I'm not quite sure that this is the right place to ask my question, but I've searched all over and haven't been able to figure out my problem. Google Support told me to post in ththe AdWords API forum, and they sent me here. I have a developer account used for the Analytics API (520577192276#developer.gserviceaccount.com), which was set up several years ago by a colleague who is no longer with the company. I've looked for the password for this account all over the place, but I haven't been able to find it. I tried recovering the password, however the recovery email is the same as the email on the account (520577192276#developer.gserviceaccount.com), and since I can't get in to that account, I can't check the email.
We're very close to reaching the limit of 100 Google accounts for the 520577192276#developer.gserviceaccount.com account. I tried requesting an increase to 200, but I was told I needed to approve the request via email using the 520577192276#developer.gserviceaccount.com account, which as you see above, I'm not able to access.
It looks like this account is linked to another account we use (rioseo.ga#gmail.com) with Google Analytics and Google My Business. When I log into the Google Developer Console with the rioseo.ga#gmail.com account, I can see the API enabled for the 520577192276#developer.gserviceaccount.com, and all the other details related to the Analytics API. Is there any way I can recover or reset the password for 520577192276#developer.gserviceaccount.com so I can approve an increase in user accounts?
Related
Should I use a Service Account or an OAuth 2.0 Client ID?
I'm struggling to understand Google's documentation on authenticating for their APIs. I'm creating a basic application that will help users add and modify Google Calendar events for a single Google account (the account is shared between all users). I only need the application to access that one account, it'll never need to access any others.
It seems to me that Service Account would be best for this, but Google's documentation suggests Service Accounts should only be used for automated processes (unless I'm misunderstanding). For instance this page contains the following, describing when to use Service Accounts.
Would my application qualify as acting on the users behalf?
If so, I would want to use OAuth Client ID credentials, which will ask the user to sign in to a google account. In this case, is there a way I can guarantee they only sign in to the one account I want modified?
I can't find any decent documentation on the OAuth authentication requests to figure this out myself. If there is any could you point me there?
I'm sure I'm misunderstanding something basic here, but thank you for any help!
First off you should know that you can only use service accounts with Google aclendar api if you have a google workspace domain account.
You can then set up a calendar and a domain user that the service account can act on behalf of to control the access of that calendar.
Assuming that your application is going to preform all actions on this calendar then yes i would say that you could use a service account for this. If your app bacly has a ui with a calendar on it your just using google calendar to store the data.
However if you intend to share this calendar with the users themselves, this way they could see it within their own google Calendar account. Im not sure a service account would be the way to go.
If you want the users to be able to see it and make changes then you may want to just use Oauth2. Grant them access to the calendar and then request access to their calendar account.
Drawback to that option is going to be the verification process. You will get access to all the users calendars and your going to need write access.
If you can go with a service account you really should consider it it will save you a lot of hassle with verification.
I have a platform that allows people to sign up/log in with their Google account.
Inside the platform, there is a calendar feature where people can connect their Google Calendar and share the data between our app.
I'd like to know if there's a way to separate google calendar with the normal login stuff, so when they sign up with Google, we won't be asking for their Google Calendar permission. Once they are in the app, if they want to connect their Google Calendar, they can do so by clicking another button.
Currently, the 2 things are linked together and I'd like to separate them.
My app is https://clascity.com/
Any help is greatly appreciated!
Just because you use Google signin (openid connect) does not mean that you have permission to access the users Google calendar data.
Google calendar data is private user data, you need specific permission to access the users calendar data, you cant just let them login without asking for permission to access the data you need to access. The user needs to know what data you will be accessing and accept that specifically though the authorization form that google supplies.
Yes, in fact, what you are suggesting is considered a best practice [1]. Use incremental authorization as described here [2].
[1] https://developers.google.com/identity/protocols/oauth2/policies#unbundled-consent
[2]
https://developers.google.com/identity/sign-in/web/incremental-auth
I'm using Google Sign-in to register and login users to my web app.
We are an edtech product, so I would like to make sure users are registering with a google account that is tied to a school and not using their personal google accounts.
Is this possible?
I don't see a field in user that would indicate this. I also can't find confirmation as to whether or not school google accounts can have an #gmail.com email or if they must use a custom domain.
Note that these account may or may not be using Google Classroom, so I can't rely on that.
Unless you have a List of the "school" accounts and can test against that there is no way for you to know.
Google is not going to tell you if its a school google account. They may know if its a google classroom account but that kind of information is not shared at login time. Probably due to user privacy.
I was a victim of yesterday's google doc phishing attack. The email I received had a link and when clicked it asked for certain permissions. I gave access at that time but after few minutes I removed the permission from my google security page. However I am not sure what kind of permissions were given to the hacker. If I click on the link now the google page shows this message.
Error: disabled_client
The OAuth client was disabled.
Request Details
client_id=946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com
scope=https://mail.google.com/ https://www.googleapis.com/auth/contacts
immediate=false
include_granted_scopes=true
response_type=token
redirect_uri=https://googledocs.gdocs.pro/g.php
customparam=customparam
That’s all we know.
What kind of permissions were given to the hacker based on the above information? I am more interested in whether the hacker had access to my emails or not.
If they were able to gain access to my emails, is there a way to check whether or not they were able to successfully download my emails? I had removed the permission few minutes after giving access.
The hacker had access to your contacts and your mail account, as visible in this line:
scope=https://mail.google.com/
https://www.googleapis.com/auth/contacts
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.