We are using the refresh token to get Google Calendar free/busy events. When our application connects with Google account of a user for the first time, we obtain a "Refresh Token" and store that in our database and use that for fetching free/busy events from Google. Things were working fine but now the problem is that whenever a user changes its Gmail password then we're unable to call the Google Api using the stored refresh token. The reason we've have found is that Google revokes the Api access for all applications associated to that account on password change/reset. In our application, calendar is still connected to Google (because we do not make call to reconnect with google again). How can we check/identify if the stored Refresh token is still valid or not? Is there any suggested workaround for this problem?
Related
I have a web app which sends emails (gmail) in name of my users
When a user registers, she supplies gmail account and password. Also she has to enable access for Less Secure Apps (I recommend to create a new account for this)
Then I can open a gmail session
session = Session.getInstance(props, new javax.mail.Authenticator() {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(user.getEmail(), user.getPassword());
}
});
and send emails on her behalf.
Unfortunately this is going to stop working next 30th May, when Google will allow only OAUTH2 access
I have followed Java Quickstart for Gmail API and I have code up and running for sending emails with OAUTH2: enable gmail api, create an application on google cloud platform, grant send permission, oauth2 client id credential created...
The problem I have is I can't see a way to automatize this task because when creating an authorized credential, a consent screen displays on browser and you have to select the account to be granted manually (maybe because my app in google cloud platform is still pending to be reviewed)
Is there a way to infer the gmail account you want to access from the credentials file (client_secret.json)? Is there a way to automatize this?
No, or yes. It depends.
The whole point of OAuth2 is to improve security by working with authorization tokens rather than asking for user credentials. To do this the user has to consent to the app's access request, and thus the OAuth consent screen cannot be bypassed. This is
explained in Google's documentation. It's not related to your app's review status but rather it's the way OAuth works.
You can still work in a similar way, though . Instead of asking for username and password upon the user's registration you can redirect them to the OAuth consent screen so they can authorize your app. Make sure that your app is requesting offline access type and then you can retrieve an access_token and a refresh_token. These will essentially work as your credentials and you can use the refresh token to generate new access tokens when needed without having the user go through the consent screen each time.
The refresh token doesn't have a "natural" expiration so you can keep using it indefinitely, but there are a few scenarios where it will become invalid, such as it not being used for six months, the user changing passwords (if using Gmail scopes), the user manually revoking access, etc. In these cases you will need to direct them to the consent screen again to reauthorize your app.
In this sense, your app can still work automatically without user input except the initial setup, which you already had to deal with when they supplied you with their credentials. The refresh token expiration can even be compared to what you had to do when the users changed their passwords in your current workflow.
One exception to this are service accounts. If you and your users are part of a Google Workspace domain you can delegate domain-wide access to it, then the service account will be able to access user data without any manual input. Of course, this is because as the domain administrator you pretty much own all the accounts under it. But if you're working with a publicly available application you will have to deal with the limitations I mentioned above.
Sources:
Google's auth overview
Using OAuth 2.0 to access Google APIs
OAuth 2.0 for web applications
The OAuth consent screen
In our service, we offer Google Sign-In alongside email/password sign in, and need to know when a user loses access to their Google account so we can disable an integration.
Without forcing the user to re-authenticate with Google Sign-In, how can we detect when they lose access to their connected Google account?
The approach that I am thinking through my search is
obtain access_token and refresh_token through OAuth 2.0 authentication when user signs in on our service with Google Sign-In, save them in our database
periodically, make request to https://www.googleapis.com/oauth2/v3/userinfo using saved access_token (we will get an error if user's google account is closed)
if access_token is expired, retrieve another one using refresh_token, then re-try step 2
Is this the right approach or is there a better way to achieve what we want?
Google OAuth 2.0 Tokens expire in 3,600 seconds. They are valid until they are revoked or expired.
When you request the access token, make note of the expiration time in your database and consider the token valid until expiration.
The other option is to continue validating the access token on every request which takes more time than it is usually worth.
Google does not have a callback mechanism to notify you of expiration or revoking of a token.
I am using gapi.auth2.authorize to authorize people in my Google Photos API app but I cannont find a why to unauthorize or disconnect them from the app. What I have noticed though is that there is no way of using an old access token so that the user doesn't need to authorize.
How can I make the access token invalid?
Is it correct that every time the API is used the user has to authorize?
Thanks
How can I make the access token invalid?
Not possible to invalidate an access token, it will expire after 1h
You can check documenttation here
Is it correct that every time the API is used the user has to authorize?
Nope, you should ask users to authorize only once, using a refresh token that you can keep in your back-end, thus allowing your app to content on on users behalf all the time, until they revoke permissions
I'm developing an application that utilizes Google sign-in and the Gmail API. My test users, once logged in, keep receiving an email like the attached file.
Other applications with similar functionality (basic email access) do not seem to trigger these emails. Any ideas? It makes my app seem less trustworthy.
One possibility is that you are obtaining tokens with offline=true indicating a requirement to use the refresh token to renew expired access tokens. If you only require short-term access, perhaps you should remove the offline parameter in the construction of your auth request link.
In this scenario once the access token expires, then the scope will no longer be usable or renewable and so your end-users should not receive the alert emails.
I have an app in NodeJS which calls the outlook api and reads a user's mails. I'm connecting this to a MySQL db where I'm storing specific email replies.The app is working perfectly.
My problem is that I have to sign-in every hour to refresh the access token.
I need a way of calling the outlook api, returning the emails, store them in a db, and then expose them through an API. And I wanna automate this outlook api call through a cron job.
Does anyone have any ideas on how I can accomplish this?
What I believe you are looking for is App-only access a.k.a access without a user. More on this below.
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
In addition, you get a refresh token along with the user consented access token. You can then refresh the access token periodically using the refresh token. More on this below:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code#refresh-the-access-token