Working with the gapi google api client for javascript. We have our current operations working atop gapi.client which we can hold the tokens for the user and simply supply them to gapi.client prior to running operations.
The issue is that for additional functions with other API's, we need to use a process with the gapi.auth2 object that grants the additional permissions. We have the tokens, and the user's consent, but calling gapi.auth2.init seems to force another signin.
Example: gapi.client.setToken({access_token: access});
How can I set the tokens we already have in gapi.auth2 so that I can perform the grant?
Related
I've found plenty of information on implementing Oauth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a gmail inbox for attachments transforms them, and exports to prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config or any other for that matter to retrieve a token without involving a manual user step.
Will doing this in Go require writing direct API calls since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?
First off i understand what you are trying to do.
You have a backend system running in a container which will access a single gmail account and process the emails.
Now you need to understand the limitations of the API you are working with.
There are two types of authorization used to access private user data
service account - server to server interaction only works with workspace domains. No authorization popup required.
Oauth2 - authorize normal user gmail accounts, requires user interaction to authorize the consent screen
If you do not have a workspace account and this is a normal gmail user then you have no choice you must use Oauth2, which will require that a user authorize the application at least once.
Using Oauth2 you can request offline access and receive a refresh token which you can use to request new access tokens when ever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must in production and verified. This means you need to go though Googles verification process with a restricted gmail scope which requires third party security check and costs between 15k - 75k depending upon your application.
I understand that this is a single user system but that does not mean that you still need to go though verification. When google added the need for application verification they did not take into account single user systems like yours.
Option
Have you considered going directly though the SMPT server instead of using the Gmail api? If you use an apps password you should bypass everything by loging in using the login and the apps password.
My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
We have a webapp that integrates with a number of Google APIs (calendars, contacts, drive). We have an integrations panel where the user can selectively check on each integration. When a new integration is enabled we save the new refresh token Google returns and flag the old one as inactive. Great so far.
The problem is when we request a new scope (incremental), Google seems to correctly add the scope to the User (if we check granted scopes from the frontend it shows the correct list), but if we check scopes from the access token it will only list profile and whatever we just requested.
So if someone enables Calendar, that refresh token will have 'profile' and 'calendar', but if they then enable Drive, the new refresh token will have only 'profile' and 'drive', not 'calendar'. This is especially problematic for our Drive worker, as it will generate a lovely slew of errors as it tries to build out a User's Drive with a valid refresh token but invalid scopes.
On the backend, I'm using the setIncludeGrantedScopes(true) method before I cash in the code, and as far as I know the front end is doing what it should (it does seem to have the expected scopes), but the refresh token is not inclusive.
Tips/tricks/gotchas/etc?
So, it turns out that this was a fairly simple solution, but was documented in only one place: when the front-end requests an additional scope, it must also send up all current scopes.
Failing to do this will cause the returned refresh token to represent only the scopes included in the grant request, while the app will incrementally gain scopes as expected.
I have started building a C# asp.net website that will have the ability to post directly into Yammer (we have Yammer Enterprise). I have used the REST api to create a post and have also been able to create in impersonation token to post on behalf of other users. It works fine, but reading the documentation, the tokens seem to have an indefinite lifetime. Forgive me is this is a stupid question, but is there an expectation that as a developer, I should store the token locally (eg in a SQL table) and reuse local version for future API calls?
If the API call fails, then I assume I regenerate the token and re-store for future use?
Thanks
Andy
Yes, these tokens don't expire until an account is suspended or deleted in Yammer, or the user manually revokes the app. Until that changes you need to be very careful with handling these tokens. Applying encryption, permissions, and other techniques to secure your app is the best way to protect them.
You might also consider storing the time when the token was acquired or last used. Then delete the token after a period if it hasn't been used. That will protect the user.
In your UI make it clear what your app does with Yammer so that users authorizing it are aware of what they are opting into.
I'm working with 3 Google API Services(Analytics, Webmasters, PageSpeed). I have a single Google API client ID(with all 3 services activated) and common Google API PHP SDK in my server.
User of this aplication should be able to grant and revoke access for each service independently at any point of time depending on his usage. Is this possible?
Testcase:
If user wants to use only analytics service initially, he should be able to grant access for only analytics and later if he wants to use pagespeed service also, he should be able to grant for pagespeed also without compromising access for analytics. If he wants to use analytics & webmasters later, he should be able to revoke only pagespeed access without compromising the access for analytics or webmasters.
When you request an access token, you specify the resources you want access to. If later you need to access another resource, you request another token for that resource.
You can simplify your implementation by setting the include_granted_scopes to true when requesting the token. This will include all previous authorizations so you only need to deal with the new token.
AFAIK there's no way to revoke access to specific scopes, even though the documentation mentions that "When you revoke a token which represents a combined authorization, all of the authorizations are revoked simultaneously;". This actually happens even when revoking individual tokens. Also, the Google account user interface does not allow the user to specify which permissions he wants to keep, it's only possible to revoke all access from an application.
See the docs for incremental authorization.