I'm working on one school app. I'm able to create events using google calender API with NodeJS. I created the clientID and secretID on the school google account. Every time event is created, only the admin has access to start the meeting. But I want teachers(who are creating the event) to be the organizer. How can I achieve this?
The organizer field of an event is a read-only field. You can use the move action to move the event and change the organizer but this can only be done if the authenticated user has write access to the destination calendar.
A solution would be to use a service account and perform domain wide delegation. In this way you will be able to impersonate the user in question and organize the event wanted.
According to the Service accounts documentation:
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
As for performing domain-wide delegation, you might want to take a look into this:
In enterprise applications you may want to programmatically access users data without any manual authorization on their part. In G Suite domains, the domain administrator can grant to third party applications domain-wide access to its users' data — this is referred as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
Reference
Calendar API - Events:move;
Service Accounts;
Calendar API - Perform G Suite Domain-Wide Delegation of Authority;
Using OAuth 2.0 for Server to Server Applications.
Related
Should I use a Service Account or an OAuth 2.0 Client ID?
I'm struggling to understand Google's documentation on authenticating for their APIs. I'm creating a basic application that will help users add and modify Google Calendar events for a single Google account (the account is shared between all users). I only need the application to access that one account, it'll never need to access any others.
It seems to me that Service Account would be best for this, but Google's documentation suggests Service Accounts should only be used for automated processes (unless I'm misunderstanding). For instance this page contains the following, describing when to use Service Accounts.
Would my application qualify as acting on the users behalf?
If so, I would want to use OAuth Client ID credentials, which will ask the user to sign in to a google account. In this case, is there a way I can guarantee they only sign in to the one account I want modified?
I can't find any decent documentation on the OAuth authentication requests to figure this out myself. If there is any could you point me there?
I'm sure I'm misunderstanding something basic here, but thank you for any help!
First off you should know that you can only use service accounts with Google aclendar api if you have a google workspace domain account.
You can then set up a calendar and a domain user that the service account can act on behalf of to control the access of that calendar.
Assuming that your application is going to preform all actions on this calendar then yes i would say that you could use a service account for this. If your app bacly has a ui with a calendar on it your just using google calendar to store the data.
However if you intend to share this calendar with the users themselves, this way they could see it within their own google Calendar account. Im not sure a service account would be the way to go.
If you want the users to be able to see it and make changes then you may want to just use Oauth2. Grant them access to the calendar and then request access to their calendar account.
Drawback to that option is going to be the verification process. You will get access to all the users calendars and your going to need write access.
If you can go with a service account you really should consider it it will save you a lot of hassle with verification.
I am able to create an event in Google Calendar using Service account and Google Calendar API, where Project and Service Account is created in Google Workspace admin account and in the same account, I have enabled domain-wide delegation property. I haven't created separate calendar and haven't given access to Service account. If I use my workspace-google account in createDelegated(), with this event is getting created in 'abc#myworkspace.com' calendar and 'created by' property is also the same for every attendee I have added.
GoogleCredentials googleCredentials = GoogleCredentials
.fromStream(new FileInputStream(CREDENTIALS_FILE_PATH)).createScoped(SCOPES)
.createDelegated("abc#myworkspace.com");
So my question is what if I need to create event for non-workspace google account(lets say def#gmail.com)
Can I pass 'def#gmail.com' into the createDelegated()? If I do, I am getting,
Error getting access token for service account: 400 Bad Request
So how to create event for non-workspace google account?
Note : App type is still 'Internal' in OAuth consent screen.
Could someone explain what am I missing here?
A service account with domain-wide delegation can only be used for domains
A Google Workspace account is a domain, a personal consumer account is not a domain.
Consequently, you can not perform a request on behalf of a consumer account user via a service account.
Instead, you would need to create the event directly as def#gmail.com similar to the documentation sample.
No you can only delgate to an account on your domain
createDelegated("abc#myworkspace.com");
You can not delgate to a standard google account as there would be no way for you to configure the permissions
perform-google-workspace-domain-wide-delegation-of-authority
Perform Google Workspace Domain-Wide Delegation of Authority
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the Google Workspace Terms of Service.
Owner vs attendee.
A service account properly delegated. Will have permission to create an event on behalf of a user in the domain that they have been delegated permission.
Example: I have delegated permission to my service account to user User1#myDomain.com. For all intensive purposed the service account now has all permissions of User1. So the service account can create a new event on behalf of user1 and invite anyone to the event they choose.
As there is no way to set up deligation to user2#gmail.com there is no way for the service account to act like this user as it is a standard gmail user.
The only way for an application to create an event on behalf of user2#gmail.com would be to use Oauth2 and request consent of User2#gmail.com to access their private data. Then the application would be able to create a new event on behalf of User2#gmail.com.
Remember this is creating an event. There is nothing stopping the service account delegated as user1#mydomain.com from inviting user2#gmail.com to the event. user2#gmail.com will then be notified that they have been invited to the event they can then decide if they want to attend or not if they accept it then it will appear in their google calendar account. Notice how user2#gmail.com had to manually accept this. User1#mydomain.com did not have to manually accept that the event was created in their google calendar as the service account was acting on their behalf.
I need to read/insert events into a specific calendar, using Google API. All registered users (in my app) can read and insert events into the calendar. I don't have to authenticate each user with OAuth 2.0, because the app will not read the user data - only specific account data.
I'm a professor and all my students can read and insert in my calendar. So, they do not need to login (Google Account) to do it, because it's a single account's data.
Is there a way to set a unique key for the main account?
OAuth2 doesn't makes me sense.
Maybe you need a service account here. It is an account that belongs to your application instead of to an individual end-user. Your application calls Google APIs on behalf of the service account, and user consent is not required. (In non-service-account scenarios, your application calls Google APIs on behalf of end-users, and user consent is sometimes required.)
The Calendar API can use the Delegating domain-wide authority to the service account. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Apps domain would use a service account to access the Google Calendar API on behalf of users.
For more information, check these threads:
Delegating domain-wide authority to the service account
How to list Google Calendar Events without User Authentication
Embed Google Calendar only users logged into my website (not necessarily through Google) can see
I have an app using s2s connection with google calendar api. I need to create an event in different users calendars. To make it possible the user should go to the calendar's settings and share their calendar to the service account.
But I would like to simplify this for the user - so that they don't need to go to their calendar settings. I don't have an interface for the user interaction - it's a bot.
How can I access the user's calendar in another way?
Maybe you can change the role set by the user to the calendar. According to this documentation, the owners of a calendar can share the calendar by giving access to other users. The sharing settings of a given calendar are represented by the ACL collection (access control list) of that calendar. Each resource in the ACL collection grants a specified grantee a certain access role. So the user can make you the writer or owner of their calendar, so that you can access it.
Another way is by using Delegating domain-wide authority to the service account,
If you have a Google Apps domain—if you use Google Apps for Work, for
example—an administrator of the Google Apps domain can authorize an
application to access user data on behalf of users in the Google Apps
domain. For example, an application that uses the Google Calendar API
to add events to the calendars of all users in a Google Apps domain
would use a service account to access the Google Calendar API on
behalf of users. Authorizing a service account to access data on
behalf of users in a domain is sometimes referred to as "delegating
domain-wide authority" to a service account
I'm trying to create contacts in my google account using the 2lo (2 legged oauth), to achieve this Ive created a service account using my test account AAAAAAA#gmail.com, this step creates a "new email address" for the service, something like: XXXXXXX#YYYYYYYY.iam.gserviceaccount.com.
I'm able to access the google api with this account without the user intervention (2lo), and when I create a new contact using the api, this contact is related to XXXXXXX#YYYYYYYY.iam.gserviceaccount.com and not to the account I used to create the service account AAAAAAA#gmail.com, I can't see the created contact using my test account (AAAAAAA#gmail.com).
Is it possible to create a contact on my AAAAAAA#gmail.com account using a service account? what steps shou;d I follow?
Thanks
No, you cannot create contact. You need service account, which is an account that belongs to your application instead of an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved.
If you want to access user data for users in your Google Apps domain, then delegate domain-wide access to the service account. Then, your application prepares to make authorized API calls by using the service account's credentials to request an access token from the OAuth 2.0 auth server.
You may follow the steps listed here: . It shows how to create a service account.