I'm writing a command-line tool in python to post/edit/delete Blogger posts. Since the authentication uses OAuth2 I've requested an API credentials on Google API. It comes in the form of a client_id.json file.
{
"installed": {
"client_id": "<removed>",
"project_id": "<removed>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://www.googleapis.com/oauth2/v3/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "<removed>",
"redirect_uris": [
"urn:ietf:wg:oauth:2.0:oob",
"http://localhost"
]
}
}
I plan to make the app open source.
If someone has the file, does that mean he can access everyone who allowed the app to manage their blog?
Are separate users expected to generate their own API key?
No you cant and here is why.
I plan to make the app open source.
If someone has the file, does that mean he can access everyone who allowed the app to manage their blog?
Yes if someone has your credentials file they can do what ever they want. Using your account and posibly spaming your developer account causing you to loose access to your account see Can I really not ship open source with Client ID?
Are separate users expected to generate their own API key?
No anyone who downloads your open source project and wants to use it will be required to make their own credentials file on google developer console. as per TOS you are not allowed to share your credentials file with another user.
Related
I want to integrate google sheet with Laravel 8 without any third party tool or connector. I know its simple for many but i am not able to get through. Highly appreciate for your effort and answers!
Requirements:
Google OAuth Keys.
Google Service Account.
Enabling Google Drive API and Google Sheets API.
revolution/laravel-google-sheets Laravel package.
Steps:
Step 1: Installing revolution/laravel-google-sheets package
composer require revolution/laravel-google-sheets
# publish package files
php artisan vendor:publish --provider="PulkitJalan\Google\GoogleServiceProvider" --tag="config"
Step 2: Setup Google API OAuth Key
Navigate to Google Developers Console
Create a Google project or select already existed project.
Click Create credentials followed by OAuth client ID.
If necessary, Configure consent screen.
Set the type to Web Application.
Copy client_id and client_secret and set in .env:
GOOGLE_CLIENT_ID=XXXXXX-XXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=XXXXXX-XXXXXXXXXXX-XXXXXXXXXXXXXXXX
Step 3: Setup Google Service Account
Navigate to Google Developers Console
Create a new Service account key from Credentials.
Give your service account a name.
Under Grant this service account access to project step click on Select a Role dropdown and choose Project from left side and Editor from right side as shown in this image
Click Continue then Done.
Edit the service account and go to Keys tab.
Create a new Key of type JSON, and copy the json file to your project storage directory and rename it as credentials.json -or any other name you like.
Add credentials.json file path to .env as following
GOOGLE_SERVICE_ENABLED=true
GOOGLE_SERVICE_ACCOUNT_JSON_LOCATION=/home/user/code/project/storage/credentials.json
Step 4: Setup a Google Spreadsheet to integrate with
Create/Open a Google Spreadsheet file.
Give the sheet a name
Copy the ID of the document from file URL (e.g. https://docs.gogle.com/spreadsheets/d/{{SPREADSHEET_ID}}), see this image
Set the document id you copied in last step to .env
SPREADSHEET_ID=1kjtQBxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Copy the Email of the recently created Service Account, see this image
Share the sheet with the Service Account email as Editor, see this image
Step 5: Enable required Google APIs
Navigate to Google Developers Console APIs Dashboard.
Click ENABLE API AND SERVICES.
Search for Google Drive API and Enable it.
Search for Google Sheets API and Enable it.
Step 6: Test it
use Revolution\Google\Sheets\Facades\Sheets;
// Add new sheet to the configured google spreadsheet
Sheets::spreadsheet(config('sheets.spreadsheet_id'))->addSheet('sheetTitle');
$rows = [
['1', '2', '3'],
['4', '5', '6'],
['7', '8', '9'],
];
// Append multiple rows at once
Sheets::sheet('sheetTitle')->append($rows);
see the package documentation for more examples.
{ "error": { "code": 403, "message": "The request is missing a valid API key.", "errors": [ { "message": "The request is missing a valid API key.", "domain": "global", "reason": "forbidden" } ], "status": "PERMISSION_DENIED" } }
Dont forget to add scopes!
[\Google\Service\Sheets::DRIVE, \Google\Service\Sheets::SPREADSHEETS]
to the google.php config file
I'm trying to use p2/OAuth2 to access my documents on Google Drive.
I downloaded the sample Mac app and ran it, and it shows a Google "OAuth consent screen", and I click the "Allow" button, and it all works. So I think the sample code is good.
Then I logged into the Google APIs console, and:
enabled all the APIs that seemed like they might be relevant to this test (getting my name and user info): "Google Drive API", "Contacts API", "People API", "Google IAM API", etc.
created a "project" for my application
created a new "OAuth client ID" (credentials) for my app
I pasted my client_id into the OAuth2App sample, in place of the demo client_id/client_secret, and it fails. It shows the "OAuth consent screen" in a sheet, with the name of my application, but when I click "Allow", it just says "Forbidden".
Things I've tried that didn't help:
I've found this page which says creating a client ID of type "Other" in Google doesn't work, and I need to choose iOS. I've tried both "Other" and "iOS" types, and both give me "Forbidden".
With type "Other", it gives me a client_secret, as well. I don't want or need that, because this is a local app, but I found this question which suggests it doesn't matter to Google. I tried every way:
With the correct client_secret, I get "Forbidden".
With an incorrect client_secret, I get "Unauthorized".
With no client_secret, I get "client_secret is missing".
So I know it's checking that for type="Other", and doesn't seem to care that it's absent for type="iOS". In any event, since it's a different error when that's wrong/missing, that doesn't seem to be my problem here.
I turned on oauth.verbose to see if there's anything useful, but the logs are identical to the successful case (stock IDs), except for the values of some of the IDs/tokens.
How did p2/OAuth2 create a client_id for Google that works? Why is mine only returning "Forbidden"?
If it is your Local app, You'll need to select the installed option while selecting the type, and use Web Athorization Broker
this link might be helpful, its unsolved but has solution for the point you are stuck.
1.) ClientID and ClientSecret both are necessary while using installed application.
--> Also check your network rights if it is allowing the Drive api, that can also give Forbidden Error
my idea is to create a google sheet, make it public and then access it from my work computer linux/bash to read/write values on a daily basis.
i have a public google doc sheet that anyone can find/edit.
this is the sheet ID: 1F6jh6756xNDlDYIvZm_3TrXb59EFEFHGEC7jdWz-Nx0
doing it by the book https://developers.google.com/sheets/api/samples/reading
curl 'https://sheets.googleapis.com/v4/spreadsheets/1F6jh6756xNDlDYIvZm_3TrXb59EFEFHGEC7jdWz-Nx0/values/Sheet1!A1:A3'
returns:
{
"error": {
"code": 403,
"message": "The request is missing a valid API key.",
"status": "PERMISSION_DENIED"
}
}
i've read a lot and especialy here Google Sheet API v4 i've found a complicated solution. that is if you want to access your public sheet in a short 1 hour period.
you browse to https://developers.google.com/oauthplayground/ get authorization for the v4 api, then get "Authorization code", then get "Refresh token", and finally "Access token".
using this "Access token" you can access the public sheet like this
curl 'https://sheets.googleapis.com/v4/spreadsheets/1F6jh6756xNDlDYIvZm_3TrXb59EFEFHGEC7jdWz-Nx0/values/Sheet1!A1:A3' -H "Authorization: Bearer ya29.GlvaBLjrTdsSuSllr3u2nAiC-BOsjvIOE1x5afU3xiafB-FTOdLWDtfabuIMGF1rId5BsZxiTXxrx7VDEtxww4Q1uvW9zRndkfm3I2LZnT1HK2nTWzX_6oXu-NAG"
returns:
{
"range": "Sheet1!A1:A3",
"majorDimension": "ROWS",
"values": [
[
"a1"
],
[
"a2"
],
[
"a3"
]
]
}
perfect. in theory the "Access token" expires after an hour, the "Refresh token" never expires. so you would save the tokens, try to read the sheet with the "Access token", if it fails use the "Refresh token" to gain a new "Access token" and carry on.
but, i've had a dozen of "Refresh token"s that were redeemed/expired, "Authorization code"s expired, all in all nothing works after a few hours. why?
how can i access my google sheet form bash with curl without this kind of authorization?
especially since my sheet is public and can be edited by anyone with a browser.
is there another way to do this with some other permanent authorization?
why not use email and pass?
"API key" is mentioned but never explained. can some one please explain this method step by step?
All Google APIs require that you create a project on Google developer console and identify yourself and your application, even to access public data. Since you have set the sheet to public you can just go to google developer console and create a public api key remember to active the google sheets api. Then just add key=[YourKey] as a parameter on your request.
Update Dev console:
Create project and get key:
Google developer console -> create a project -> credentials drop down -> API Key
Enable it:
Google developer console -> library find sheets enable it.
Update:
{ "error": { "code": 403, "message": "The request is missing a valid API key.", "status": "PERMISSION_DENIED" } }
Means that you have not identified yourself to Google. In 2015 Google Start to require that we identify ourselves you cant just use a Google API without telling google who you are. You do that by creating a project on [Google developer console1. Create an API key and use that API key in all of your requests. This only works with Public data.
https://sheets.googleapis.com/v4/spreadsheets/1F6jh6756xNDlDYIvZm_3TrXb59EFEFHGEC7jdWz-Nx0/values/Sheet1!A1:A3?key=YOurKEY
Note: With private user data you would need to use OAuth and use either access_token=your token or set the header
Authorization: Bearer ya29.GlvaBLjrTdsSuSllr3u2nAiC-BOsjvIOE1x5afU3xiafB-FTOdLWDtfabuIMGF1rId5BsZxiTXxrx7VDEtxww4Q1uvW9zRndkfm3I2LZnT1HK2nTWzX_6oXu-NAG.
An access token is not the same as a API Key.
If you don't want to mess with OAuth2, maybe the simpler solution is to use third-party soft. https://sheetdb.io allows you to work with Google spreadsheets and does OAuth2 for you. Additionally, the API is simpler than Google, check out the docs here: https://docs.sheetdb.io
Another approach is to share the sheet with a Google Cloud service account, and then use the service account to authorize with the API client. If the document is public you do not need to share it.
Instructions on creating a service account and reading a Google doc, which should also apply to sheets https://www.futurice.com/blog/read-goog-doc-using-service-account
A piece of advice - NEVER allow write access to a public Google Sheet.
Anyone can add lots of data and cause all sort of problems.
Always control access to who can edit.
Allow arbitrary edits by anyone programmatically is even worse. I can whip up a script that fill in your Google Sheet to capacity in seconds with garbage data. To everyone else viewing it, the sheet will look like a jumble of data.
Now to answer your question. Here are the basic steps for creating an OAuth 2.0 ClientID:
In the Google Cloud console, go to Menu menu > APIs & Services > Credentials.
Go to Credentials
Click Create Credentials > OAuth client ID.
Click Application type > Desktop app.
In the Name field, type a name for the credential. This name is only shown in the Google Cloud console.
Click Create. The OAuth client created screen appears, showing your new Client ID and Client secret.
Click OK. The newly created credential appears under OAuth 2.0 Client IDs.
Save the downloaded JSON file as credentials.json, and move the file to your working directory.
Follow the rest of the instructions for setting up the environment for a Go app to authenticate, authorize and manipulate the Google Sheet via Golang. For other languages, select the corresponding entry in the left sidebar of the web page.
I'm creating an application in Laravel 5.0 and I want implement socialite 2.0 as OAuth package.
I tried this package for GitHub, Google, Linked In and everything is working fine. But after configuring my Bitbucket account and granting permission to read Email scope, I'm receiving this error:
Received error [{"error": {"message": "Your credentials lack one or more required privilege scopes.", "detail": {"granted": ["account"], "required": ["repository"]}}}] with status code [403] when retrieving token credentials.
After editing my consumer account in Bitbucket and adding Read Repository Permission, everything going to be fine except receiving Null Emails.
First, I don't want to prompt my users to allow to access their repositories, I don't need them and I don't want to scare my clients.
Second, how can I solve null email issue?
I feel your pain. User authentication via third-party without the user email is, to say the least, useless. In the very extreme, it might be dangerous and unsafe to ask for the user to input an email.
Thus, I've created a small fork of the original Bitbucket connector (from the League Of Extraordinary Packages): https://github.com/igorsantos07/oauth1-client
The best way to retrieve the user email and other missing info (such as location) was upgrading to API 2.0, what means repositories are not retrieved anymore. It might be a breaking change for some users, but I guess for many others it will actually be less data to be downloaded.
To install that fork into your project, add/merge the following to your composer.json:
"repositories": [
{
"type": "vcs",
"url": "https://github.com/igorsantos07/oauth1-client"
}
]
Then, you should composer require league/oauth1-client:dev-master. It will download the fork's master branch, with the said Bitbucket upgrades.
Note: I still have nooooo idea why Bitbucket asks for repository permissions to retrieve user emails. Go figure...
In your users migration you will need to set email up as being able to add an account without there being an email.
change:
$table->string('provider')->default('myapp');
to:
$table->string('provider')->default('myapp')->nullable();
How does Google Chrome's ADVANCED REST CLIENT plugin make cross domain POST requests? I thought maybe something with CORS but I don't see "Access-Control-Allow-Origin" in any response. This is a link to the plugin:
https://chrome.google.com/webstore/detail/hgmloofddffdnphfgcellkdfbfbjeloo/related?hl=en-US
Short answer: Extensions are different from normal web pages. They can ask for extra permissions during the course of installation.
(slightly) Long answer: The main requirement of plugins/extensions is that they are able to access different domains. They can ask for extra permission during the installation (The user is typically warned that the extension can access data on those domains).
Take a look at the manifest.json file of the extension you are talking about. More specifically:
"permissions": [
"<all_urls>", "cookies", "history"
]