I've been crawling the web but haven't been able to figure this out.
I want to write an app with the following behavior: it presents existing users of Google Cloud with a login window to which they enter their Cloud credentials - user and password. With those credentials, I want to programmatically access and fetch their respective billing data so I can later display it to them. This should obviously be able to serve multiple users.
I don't understand how to get past the very first step, which is - what do I do after I get the credentials? Is there a client library method to which I supply them and then gain access to the user's info?
You can use Firebase Authentication or Google Identity Toolkit, see sample here
Related
I'm trying to get some data from a user (searchconsole):
the user first grants permission on a website.
Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.
What is the easiest/safest way to achieve that?
Should I use the same token for both servers?
or is there a solution using the service account impersonation? (I'm stuck on that one)
use the permission on the web server to add the service account as a searchconsole user?
I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers.
I also read the doc and all examples I could find, but didn't find my case even though it seems basic.
Should I use the same token for both servers?
Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.
or is there a solution using the service account impersonation? (I'm stuck on that one)
Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.
In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts
use the permission on the web server to add the service account as a searchconsole user?
I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.
For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.
Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
Application1 -> Microservice1 (deployed on one server, also db is separate)
Application2 -> Microservice2 (deployed on other server, also db is separate)
NOTE : For Microservice1 and Microservice2 we are use same Google API credentials.
We have a one application in that we are providing user to edit it's word, ppt, excel files with Online editor.
So, we have configure Microservice which used GSuite API for user to edit there file with google online word editor.
Now, we have a scenario like when one user open file from Application1 then our application will redirect user to google login screen and once user enter it's credentials then google will check whether third-party application already registered with login user account or not, and if not then google will give consent screen to register third-party app with current user.
Once user allow third-party app then google will redirect user to our Microservice1
once callback came to our Microservice then we will store user's refresh-token to our db and user can able to edit document online.
Now, user open file from Application2 and it will redirect user to google login screen and once user enter it's same credentials which he used in above then google will check whether third-party application already registered with login user account or not, this time google found that third-party application already registered with them, and google will redirect user to Microservice2, but this time google doesn't give refresh-token and in our db also refresh-token entry not there, so we will not able to open the file in online editor.
So, is there any way to handle these kind of scenario with only single Google API Credential?
Or we need separate account which give us different Google API Credentials?
Like :
Microservice1 (One Google Account with Google API Credential)
Microservice2 (Another Google Account with Google API Credential)
Any kind of help appreciated.
Thanks in advance...
you need to create a service account, possibly with G Suite Domain-Wide Delegation of Authority.
I am building an online web store for a client of mine. I want to use all of their current inventory in their Square system to seed the online store.
It seems as though V1 of their connect API only supports /items which is fine.
However, I can not find a way to get the client's token. I expected that when I signed in to the Developer Portal with the client's credentials that I would be able to access their token, but it just asked me to create my first app -- which would be empty.
Is there a way to do this without OAuth? Since it is being used as a store, I do not want there to be a chance of the session expiring and customers hitting the store and seeing no items.
TL;DR How to connect an existing Square instance to the Connect API?
You're almost there.
If you have the square account credentials, go to connect.squareup.com/apps/ and click on the create app button. Pick something for the name, and after you finish that you'll see a page with the OAuth credentials, as well as the personal access token. If you are just making an app for one merchant, the personal access token will be all you need, and easiest to use.
Apps are just ways to organize API credentials, fairly distinct from merchant accounts.
Is there something you want that the /items endpoint doesn't give you?
I am using Google Admin SDK Directory API to create users and using Service account I am able to perform CRUD operations on them.
I have a requirement whereby I have to check the credentials of users created using SDK.
When you fetch the users the password is not returned, hence comparison cannot be done.
I'll really appreciate if someone lets me know what would be effective way of approaching the checkCredentials function.
Thanks.
Google does not ever return the value of the password. That would be a monumental security risk.
See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.
If your requirement is too check creds on a newly created user, you should look into trying to login as the user with the password you just sent, using the google auth Apis
At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.