are not going to be able to access it. That tutorial also tells you to create Web application. Which will allow you to authorize your user to access their data.
Is there a way to get my api key from after logging in with the account that owns the key via javascript?
Api keys and web application credentials as which that tutorial shows you how to create are owned by you the developer. They are used to request authorization of the users of your application. So no there is no way that the users of your application could give you an api key that must be created by you the developer.
Restrict your api key
due to the fact that javascript is client side if anyone does a view source they are going to see your api key. That is why it is a good idea to setup restriction for your key in Google clound colsone
Apikeys
There are a number of ways to restrict your key
You can restrict it by API restrictions limiting what apis it can be used for.
You can set up Application restrictions which will limit things like what websites it can be used from or an ip address.
A key in production should always have restrictions applied.
I have web app with html/js. Integrated Google Picker library for gdrive. In browser dev tools/source code: developerKey, clientId, appId are being exposed. Does that pose any security risk(1) or those can be public? If not, what are possible ways to hide it?
(1) I've limited developerKey in Google Console to be used only for gdrive and nothing else.
There's no security risk because those can't be used to authenticate to your account or get private information, but someone could use your API key to make requests to Google APIs that exposed public information (Google Maps for example) and be charged for those quota expenses. To prevent that quota "theft" you have 2 options:
1) Follow the Google guidelines to restrict your API key to be used only from a specific URL or certain IP addresses.
2) Set up a backend service to authenticate each user in order to get the API key as explained in this answer.
I'm allowing users of my site to download their google analytics data at their free will for transparency sake and I don't want to deal with CCPA requests for data myself.
I'm using Node.js as my backend and was wondering if it's possible to download google analytics by client_id. I'm using a service account for my google console access.
If there's some documented api endpoint that I'm not seeing that would help a lot.
Sure you have, it came in for that purpose
The User Activity API allows a Google Analytics property owner to
retrieve all analytics measurement data associated with a single user.
Specifically, the API retrieves all of the measurement data associated
with a particular User ID or Client ID.
https://developers.google.com/analytics/devguides/reporting/core/v4/user-reporting
I'm trying to use Google Analytics API in Javascript. I want to:
Query Data for a specific website (under my control)
Use the data to build an open-to-the-public dashboard
Every example I can find requires you to use OAuth to authenticate before you can query data. Because I only want to query (not delete/modify), is there a way to use a simple API Key to grab the data I need?
Yes and No. The Google Analytics Core Reporting API is an Authenticated API and requires the use of OAuth2, authorized with the appropriate scope:
https://www.googleapis.com/auth/analytics.readonly
The API key simply identifies your Google Project, it does not necessarily grant you authorization to read the data of your Google Analytics Accounts, even if that account is associated with the same Google Login. The API key is usually public and lives on the client browsers, it would not be secure to grant access to anyone's Google Analytics Account data simply if they had access to a particular key.
What you are going to need to do is use a service account to access the data. Take a look at the Google Analytics Demos and Tools site. There they have a really good example example of using a service account server side to generate an access token and then has the JavaScript Client library make the final request. Alternatively you could build something akin to the Google Analytics Super Proxy which can query the API on your behalf and generates a public URL which can then be queried separately.
I'm working on a page that will be available to certain users where they can see shared Google Analytics data. I want to pull the data with JavaScript and I've succeeded in getting an OAuth token for the account with the GA data, but it expires in 1 hour.
How can I use this token for all users coming to the page? I don't need the users to be able to access their own GA data, just the shared data. Is there a way to make the token permanent or to refresh it?
Below I have listed three different possible solutions:
The easiest method might be to grant permission for your desired users to have read access to the view (profile) you want to share and use the embed API to authenticate those users and display that data.
You could look into using the Google Analytics Super proxy. The Google Analytics superProxy allows you to publicly share your Google Analytics reporting data. You can use it to power your own custom dashboards and widgets, transform responses to various formats, test, and much more.
Or you could look into using an authenticated service account. The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario you need a service account, which is an account that belongs to your application instead of to an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved.