Google OAuth verification of Web App with Heroku - heroku

What I have build:
A web application hosted on Heroku which reads coworkers' calendar and generates travel time events in their calendars. This way they can easily see what time they HAVE to leave to be on time for their next appointment.
I expect that 50 coworkers (at most) will use the web app. The app is not intended or made for external use.
I am using sensitive scopes (namely event writing permissions), so the web app has to be verified.
My problem:
Verification requires verified ownership of the web app domain, but I have it hosted on Heroku. I received a mail from Google's verification team which mentioned:
Please Note: Third party domain not owned by you, or domains that are hosted by a third party site, or redirects to third party sites are not permitted.
My question:
Can I use Heroku to pass the verification, or is it simply not allowed to use Heroku for web apps that use Google OAuth?

I found an answer to this problem: I Can't deploy google oauth app in heroku
I followed the steps and it worked! Google accepts the verification.
Note: in the Search Console, pick the URL prefix option and select the Meta Data verification option. I found that was the easiest to implement.

Related

Application not yet validated by Google

I'm facing an issue with new user authentication.
“Application not yet validated by Google.”
I received few weeks ago an email about new policy.
According to email, we are in internal case so no more action is required.
Did I miss something?
An unverified app is a web application or Apps Script that requests a sensitive OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive applications.
You need to go through verification before you launch a user-facing app. You can continue to build and test your application while waiting to complete verification. When your app is successfully verified, the unverified app screen will be removed from your client.
Unverified apps
OAuth Client Verification
internal
Internal apps: if your app is an internal web app for users in the same G Suite domain and the app is associated with a Cloud Organization that all of your users belong to, you don't need to go through verification. Learn more about public and internal applications.
If your new user is seeing this i would suggest you check that they are logging in with their g suite account only those accounts are going to be able to get though the verification requirement.

Can't add domain for push notifications in google developers console

I've created a new application in google developers console, my app is using the Google Calendar API and I want to be able to get push notifications on changes in the calendar. I've added and verified my domain in Web Master Tools, when I try to add the domain in the push notifications section in the console I get an error:
Error
You do not have access to the following domain: ***
I tried to do that with another application (with different google account), and I encounter the same problem, It seems like google are having a problem because it's not the first time I'm doing it and it should be pretty simple, any suggestions?
In order to add a domain to the "Push notifications" you must verify your domain in webmaster tools with a "https://" prefix, otherwise it won't work because push notifications in Google works only with "https://", that's why you need to verify it in webmaster tools with "https://" so Google can verify you have an SSL.
This will be helpful incase if you are using subdomains.
https://support.google.com/webmasters/answer/35163?hl=en&ref_topic=4564314&vid=1-635796479292102918-3720802661
When you verify that you own a domain (such as example.com using DNS verification, you've proven that you have control of the domain, all its subdomains, and all sites in those subdomains.
Similarly, if you have verified http://www.example.com (using any verification method), and then add http://www.example.com/test, you will be automatically verified as an owner of http://www.example.com/test. You'll remain a verified owner of the subdirectory even if you later delete http://www.example.com from your Search Console account.

Unable to recover Google API project and "This client ID is globally unique and is already in use."

I've been working as a consultant on an Android project that uses Google oAuth2 to authenticate and identify it's users. The Android project is in production and available for download on Google Play. The oAuth client ids and the entire Google API project was setup by me using a Google Apps e-mail address setup in my name on the client's domain.
Since the project has been released and my work with the client is finished my e-mail address has been deactivated and subsequently deleted (or so it seems, the client claims to not being able to recreate it). Since my e-mail account was set as the owner of the API project the deletion of my e-mail address has resulted in the deactivation (or deletion) of the API project as well. This has of course seriously crippled the app in question.
To get things up and running again a new e-mail address was set up for me on the client's domain and I created a new API project. The problem is that I'm unable to create the oAuth client ids since the packagename and SHA1 key are the same as for the app already live. I get the "This client ID is globally unique and is already in use" message and I seem to be stuck in a very awkward situation. I see a couple of possible solutions but I'm not sure how to proceed:
Reactivate the original e-mail address in the hope that the API project is still linked to that account
Reactivate the Google API project with the help of a Google engineer and assign it to an e-mail account on the client's domain
Delete the client ids from some Google database with the help of a Google engineer and setup a new API project and release a new version of the app.
Worst case: accept the loss, change package name, release a new app and kindly ask users to migrate to the new app.
I've read that Google monitors the google-oauth tag here on SO and I hope to get some help either from the SO community or Google itself. Many thanks in advance!
In the future, please coordinate for long-term ownership of the project, since the Google accounts that own the project are an important aspect of Google's authorization system. For instance, the owner of the project signs ToS for accessing the APIs on behalf of users.
I will follow up with you to find a way to sort out this issue.

Using OAuth 2.0 for Devices - Google API - Google Drive

I took a look in some docs at developers.google and some questions here in stackoverflow and I really would like to found an objective answer about use the Google OAuth Server to authenticate an application and grant access to download docs into a Google Drive account with NO BROWSER interaction.
As far as I could look, docs like "Using OAuth 2.0 for Server to Server Applications", "Using OAuth 2.0 for Devices", answers here, I couldn't found an article saying "Is possible to authorize an application to get files from a common Google Drive account in Devices with no browser...".
Anyone have tried and had success in this jorney?
The Devices flow is meant for applications that run on devices where no browser is present (fancy example could be a wristwatch that shows new G+ notifications) and requires the user to do manual steps on a device that has a browser. Also this is for getting access to data on the user's account.
UPDATE:
As you say you have an embedded application running without a browser available and want to access data on behalf of a user, this is definitely the way to go. This however still needs the user to login (once) on another device with a browser. After you got an access token using this flow, you can then access the Google Drive API either manually or by using some library.
So you want to access data on Google Drive that belongs to a special account and only your application can access it without a browser involved?
A Service Account (the Server-to-Server flow) would be exactly what you need. These however are only for usage on a web server, as otherwise your private keyfile would have to be deployed to a client, where it could easily be extracted.
One thing you could do is use your own web server that fetches data from your Google account using a Service Account and have a client application that only connects to your own web server. This has of course also its downsides, especially when it comes to locking down your web server so no third party clients could access it.
It can be done, but a browser does need to be used. I've successfully gotten OAuth 2.0 working on an IBM i (AS/400, iSeries, System i, whatever the name is today) which doesn't have a browser. I've so far implemented the Calendar and Google Cloud Print APIs.
During the OAuth 2.0 negotiation you will be returned a URL and a code. You need to display the URL for the user to go to, then the code to enter to grant authority for that specific API/scope. I have an example in our documentation here:
http://docs.bvstools.com/home/greentools-for-google-apps/docs/g4g-base-commands/g4gregsvc
But, the issue now is that the drive API is not yet available to devices. But, Google has said that soon it should be.

Making an OAuth connection from a Windows application to a Google App Engine application

We have a Windows 7 Task Tray application that needs to access services in our Google App Engine application, and we are having difficulty making the OAuth connection between them work. For some reason our OAuth libraries that work with the Twitter and Tumblr OAuth implementations do not seem to work in this scenario with Google. Google is returning a 400 bad request response to the last step in the OAuth authorization sequence.
To debug the problem I am trying to use Google's OAuth 1.0 Playground page (http://googlecodesamples.com/oauth_playground/index.php). But I can't figure out what should be entered for the "scope" in step 1. If I enter the name of our GAE server the sequence will fail with the error message "Invalid scope". Clearly, choosing one of the provided scopes (the Google API services) is not an option for us.
Can anybody tell me how the OAuth scope designation should be set when accessing Google App Engine hosted services?
just for reference look at this blog,looks helpful in your case
http://ikaisays.com/2011/05/26/setting-up-an-oauth-provider-on-google-app-engine/
I think this Google Official Docs explains best how to set up an endpoint to your own appengine application. You question isn't very specific, but take note of the following that is being written in this document:
The scope of an authorization, how much the consumer is allowed to access, is for all of a single app. App Engine only supports whole-app scopes, and does not support more granular scope requests. When Google Accounts prompts the user to authorize a consumer, the prompt explains that the consumer is requesting permission to access the full app.
And did you set up OAuth on your domain?
The consumer performs OAuth actions using a set of standard web service endpoints. These endpoints use reserved paths on your app's domain. For example, if your app uses a Google Apps domain of www.example.com, the endpoints for the OAuth protocol begin as follows:
https://www.example.com/_ah/OAuth...

Resources