I'm trying to log some data into a public sheet (accessible in incognito mode). I'm trying to avoid OAUTH2 as it seems I can only grant access to all my sheets and I'd like to avoid that. There are likely multiple users of the software and my google account contains some proprietary data.
I'm using Python3.
I just needed to create a "Service Account" (under credentials in the console) and share my sheet with the address in the JSON file containing the credentials.
Now I don't have to rely on OAUTH2 and granting access to all my sheets.
Related
I'm working on a Laravel site where users could connect their Google account and manage their Google calendars directly from within the site. I found https://github.com/spatie/laravel-google-calendar but I'm not sure that it really meets my needs.
That package doesn't seem to follow the authentication flow (OAuth 2) I'm used to with other APIs. It uses service accounts and stores credentials in JSON files where I usually save access and refresh tokens in my users table.
So am I missing something or is that package not made for that kind of site ?
Application1 -> Microservice1 (deployed on one server, also db is separate)
Application2 -> Microservice2 (deployed on other server, also db is separate)
NOTE : For Microservice1 and Microservice2 we are use same Google API credentials.
We have a one application in that we are providing user to edit it's word, ppt, excel files with Online editor.
So, we have configure Microservice which used GSuite API for user to edit there file with google online word editor.
Now, we have a scenario like when one user open file from Application1 then our application will redirect user to google login screen and once user enter it's credentials then google will check whether third-party application already registered with login user account or not, and if not then google will give consent screen to register third-party app with current user.
Once user allow third-party app then google will redirect user to our Microservice1
once callback came to our Microservice then we will store user's refresh-token to our db and user can able to edit document online.
Now, user open file from Application2 and it will redirect user to google login screen and once user enter it's same credentials which he used in above then google will check whether third-party application already registered with login user account or not, this time google found that third-party application already registered with them, and google will redirect user to Microservice2, but this time google doesn't give refresh-token and in our db also refresh-token entry not there, so we will not able to open the file in online editor.
So, is there any way to handle these kind of scenario with only single Google API Credential?
Or we need separate account which give us different Google API Credentials?
Like :
Microservice1 (One Google Account with Google API Credential)
Microservice2 (Another Google Account with Google API Credential)
Any kind of help appreciated.
Thanks in advance...
you need to create a service account, possibly with G Suite Domain-Wide Delegation of Authority.
I am trying to access some data from a Google Sheet using the V4 Spreadsheets API and am getting a 403 with PERMISSION_DENIED. I have verified that the API has been enabled and am passing key={MY_KEY} in the URL. I set the sharing settings to "Anyone with a link" in my personal Google account which is working fine and I am getting data back using the following URL:
https://sheets.googleapis.com/v4/spreadsheets/MY_KEY/values/Sheet1?key=MY_KEY
However, at work we use GSuite and Link Sharing is restricted to our organization only so when I hit that URL for a Sheet in my work account with the same setup from my personal account (excluding the sharing settings), I get the 403 with PERMISSION_DENIED.
I don't see any documentation as to how to authorize outside of an organization or if its possible to add an exemption to be able to share outside of the organization.
It is not possible to have an exemption from the sharing settings. If the policy prohibits sharing outside the organization, then the credentials accessing the sheet must be from a user in the organization.
The main use case is using IPython as CLI to my own Google accounts. What I am really after is minmizing the fussing around between starting the IPython shell and actually issuing usefull calls against the API.
The docs for authenticating with Google APIs focus on setting up application which other user will use to access their data.
This leads to a lengthy Oauth dance involving a browser in order to allow other users to authenticate without compromising their credential.
However, I do not mind sharing my private credentials with myself. I am not planning on sharing the code. If I did share the code I would use something like dotenv to separate the credentials from the code.
Twitter provides developers a second set of credentials
that allows developers to access their own accounts for testing.
Thus it is possible to access ones own account programmatically
by just providing to sets of credentials: the developer credentials that allow the calls to the API and the other credentials that grant access to the developers own data. For example:
from twitter import *
t = Twitter(
auth=OAuth(token, token_key, con_secret, con_secret_key))
# Get your "home" timeline
t.statuses.home_timeline()
# Update your status
t.statuses.update(
status="Tweeting from Python")
Where con_secret* are the developer credentials and
and token* are the account access credentials.
How can I do something equally simple with Google APIs?
Where can I get credentials to access my own account?
How would I use them in Google API?
As an example what would be the simplest procedure for retrieving the contents from one of my own Youtube playlists?
I have com to think that a Python headless browser library could be give me what I need. I have asked a related question on SE Software Recommendations
https://softwarerecs.stackexchange.com/questions/35744/python-headless-browser-library-for-oauth2-authentication-from-ipython-console
I would like to download a set of credentials
Google offers this ability through it's client_secrets.json file. There are different ways to download this, depending on the type of account you want to use (Web application, installed application, Service account). The different techniques can be found here .
Store the credentials locally and keep using them without requiring
new credentials every call
This also isn't a problem, the client secret is valid until you renew it - AFAIK there is no automatic expiry unless you specify otherwise.
Once you have downloaded your client_secrets.json, store the file in a non-public directory (normally inside your project directory/config).
Similar to the downloading of the file, there are different techniques (flow classes) to use the JSON file depending on what type of account you are using. As an example, the below would be used for installed and web applications;
from oauth2client.client import OAuth2WebServerFlow
...
flow = OAuth2WebServerFlow(client_id='your_client_id',
client_secret='your_client_secret',
scope='scope URL here',
redirect_uri='http://example.com/auth_return')
Other flow class examples can be found here
Hope this helps - If you need further information, the official documentation (which be warned, can be incredibly inaccurate and confusing) can be found here https://developers.google.com/api-client-library/python/guide/aaa_oauth
I have an application using Google Drive that must (a) not require user login and (b) populate a document that authorised users can view.
Because of this it appears that using a regular account as a service account is my only option, as described here https://developers.google.com/drive/web/service-accounts
Use regular Google accounts as application-owned accounts
You may create a regular Google account like any user would, by going
through the Google account sign-up flow or by creating an account on
your Google Apps domain. Make sure it is then never used by an actual
person but only by your application.
To be able to access the account’s Drive programmatically you need to
manually go through the OAuth 2.0 web-server flow once and then store
or hard-code the user’s credentials, such as the refresh token, to be
able to programmatically access its Drive. For more information about
the web server flow for Drive, see Implementing Server-side
Authorization.
While it discourages user access, it doesn't ban it. However I am confused by the line
you need to manually go through the OAuth 2.0 web-server flow once and
then store or hard-code the user’s credentials
There doesn't seem to be a documented way to do this (yes, I have searched) - could someone step me though it?
You don't use a regular account as a service account, these are different things. Each one is a type of application-owned account.
The regular account is just a normal Google account that your application uses. Since regular accounts require the manual authorization step (going to the browser, logging in to Google and authorizing your app), you need to do this manually the first time and then save the token. There's some examples in this page. After you save the token, your app can authorize itself without your intervention.
The service account is an account that is not associated with an user and that do not require manual authorization. You can create a service account in the Developers Console as described here. With this type of account, you use a private key file to authorize your app.
Unless you need access to the web interface of the account that will manage your files (for example, to buy more storage), I'd recommend using the service account, since it doesn't require the manual step.