I'm trying to authorize a user to use Google Cloud Search on our company intranet (using company domain). If the user has already authenticated with GSuite, it's as simple as calling gapi.auth2.authorize().
However, if the user has not authenticated with Google (i.e., no google cookie exists in the browser), the user is prompted to confirm the email address needed to authorize (we have the user's company email available to pass as the login_hint field to authorize()).
We want to provide a...
(1) seamless user experience across browsers. The popup solution is not seamless between browsers as some browsers automatically block popups that aren't triggered through a click.
(2) GCS capabilities that are handled without additional prompts. It's not a "search app", it's merely the search bar of an intranet site. It's also a bad user experience to have a popup window authorize for the sole purpose of searching.
Is there a way to use the api key/application ID to implicitly authorize the user behind-the-scenes so that the user can perform search without experiencing the aforementioned issues?
Yes absolutely,
Try Service Account Authorization,
You can use a Google API Client library to make API calls from backend. Here's the reference for Cloud Search this.
Instead of using access token generated by OAuth authorisation in browser, you can grant following scope to a service account and make search queries from your back end and send the results to the front end:
https://www.googleapis.com/auth/cloud_search
Check out the Cloud Search API from here.
Related
I'm developing a (so far) intra-company website that needs authentication (i.e. a limited set of users are allowed to use it). I don't want to force the users to have a new username/password pair for only this service. The company already uses company-branded Google Mail for e-mail, so every user already has a Google account: my "cunning plan" is let Google authenticate the users.
I found this great question and answer so I know (or at least have an idea) on how to verify on the server side that the web session was authenticated by Google. What I don't know: how to get that accessToken on the client side? How to detect if the user already logged in to Google, and if not, how to present the Google login form to the user?
I found the Using OAuth 2.0 to Access Google APIs documentation, but I don't quite understand this sentence: "The authorization sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the type of access being requested.". What is this URL?
I'm fairly new to web development and JavaScript, unfortunately.
"The authorization sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the type of access being requested.".
Your application will need to open a webpage which will display a consent screen to the user. This page is opened on Googles identity server not your own. You have probably seen this before.
The url is built up using the client id and redirect URI that you set up on your project in the Google developer console.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
you might find this blog post interesting Google 3 Legged OAuth2 Flow
I am new to GMail JS API and I was trying to read gmail emails using Javascript according to the quickstart tutorial given explained on below link
https://developers.google.com/gmail/api/quickstart/js
I have followed all the instructions given on the page but I am getting below
error
did I miss something???
Please help me resolve this error
Thanks in advance!!!
You may refer with this thread. Make sure that you are authenticated to the API properly.
To do this, there are two ways:
use OAuth - the Server redirects the user to google's servers, where they can login, grant permission to your app, and pass a token back to
you
Service Accounts. These are a little bit more complicated:
First, you'll have to setup an app (done)
second, you'll have to setup a service account. This is how your app authenticates to google. you've done that, and the certificate
you've got contains the private key to authenticate
third, the user needs to grant your application access to act on behalf of them. This is the point you haven't done yet.
Also, as stated here, certain scopes simply aren't supported for the oauth2 for devices flow.
Additional references:
Invalid scope error when trying to access gmail api
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.
OAuth invalid scope
Apps Script keeps asking for offline permission with Youtube's API
In Google Apps Script, access to YouTube Reporting API is Forbidden
These are very similar questions however, I am logged in as the owner. The script is in the owner's drive.
My problem
I have been trying to access YouTube Analytics Reports from the Content Owner using GAS(Google Apps Script). There are two accounts a Brand account (holds the data i.e. the video content) and a User account. They both use the same credentials(email & pwd). When authorizing as the user, I get a 403(forbidden). When authorizing as the brand, I am asked to authorize offline access again and again, stopping me from ever being able to make a request.
What I've tried...
Running from Node, using OAUTH Playground tokens, and it works. But I need to stick with GAS.
Using google-script-oauth2: to hard code credentials (similarly to the Node solution) but I couldn't set the refresh token. I got a 401(invalid credentials) - I believe the bearer token was expired
Setting up credentials for and enabling both youtube and youtube analytics APIs
scrapping old credentials and attaching a new project to GAS
removing auth in privacy settings and re-authenticating
toggling a use unsafe scripts option and repeating step 3
switching between contentOwner and channel parameters for the ids param
NOTE: I have two OAUTH2 credentials app script and the web client both are set as Web Applications.
GAS Code
function test(){
YouTubeAnalytics.Reports.query("contentOwner==id", "2017-03-01", "2017-03-31", "likes");
}
Final Thoughts
I believe there is a disconnect between the Brand and the user such that the brand is not given the same access to the OAUTH 2 token. Therefore, it never generates a refresh token. So, the request sees that I am the authorized channel owner but it can't finish the OAUTH flow.
If this is true, why, and how do I fix it? If not, what do you think could be the error?
I just realized the script is in the user account and not the brand account. Would that affect the validation?
Also on the actual channel, the user is listed as the Primary Owner.
I think the problem has to do with Apps Script's limited OAuth scopes. Open the Script Editor and navigate to Resources->Advanced Google Services and you'll see that YouTube's Reporting API is not supported. However, you can get around this by using Service Accounts. They are a pain to set up but once you get them up and running you can explicitly request the scopes required to make authorized calls on the API from GAS.
Here are a few links to get you started:
Using OAuth 2.0 for Server to Server Applications
OAuth 2.0 Scopes for Google APIs
For Using OAuth 2.0 for Server to Server Applications you'll want to scroll down to the section titled Preparing to make an authorized API call. Select the HTTP/REST tab and it should walk you thru the steps you'll need to setup a service account (you'll need to create a JWT - JSON Web Token from your Google console for use in your API calls). You'll also need to retrieve the needed OAuth scope urls for YouTube's Reporting API from the second link provided. Once you're all set up you'll be able to make requests to the API directly from Apps Script using URLFetchApp. Best of luck with your project.
One more thing. Check out Google's API Explorer listing for the YouTube Reporting API. You can get the URL endpoints (and request methods) you'll need to use in your UrlFetchApp calls by playing with the Explorer.
UPDATE 4/28/2017
Also be sure to enable the YouTube Reporting API from your Google API Console.
I understand that I can use Google Sign in button and grant access to my website only to users from my domain (using metadata tag).
My question is, once a user is logged in can I control the pages that he/she sees. For example I want some users to be admins but other users to be regular users. Each user 'type' will have access to different set of pages.
Thanks,
Shay
Google's sign-in API can only authenticate users, it can't manage authorizations. For that you'll need to either use a cloud service like Cognito (which supports Google sign-in as a federated login provider for its own temporarily-generated identity) or write your own server-side access manager that associates the sign-in token with specific permissions, and then handles the authorization of user requests.
My application using JavaScript to connect to get access the Google drive API.(see https://developers.google.com/drive/quickstart-js). First time it ask the user permission. At the time Google may give *access_token* to my application. I want to use the token to access the Google drive data in future(That time the user may not be sign-in in Google account). Is it possible? if possible how to do?
Is it possible to the application to ask Google "please I want to get permission of the user user#example.com"? It will be useful at the time of multiple-signing
EDIT: Exactly my question is "Offline access is possible in JavaScript-API?" See It is possible in PHP-API: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
The JavaScript API uses the OAuth 2.0 Client flow which only returns an access token. If you set approval_prompt=auto in your request URL, the consent page for a given set of scopes will only be shown the first time the user goes through the sequence, so he will not have to grant access to your app again:
https://developers.google.com/accounts/docs/OAuth2UserAgent