I have developed a Google Action for Assistant (with Api.ai). I have to use a Sign-in method because my app use a website where the user have to sign-in and make something.
In the action console I setup account linking with IMPLICIT method and under AUTHORIZATION URL I inserted my url for the login. It's works.
When I speak for the first time (for testing) to my Google Home, on my smartphone appears the notification for account linking... perfect. My website create a token and record it and every time after my webhook will call with the same access_token. Perfect.
Two questions
This access_token is linked to my google-account forever or google may change it?
How can I disable this account-linking and reset my google-action? I want to re-link my assistant with new access_token. I try to return a http 401 from my webhook but it's not work.
The access token is just a piece of string so Google cannot change that exact one. It might have a lifetime.
I am pretty sure Google has an endpoint that revokes the access token.
Related
Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
I'm developing an application that utilizes Google sign-in and the Gmail API. My test users, once logged in, keep receiving an email like the attached file.
Other applications with similar functionality (basic email access) do not seem to trigger these emails. Any ideas? It makes my app seem less trustworthy.
One possibility is that you are obtaining tokens with offline=true indicating a requirement to use the refresh token to renew expired access tokens. If you only require short-term access, perhaps you should remove the offline parameter in the construction of your auth request link.
In this scenario once the access token expires, then the scope will no longer be usable or renewable and so your end-users should not receive the alert emails.
there is a service where one can authorize using their Google account.
I need to automate the workflow with that service, so my software has to log-in with a given Google account.
But as I've never done that before I don't know where to start. Most related answers suggest to display the authorization page to the user letting them to enter their login/password of their Google account, but that's not the case since my software must be fully automated, plus it is being ran in terminal mode so no browser neither any human to enter anything should be involved.
I wonder if such automation could be possible and where should I start.
The standard way to authenticate a user with google is through a three-legged oauth authentication flow (in a browser). You can do this in go using the oauth2 or with a more comprehensive package like goth
The general flow is:
redirect user to a landing page on google's site where they are prompted to grant you access.
google will make a callback to your site with a special code.
you make another request to exchange that code for an access token and a refresh token.
Use access token to use google apis, and use refresh token to get a new access token anytime it expires.
It is more detailed than this, and there is a lot to get right to keep it secure, but that is the general idea.
Now, like you've said, your app is a command line thing, so it is hard to do that flow. Unfortunately, you may need to do that once, just to get a refresh token. Once you have that, you could give it to your application: myapp -google-token=FOOBAR123, and your app can exchange the referesh token for a valid access token.
Maybe this will help: https://github.com/burnash/gspread/wiki/How-to-get-OAuth-access-token-in-console%3F
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.
Background
I'm working on an app that will run on a device which does not contain a browser, but I want to get the users google tasks through the google api.
Because of the lack of browser, they can't authenticate on the device, so I have it set up in such a way that they visit a website and authenticate there, then the device makes http requests to the website to get the data it needs.
Problem
Once I got everything working this system works out OK, the problem is it only works for a day or so before the user has to visit the website again to refresh their access token.
It would be great if the user could be authenticated for very long periods of time, or even forever (not sure if that's possible or secure). Can I get some suggestions on what people think is the best way to accomplish this kind of long term athentication?
Refresh tokens?
I've heard there is a way to store the user's refresh token in a database and somehow use that to refresh their access token. If this sounds like a good way, can anyone point me in the direction of an example to get this to work?
I've been using the google api client library for ruby
Thanks a lot!
You're on the right track with the refresh tokens. I can't help too much with the Ruby API, and honestly I just did this calling the REST api directly, but this doc should help you understand the actual calls you need to make.
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Note that for a lot of their examples you need to remove the newlines for them to work.
Basically like you said, you need to send the user to https://accounts.google.com/o/oauth2/auth with the access-type=offline parameter for them to give consent. This comes back with an authorization code, which you send to /o/oauth2/token. This comes back with an access token and a refresh token. You can use the access token immediately, and you store the refresh token, which never expires. When the access token expires you send the refresh token to /o/oauth2/token (note that the grant_type changes to refresh_token) to get a new access token.