Using Google sign in api - manage users permission - javascript

I understand that I can use Google Sign in button and grant access to my website only to users from my domain (using metadata tag).
My question is, once a user is logged in can I control the pages that he/she sees. For example I want some users to be admins but other users to be regular users. Each user 'type' will have access to different set of pages.
Thanks,
Shay

Google's sign-in API can only authenticate users, it can't manage authorizations. For that you'll need to either use a cloud service like Cognito (which supports Google sign-in as a federated login provider for its own temporarily-generated identity) or write your own server-side access manager that associates the sign-in token with specific permissions, and then handles the authorization of user requests.

Related

How to automate O-Auth2 web browser opening to get access token?

So I am working with google sheets API , where I need to authorize the credentials before I can hit api for my account , for that OAuth2 client provides an auth URL which opens in browser and there I have to login in Gmail account and then accept the permissions and then it redirects to a redirect URI and in it's URL there is a code.
But I want to get all this done automatically as this will be part of my backend code , and I want it be automated without me going to browser and logging in . Can this be done using puppeteer ? or anything else ?
The only option to avoid user interaction is to use a service account with domain-wide delegation. And to use this, you need to be a Workspace domain admin, and you can only act on behalf of users in your Workspace domain.
If you are not a domain admin, there's no way to avoid the workflow you mentioned, with user interaction.
Reference:
Using OAuth 2.0 to Access Google APIs

Adding Google Sign-In To Web App & Retrieve Group Membership From GSuite?

For an internal web app I'm developing in Python/Django I need to retrieve the user's group membership from GSuite and grant/deny the user access to specific webpages depending on what group they have access to.
I've read about how to add a Google Sign-in button, which works as expected: https://developers.google.com/identity/sign-in/web/sign-in
However, the user's basic profile doesn't give me the group memberships. I've checked this documentation page (https://developers.google.com/identity/sign-in/web/reference#googleusergetbasicprofile) but can't see any reference to group memberships.
Does that therefore mean I need to connect to the GSuite Admin SDK? If so, can I grant a service account read-only permission to retrieve the group memberships?
Reading this (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) and the 0Auth 2.0 authorisation scopes (https://developers.google.com/identity/protocols/oauth2/scopes#admin-directory) seems to suggest I can only grant the service account domain-wide access to administer GSuite Users, which would be a security concern.
After speaking with Google Support, they suggest to use the Groups API here:
https://cloud.google.com/identity/docs/how-to/query-memberships#python_1

Implicit Google API authorization for site using Google Cloud Search

I'm trying to authorize a user to use Google Cloud Search on our company intranet (using company domain). If the user has already authenticated with GSuite, it's as simple as calling gapi.auth2.authorize().
However, if the user has not authenticated with Google (i.e., no google cookie exists in the browser), the user is prompted to confirm the email address needed to authorize (we have the user's company email available to pass as the login_hint field to authorize()).
We want to provide a...
(1) seamless user experience across browsers. The popup solution is not seamless between browsers as some browsers automatically block popups that aren't triggered through a click.
(2) GCS capabilities that are handled without additional prompts. It's not a "search app", it's merely the search bar of an intranet site. It's also a bad user experience to have a popup window authorize for the sole purpose of searching.
Is there a way to use the api key/application ID to implicitly authorize the user behind-the-scenes so that the user can perform search without experiencing the aforementioned issues?
Yes absolutely,
Try Service Account Authorization,
You can use a Google API Client library to make API calls from backend. Here's the reference for Cloud Search this.
Instead of using access token generated by OAuth authorisation in browser, you can grant following scope to a service account and make search queries from your back end and send the results to the front end:
https://www.googleapis.com/auth/cloud_search
Check out the Cloud Search API from here.

Youtube analytics example: Keep google account signed in

I'm working with this Oauth2 example from Youtube API's documentation: https://developers.google.com/youtube/v3/code_samples/javascript?hl=es-419
The problem is: every time I execute a request it asks me for sign in with a google account.
The question is: how can I keep the user signed in? With long access token or something like that.
I'm working with a laravel app.
Thanks in advance.
You need to implement OAuth 2.0 Authorization.
The YouTube Data API supports the OAuth 2.0 protocol for
authorizing access to private user data. The list below explains some
core OAuth 2.0 concepts:
Here are some important points from YouTube API.
When a user first attempts to use functionality in your application that requires the user to be logged in to a Google Account or YouTube
account, your application initiates the OAuth 2.0 authorization
process.
Your application directs the user to Google's authorization server. The link to that page specifies the scope of access that your
application is requesting for the user's account. The scope specifies
the resources that your application can retrieve, insert, update, or
delete when acting as the authenticated user.
If the user consents to authorize your application to access those resources, Google returns a token to your application. Depending on
your application's type, it either validates the token or exchanges it
for a different type of token.
For example, a server-side web application exchanges the returned
token for an access token and a refresh token. The access token lets
the application authorize requests on the user's behalf, and the
refresh token lets the application retrieve a new access token when
the original access token expires.
Note: Important: You need to obtain authorization credentials in the Google Developers Console to be able to use OAuth 2.0
authorization.
Follow the steps in this documentation to obtain authorization credentials.
Your application must have authorization credentials to be able to use
the YouTube Data API. This document describes the different types of
authorization credentials that the Google Developers Console
supports. It also explains how to find or create authorization
credentials for your project.

Obtain user profile picture/badge for the signed-in google user

My web application uses google user-id for authentication. How do I fetch the currently signed-in user's profile picture/badge in javascript?
Note: I only have the access to the user's email address and id. I don't have the profile id.
Sounds like you're using the Users API, which doesn't offer access to profile info: Access to user's name and profile picture in the AppEngine's app.
Depending on which kind of users your app is dealing with (any gmail user, Google Apps users, Google+ users, etc) using other APIs could be attempted instead: Google+ API, Directory API, etc.
Another possibility would be switching to some other authentication method offering access to profile info. See What is the difference between Google identity toolkit, Google OAauth and Google+ sign in

Categories

Resources