There is a web application that I use regularly, and it uses Google OAuth for login. What I mean by that is that I get the following screen when I visit the application after a considerable amount of time.
Now, I want to develop an application, that directly makes a call to an API that this application makes a call to. But it turns out, the credentials that I send in the POST request work as long as I am logged into this application, but not after that. So, is there a way that I can log into this application programmatically, say every 2 hours?
I guess you are looking for "offline access". When you send the request, you are sending an access token that expires after an hour.
With offline access, the first time you log in, you will get a refresh token (you need to store it in your database) that allows you to generate new access tokens (without you being present) when old tokens have expired.
I suggest you to take a look on this link.
Hope this helps.
Related
My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
I have an application that needs to stream a specific users twitter data and search for specific hash-tag data then mass distribute an email, but if I'm understanding things correctly every time I want to connect, I have to redirect to an authorization page. All this should be in the background. Is there a way I can have the application authorize once, then always stream the data using spring social, if not, are there any alternatives?
OAuth uses tokens that expire. So no matter what, your users will still have to periodically log in via Twitter and go through the OAuth process again to get a fresh token. They will only have to authorize your app the first time, so subsequently they should get sent right back to your app (assuming this is a Web app). You might want to look at using ReconnectFilter, again assuming you're making a Web app:
http://docs.spring.io/spring-social/docs/current/apidocs/org/springframework/social/connect/web/ReconnectFilter.html
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.
Background
I'm working on an app that will run on a device which does not contain a browser, but I want to get the users google tasks through the google api.
Because of the lack of browser, they can't authenticate on the device, so I have it set up in such a way that they visit a website and authenticate there, then the device makes http requests to the website to get the data it needs.
Problem
Once I got everything working this system works out OK, the problem is it only works for a day or so before the user has to visit the website again to refresh their access token.
It would be great if the user could be authenticated for very long periods of time, or even forever (not sure if that's possible or secure). Can I get some suggestions on what people think is the best way to accomplish this kind of long term athentication?
Refresh tokens?
I've heard there is a way to store the user's refresh token in a database and somehow use that to refresh their access token. If this sounds like a good way, can anyone point me in the direction of an example to get this to work?
I've been using the google api client library for ruby
Thanks a lot!
You're on the right track with the refresh tokens. I can't help too much with the Ruby API, and honestly I just did this calling the REST api directly, but this doc should help you understand the actual calls you need to make.
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Note that for a lot of their examples you need to remove the newlines for them to work.
Basically like you said, you need to send the user to https://accounts.google.com/o/oauth2/auth with the access-type=offline parameter for them to give consent. This comes back with an authorization code, which you send to /o/oauth2/token. This comes back with an access token and a refresh token. You can use the access token immediately, and you store the refresh token, which never expires. When the access token expires you send the refresh token to /o/oauth2/token (note that the grant_type changes to refresh_token) to get a new access token.
When we sign into gmail in one tab and orkut in another(remember both can only be of the same account. Logging into one automatically logs into another). if we log out from gmail and then go to the tab in which orkut is already open, after remaning in the page for a few seconds the page automatically logs out. How is this done? i assume this is through page refresh but would like to know of any better way since i dont want to transfer so much data again and again.
Google's Single Sign On server knows that your account has been logged out, so next time any Google service validates your credentials, it returns that you've logged out so the app can act accordingly.
And about how to do it without having to refresh the whole page, it's very likely a XHR (AJAX request) which actually makes the page log out. It's probably not an explicit 'check for credentials' request, but any regular request that those apps have programmed by default (check for email on GMail, check for new friends or whatever on Orkut) that triggers the credentials check.