I'm creating a server side app which is able to access (Create, edit & delete files) specific folder in my google drive. I was able to achieve it with both OAuth and service account but I wanted do it without OAuth or service account like in official docs. When I tried use API Key It gives a login required error. How I fix it?
srv, err := drive.NewService(
ctx,
option.WithAPIKey(key),
option.WithScopes(drive.DriveFileScope),
)
Error:
googleapi: Error 401: Login Required, required
The first thing you need to understand is the difference between private and public data.
Public data is data that is not owned by anyone that anyone can access. Holiday calendars on Google calendar. If a user uploads a public Videos to YouTube you also don't need permission to access. We use a Public API key to access public data.
Private data is something else. Private data is data that is owned by a user. For your application to be able to access it you need the consent of the owner of the data or someone who has access to it. A users files on Google drive and their google drive account are private user data. You do need permission to access because they are private user data.
You are getting the following error message because
googleapi: Error 401: Login Required, required
If you check Files.create you will notice that it tells you that you need permission to access it.
To answer your question you can not use a public api key to access a users private google drive account. You could read a file that they had set to public using an api key. However to read, write and create files on a users private google drive account. You are not going to be able to create and edit files. For that you would need the users permission.
Oauth2
If you are trying to access the accounts of your users then you need to switch to Oauth2 and request their consent to access their drive account. Once you have a refresh token you will be able to access their account from your server system.
service account
If you are accessing an account that you the developer control. If you are not going to be accessing the accounts of your users then what you should be doing is looking into using a service account. Have a look and open a new question if you have any issues.
Should you be using a service account
security
Authorization is not there to bother you. It is there to ensure that your data and the data of your users is secure. Don't try to find ways to circumnavigate security. Learn to work with it.
like in official docs.
There is nothing in the official docs that stats that you can access private user data with a public api key. Go (isn't going to / cant) change the underling security imposed upon us by Google to access their systems. That being you need user consent to access private user data.
Related
Using this nodeJS example, I could get the data from a public sheet.
But how do I get the data from a non-public sheet owned by me (my google a/c) ?
Is there some way to send in the username and password as arguments ?
I don't want OAuth way as I want the data to be pulled from the sheet & displayed on a public webpage.
The other option I can think of is to have OAuth2 done once write a script to handle refresh tokens automatically as a cron every hour ?
Since this is a file that you the developer own i would recommend using a service account
If you share the file with the service account it will then have permissions to access it without you needing to go though the oauth2 steps of authorizing your application.
On google cloud console simply create Service account credentials
const {google} = require('googleapis');
const auth = new google.auth.GoogleAuth({
keyFile: '/path/to/your-secret-key.json',
scopes: ['https://www.googleapis.com/auth/spreadsheets'],
});
Then change your auth code slightly. Open the service account key file and look for the service account email address its the only one witha # in it. Share the file with the service account like you would any other user in google drive web app.
Once it has access you shouldn't need to authorize the app again.
I have a video on Google drive API upload file with Nodejs + service account which might help you a bit you just need the authorization code. Everything else you have should work as is.
Is it possible to create an event on behalf of my own application?
I tried using API Key but that doesn't work. I want all the event to be under my app's account. I don't want to make the user login. I just want to create new google Meet links.
No you must be authorized to write to a users calendar
if you check the documentation for events.insert you will notice a section called authorization
This section tells you what authorization scopes you need in order to be able to write to a users google calendar. A user must grant your application access to their data before your application will be able to write to it.
API keys are only used for accessing public data, for example the public google calendar holiday calendars you can read from them with an api key.
However to access private user data you need to be authorized.
It seems that when I have a valid user's access token, I can call this api https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=xxx to retrieve the user info, without any API key.
I want to double check are there any limitation in getting user info via this API, instead of using the official Google API client? e.g. rate limit?
An API key is used to access public information. Holiday calendars for example or public videos on youtube. Files uploaded to Google drive set public could also be accessable with an api key.
Oauth2 is used to access private user data, you can access public data with it as well like the items listed above. But to access private user data like the data contained behind the user info end point you would need an a valid access token.
There shouldnt be any limitations to using the userinfo endpoint that i am aware of I would expect that to be out side of all quota limitations.
I am trying to use google api for getting new emails from gmail account. However reading the docs I found that there are two types to access api the first one without authorization (with json credential) and second one one is Service Account (with p12 certificate and secretkey)
Can not understand what the difference between this access? What exactly should I use?
Thanks
Oauth2 is the first type you are looking at. With Oauth2 a consent screen is displayed to the user who must approve your access. Usage you want to access a users Gmail account, you want to access a users google calendar, you want to access a users google drive.
With a service account access is pre-authorized by taking the service account email address and adding it as a user for data in question. Usage: You want to allow other users to upload files to your google drive account, you would add the service account email address to a folder on google drive then the service account will be able to upload to that folder with out having to prompt any user for permissions.
Use Oauth2 when you want to access a users account, use a service account when you want to access an account controlled by you the developer.
If you want to access a users Gmail account you need to use Oauth2 you cant grant another user access to your Gmail so there is no way to give a service account access to it.
I want to develop an application that uses the Picasa Google API for uploading images to my own account. I've already created the Service Account from the API Console and have created the code to upload the image (which works correctly given a valid access_token obtained from the OAuth2 playground).
However, when trying to obtain an access_token with the Google-api php library, this one doesn't seem to be associated to my own username (obviously, no consent screen), which throws me a 404 Not found error message when trying to access data from my personal account.
From what I've read over at https://developers.google.com/api-client-library/php/auth/service-accounts I could create an apps account to setup permissions for a whole domain. Is this, however, necessary given that I only want to access information from my own account? (the same I used to register the application in the API console). Couldn't this be done beforehand using API panel?
A service account is not you and does not by default have access to any data. Think of a service account as a dummy user. If you take the service account email address and add it as a user on a folder in your google drive it will have access to that folder on google drive. If you take the service account email address and give it access to one of your calendars on Google Calendar it will have access to the calendar.
If you set the album public I suspect it will then have access to the album. I did some Googleing and I cant see how you can add another users email address to an album on picasa.
I suggest you try using Oauth2.