Application1 -> Microservice1 (deployed on one server, also db is separate)
Application2 -> Microservice2 (deployed on other server, also db is separate)
NOTE : For Microservice1 and Microservice2 we are use same Google API credentials.
We have a one application in that we are providing user to edit it's word, ppt, excel files with Online editor.
So, we have configure Microservice which used GSuite API for user to edit there file with google online word editor.
Now, we have a scenario like when one user open file from Application1 then our application will redirect user to google login screen and once user enter it's credentials then google will check whether third-party application already registered with login user account or not, and if not then google will give consent screen to register third-party app with current user.
Once user allow third-party app then google will redirect user to our Microservice1
once callback came to our Microservice then we will store user's refresh-token to our db and user can able to edit document online.
Now, user open file from Application2 and it will redirect user to google login screen and once user enter it's same credentials which he used in above then google will check whether third-party application already registered with login user account or not, this time google found that third-party application already registered with them, and google will redirect user to Microservice2, but this time google doesn't give refresh-token and in our db also refresh-token entry not there, so we will not able to open the file in online editor.
So, is there any way to handle these kind of scenario with only single Google API Credential?
Or we need separate account which give us different Google API Credentials?
Like :
Microservice1 (One Google Account with Google API Credential)
Microservice2 (Another Google Account with Google API Credential)
Any kind of help appreciated.
Thanks in advance...
you need to create a service account, possibly with G Suite Domain-Wide Delegation of Authority.
I've been crawling the web but haven't been able to figure this out.
I want to write an app with the following behavior: it presents existing users of Google Cloud with a login window to which they enter their Cloud credentials - user and password. With those credentials, I want to programmatically access and fetch their respective billing data so I can later display it to them. This should obviously be able to serve multiple users.
I don't understand how to get past the very first step, which is - what do I do after I get the credentials? Is there a client library method to which I supply them and then gain access to the user's info?
You can use Firebase Authentication or Google Identity Toolkit, see sample here
I need to extract information from videos using YouTube Analytics and Reporting Api.
I have access to multiple YouTube Brand Accounts, when I log into YouTube with my Google Account.
Using the "Try it" for testing the API, I'm only able to retrieve data for a channel once I switch to the Brand Account that this channel belongs, otherwise I get 403 - Forbidden error.
Is there any way to extract data using the Google Account that I'm using to log in? Because once I create the credentials in developers console, they will be associated to the Google Account and not to the Brand Accounts.
My google account has Manager Role on the brand accounts.
I've search for the onBehalfOfContentOwner field to be used in requests, but I don't know how to get this ID, and I'm not sure if this is applicable in my situations, since we're talking about Brand Accounts, correct me if I'm wrong.
I fought with this just two days ago. Turns out it IS possible, it's just undocumented and works a bit differently than you'd expect:
Once I create the credentials in developers console, they will be associated to the Google Account and not to the Brand Accounts.
I had the same exact misconception when I first tried (even went so far as to find out the brand account's client_id). Turns out you don't want to use the brand's oauth info -- you want to use your own client_id/client_secret to create a refresh token on behalf of the brand account then use that to create auth tokens.
Steps:
Using your main account create an oauth client_id and client_secret via https://console.developers.google.com/apis/credentials
Edit the client_id/client_secret entry you just added and add "https://developers.google.com/oauthplayground" to the "Authorized redirect URIs" at the bottom of the page.
We're going to create a refresh token the lazy way. Go to https://developers.google.com/oauthplayground/
Click the gears on the top right corner and set access type to "offline", then click "Use your own OAuth credentials" and enter the client_id and client_secret you created in step 1.
Select the scopes you want to give it access to. Click authorize APIs.
Here's the magic bit: You'll now be asked to "Choose an account". Choose the brand account you want to access here, NOT your main account. Since you have permission to access it this'll work fine even though you're using your own client_id and client_secret
Allow the permission access when it prompts you, then you'll be brought back to the oauth playground.
Click "Exchange authorization code for tokens"
Grab the refresh token and use it like normal to generate auth tokens as needed.
Congratulations, you now have api access to the brand account!
Hope that helps.
The YouTube API is different then other google APIs. With other APIs you authenticate access to the full account. However with the YouTube API its channel based. You are going to need to authenticate your application once for each channel.
onBehalfOfContentOwner
This parameter is intended for YouTube content partners that own and
manage many different YouTube channels. It allows content owners to
authenticate once and get access to all their video and channel data,
without having to provide authentication credentials for each
individual channel. The actual CMS account that the user authenticates
with needs to be linked to the specified YouTube content owner.
You need to be a YouTube partner then you can contact your account manager and get a CMS id. I have yet to figure out what magic one must archive to become a YouTube partner.
I will give an update to #Paolo's incredible answer. In my case, I was trying to get my private videos using the Playlist.list api. I've never seen an api as poorly documented, asinine, and CONVOLUTED as youtube's api.
Context: I have a main google account for which my youtube api credentials are tied to (there is no google developer accounts for youtube brand accounts) but would like to get the private playlists (and videos) for my youtube account (a brand account). mine=true, key, channelId, onBehalfOfContentOwner, and onBehalfOfContentOwnerChannel all did NOTHING for me. I was getting either public playlists or api errors with various combinations and values of those parameters.
In the end, these were the steps I took to run a node script to get private videos from my brand account:
Go to https://console.developers.google.com/ for your main google account.
In the sidebar, go to APIs & Services, then Credentials
At the top, click +Create Credentials, then Service account
Under Service account details, enter any name, then click Create and Continue
Under "Grand this service account access to project", click continue
Under "Grant users access to this service account", click Done
On the main credentials page that loads, click the newly created service account under Service Accounts
In the tabs, click Keys
Click the Add Key button, then Create new key
Keep JSON, then click create
Save the file as client-key.json in the root of your nodejs project
Go to https://developers.google.com/oauthplayground
Scroll to bottom of scopes and select YouTube Data API v3 v3, then https://www.googleapis.com/auth/youtube and https://www.googleapis.com/auth/youtube.readonly.
In the window that pops up, click your youtube (brand) account, then allow
In the next step, click Exchange authorization code for tokens
Copy the access token
Go back to your node script and use like this:
const auth = new google.auth.GoogleAuth({
keyFile: "client-key.json",
scopes: [
"https://www.googleapis.com/auth/youtube",
"https://www.googleapis.com/auth/youtube.force-ssl",
"https://www.googleapis.com/auth/youtube.readonly",
"https://www.googleapis.com/auth/youtubepartner",
"https://www.googleapis.com/auth/youtubepartner-channel-audit",
],
})
const authClient = await auth.getClient()
google.options({ auth: authClient })
const youtube = google.youtube("v3")
const token = "your token here"
const results = await youtube.playlists.list({
part: [
"snippet",
"id",
"contentDetails",
"status",
"localizations",
"status",
],
mine: true,
auth: token,
oauth_token: token,
maxResults: 50,
})
Note mine: true and that the token must be passed to BOTH auth and oauth_token, but not key. If either parameter is missing, the call will fail. (Why? No clue. Please tell me.) Also, you must continuously renew your access token in the playground after it expires.
Now, with all of this said, I encourage you to find me an api worse than the youtube api. My guess is you'll be hard-pressed to find one even half as ridiculous as this.
P.S.
I believe there were additional things required before this such as enabling the youtube api and doing something on the OAUTH Consent Screen but I'm too exhausted with this thing to continue. Hopefully the Google console UX will be enough to guide you through those steps, though quite frankly, I doubt it.
Hope this helps and good luck, because you may actually need it.
If you follow the solution for getting a permanent refresh token and use Java, this works for me
GoogleCredential credential = new GoogleCredential.Builder().setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setClientSecrets(oauth2ClientId, oauth2ClientSecret)
.build()
.setRefreshToken(oauth2RefreshToken);
this.youTubeClient = new YouTube.Builder(httpTransport, JSON_FACTORY, credential)
.setApplicationName(APPLICATION_NAME)
.build();
Required dependencies
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-youtube</artifactId>
<version>v3-rev212-1.25.0</version>
</dependency>
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId>
<version>0.18.0</version>
</dependency>
These resources might also help once you have the refresh token:
Authenticate programmatically to Google with OAuth2
https://blog.timekit.io/google-oauth-invalid-grant-nightmare-and-how-to-fix-it-9f4efaf1da35
I am developing a family of utility apps where each app could be available on desktop, mobile and the web. After some research I decided to go with pouchdb on the client and couchdb on the server to provide offline sync.
A user would be able to create an account on the web (A Laravel Spark app) to manage their app subscriptions/payments and also access the web versions of the apps. On mobile and desktop the user would sign into each app using their credentials to unlock functionality.
I am planning on taking a database per user approach in couchdb with filtered replication (based on the app the files belong to). The basic requirement is for the user can sign in once in the apps and then securely replicate to couchdb forevermore (until sign out).
What would be the best approach to take for authentication with couchdb given the use case outlined below?
Proxy all requests via Laravel for authentication
On account creation in the Laravel app create a couchdb user with a randomly generated password and when the user signs in on the app return this password authenticate future requests (are there limits on the number of users created)?
Use the Laravel app as an oauth server and make requests to couchdb direct using an oauth token.
Something else?
In the end I found the best approach to proxy all requests to CouchDB through Laravel, utilising the Passport package for API authentication.
To do this I hooked into the Spark::createUsersWith() function in the SparkServiceProvider to set up a CouchDB database on user registration via the following steps:
Generate a couchdb specific username and save it in the user record.
Create a couchdb database with the same name as that generated in step 1.
Add a design document to the database with a filter for app specific syncing.
Add a security document to only allow read/writes from the database owner (created in subsequent step).
Create a CouchDB user with the username generated in step 1.
The user can then log into the app using their username and password to receive an OAuth2 password grant token.
All syncing requests are then made with the auth token to my sync proxy controller detailed in this gist.
To save a search PouchDB can be set up to send the OAuth token automatically as follows:
this._remoteDB = new PouchDB(url, {
ajax : {
headers : {
"Authorization" : "Bearer " + localStorage.getItem("token")
}
}
});
I want to develop an application that uses the Picasa Google API for uploading images to my own account. I've already created the Service Account from the API Console and have created the code to upload the image (which works correctly given a valid access_token obtained from the OAuth2 playground).
However, when trying to obtain an access_token with the Google-api php library, this one doesn't seem to be associated to my own username (obviously, no consent screen), which throws me a 404 Not found error message when trying to access data from my personal account.
From what I've read over at https://developers.google.com/api-client-library/php/auth/service-accounts I could create an apps account to setup permissions for a whole domain. Is this, however, necessary given that I only want to access information from my own account? (the same I used to register the application in the API console). Couldn't this be done beforehand using API panel?
A service account is not you and does not by default have access to any data. Think of a service account as a dummy user. If you take the service account email address and add it as a user on a folder in your google drive it will have access to that folder on google drive. If you take the service account email address and give it access to one of your calendars on Google Calendar it will have access to the calendar.
If you set the album public I suspect it will then have access to the album. I did some Googleing and I cant see how you can add another users email address to an album on picasa.
I suggest you try using Oauth2.