Situation
Using the Google Core Reporting API (v3), I need to get client companies analytics and other data but since they are organizations and not individuals, It is too tedious to put them through the login flow in order to get access tokens.
I know that I can obtain a token for such a request using the Server to Server auth process, but that involves obtaining and holding on to their private key which then grants me, to my knowledge, near unlimited access.
Question
Is the Server to Server method the only way to do this or is there something better.
Yes, server to server is the only method which doesn't require the client login (OAuth).
Remarks about Google APIs:
Server-to-server comes in 2 flavours: Service account and API key
The vast majority of Google APIs (including Google Analytics APIs) only support the Service account method for server-to-server access
Some (eg Google Search Console) support API keys instead of Service account
You could use OAuth and store refresh tokens so people don't have to authenticate every time should you want to use a method that requires client login
Remarks about GA:
You should use the v4 reporting API as v3 is being discontinued
Related
So I'm trying to use Google Sign In and Sign in with Apple in my native mobile app which also communicates with my own backend server. I think I have the grasp of the OAuth2 flow and the concept of ID Tokens behind OpenID Connect. The only doubt I have is if I can/should use the access/refresh token pair to authorize access to my own endpoints? On apple's documentation this isn't clearly stated and on Google's site they mention you CAN use it to access Google APIs, but nowhere have I found you could use it for your own backend server. If not, how should this be approached (generating my own access/refresh token pair after validating the the authorization server's ID Token?)
Note that I only need to authenticate my users via these platforms, I don't want access to other Google APIs (for now).
TL;DR: Can I use Apple's/Google's access/refresh token pair to authorize access to my own backend's endpoints or should I generate my own/do something else?
You can use the tokens provided to you, but often you soon or later will want to customize what they contain and then introducing your own local provider can be a solution. So that your internal services trusts the tokens from your own service an your auth server trusts the tokens from Apple/Google.
The second problem is that your internal systems might need to trust multiple token issuers. In my experience is to internally only trust one token service and not multiple, even if this is not a hard requirement.
I have API backend and it will be consumed by different consumers like our own company website and even other website can use our API with certain quota/limitation and for this scope management we will be using express-gateway(eg), however this is not the only reason I am using express-gateway(eg). Now coming to my problem/miss-understanding, for our own website we can create api-key and user credentials using eg command. But for the other user who wishes to use our api, I don’t want them to contact me for this integration, rather they should be able to create a user credentials and API key themselves using some facility (let us call it key management) provided by us. Here I am stuck how to give a web platform or any other mechanism where a user can create account and then create api-key for their own website. I was thinking to extend the express-gateway app itself and create page where a website owner can fill the form with various input field that will serve as parameter for eg command and I can trigger eg command in node console and create credentials and save it in redis database and then fetch those information to show it to user as their use rid and api-key. But I want to know the best way how others are doing, like how google, twitter and many more are allowing to create api-key, delete key and regenerate the api-key on compromise. Some suggestion would be to use third party tool to manage user-credentials, I will have little inertia to accept that, even if I do so how will I hook those third-party solution to my express-gateway.
In general, API gateways and authentication servers are independent, or at least loosely-coupled. The typical workflow is:
A user browses to the Create Account page for a service.
The user creates an account with the authentication server
The user makes a request through the API gateway
The API gateway checks with the authentication server whether the operation is allowed, discarding it if the user is not authorized to perform the requested action
The API gateway dispatches the request to the appropriate server
The receiving server checks whether the user is permitted to perform the action (in case the API gateway has been compromised)
Express Gateway includes its own authentication server for convenience, but the steps are basically the same. The difference is that one uses the Express Gateway Admin API to create the user and credentials rather than going to a different server.
Note that Express Gateway and its default account database (reddis) are not persistent out of the box.
I've found plenty of information on implementing Oauth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a gmail inbox for attachments transforms them, and exports to prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config or any other for that matter to retrieve a token without involving a manual user step.
Will doing this in Go require writing direct API calls since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?
First off i understand what you are trying to do.
You have a backend system running in a container which will access a single gmail account and process the emails.
Now you need to understand the limitations of the API you are working with.
There are two types of authorization used to access private user data
service account - server to server interaction only works with workspace domains. No authorization popup required.
Oauth2 - authorize normal user gmail accounts, requires user interaction to authorize the consent screen
If you do not have a workspace account and this is a normal gmail user then you have no choice you must use Oauth2, which will require that a user authorize the application at least once.
Using Oauth2 you can request offline access and receive a refresh token which you can use to request new access tokens when ever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must in production and verified. This means you need to go though Googles verification process with a restricted gmail scope which requires third party security check and costs between 15k - 75k depending upon your application.
I understand that this is a single user system but that does not mean that you still need to go though verification. When google added the need for application verification they did not take into account single user systems like yours.
Option
Have you considered going directly though the SMPT server instead of using the Gmail api? If you use an apps password you should bypass everything by loging in using the login and the apps password.
I'm trining to create live stream on youtube using google API. Now it working only when I use oauth authorisation. When I use API key authorisation I get authorisation error (login required)
When I use oauth authorisation - it require to enter confirmation code each time I create new translation. Is it possible to use "liveStreams->insert" method of API with authorisation that does not require entering of confirmation code?
From what you are writing it appears to me that you haven't understood the concept of OAuth and when to use OAuth vs an API key.
Try to think about it this way: You, as a person, have a Google account. This Google account is not the same as your YouTube account (or, as it is more commonly refered to, your YouTube channel). But your Google account is associated with your YouTube channel (of which you can have multiple). Because you are logged in to your Google account and your channel and Google account are linked, the YouTube website knows who you are and gives you access to your channel.
Now you head over to the Google Cloud Console. Here you create a project, which is very similar to a YouTube account in the sense that it, too, is an independent account which in this case represents your app, but is linked to your Google account so the Cloud Console website knows to give you access to the project as long as you are logged-in to your Google account.
HOWEVER, your YouTube account is not linked to your Cloud Console project. When you make an API request with an API key, the API does not see you as in "your Google account", but rather your apps's Cloud Console Project. That's why with an API key, you can only access publicly available data (everything you could "see" when you browse YouTube while not being logged-in).
So, in order for an application to read private channel information or modify channel information, the API needs verification that whoever makes that request is actually allowed to do that. This is where OAuth comes into play.
When you say you have to provide the confirmation code for each request, I think you don't save the access token and refresh token. I highly recommend you read Using OAuth 2.0 to Access Google APIs and Obtaining authorization credentials over on Google Developers to help get you started.
How can I get Google Analytics report on my SPA without authorization by Google?
Without authorization as a participant of project made I get this error
403 PERMISSION_DENIED
403 PERMISSION_DENIED
Means that you do not have permission to do what it is you are trying to do.
How can I get Google Analytics report on my SPA without authorization by Google?
You cant you must always be authenticated in order to access google analytics data.
In order to access private user data you must have permission to access it. Your google analytics data is private. There for you must be authorized though google in order to access that data.
If you are looking for a way of doing it without requesting access of the user. For example if you would like to display data from your personal Google analytics account to others without requiring that they have access to the data then you could use a service account. Service accounts are preauthorized so that your code will run and have access to the data without having to request access of a user.
Don't do Analytics API requests for your own data at the client side.
What you should do is have a server side job that requests data from the API every day and caches the result. Then you can provide the result for clients.
The API have limits in place that avoid more than 10k requests per day, having this done at client side means that you will reach this limit. This limit is in place exactly to discourage use cases like yours.
Having this done on the client side means exposing your credentials at the client side which would also likely allow users to query data you don't intend to share or maybe even change settings in your account depending on which scopes you are authorized.
You have to rethink your design to not do this job on client side.