I have this example - Embed API Third Party Visualizations - working locally and on a test server, but I'm unsure of what I need to do to ONLY display our organization's Google Analytics data instead of the user's personal GA account.
I created the project and clientID within our org's Google Account, but I'm obviously not understanding something big here.
I'm completely new to both GA's API and oAuth in general, so while I'm sure this has been answered multiple times, I wasn't completely sure which direction to look in. If someone can give a helpful nudge in the right direction I'll happily be on my way.
Thanks everyone!
Embeded API uses Oauth2 to authenticate. Oauth2 requires that a user give you access to their Google Analytics data.
You want to show your person Google Analytics data to other users. Normally I would say you should use a Service account, a service account gives the application direct access to a specific account it has to be set up like you would add a user to Google Analyitcs. The problem is the Embeded API uses JavaScript, for security reasons its probably not a good idea to use a service account with JavaScript. I also think it may be against Googles terms of service to use a service account with JavaScript. That being said I have never found anyone who has gotten a service account to work with JavaScript probably for the reasons I just stated.
Drop the embedded API and switch to a server sided language of some kind and code it yourself. What you want to do cant be done with the embedded API.
Related
Should I use a Service Account or an OAuth 2.0 Client ID?
I'm struggling to understand Google's documentation on authenticating for their APIs. I'm creating a basic application that will help users add and modify Google Calendar events for a single Google account (the account is shared between all users). I only need the application to access that one account, it'll never need to access any others.
It seems to me that Service Account would be best for this, but Google's documentation suggests Service Accounts should only be used for automated processes (unless I'm misunderstanding). For instance this page contains the following, describing when to use Service Accounts.
Would my application qualify as acting on the users behalf?
If so, I would want to use OAuth Client ID credentials, which will ask the user to sign in to a google account. In this case, is there a way I can guarantee they only sign in to the one account I want modified?
I can't find any decent documentation on the OAuth authentication requests to figure this out myself. If there is any could you point me there?
I'm sure I'm misunderstanding something basic here, but thank you for any help!
First off you should know that you can only use service accounts with Google aclendar api if you have a google workspace domain account.
You can then set up a calendar and a domain user that the service account can act on behalf of to control the access of that calendar.
Assuming that your application is going to preform all actions on this calendar then yes i would say that you could use a service account for this. If your app bacly has a ui with a calendar on it your just using google calendar to store the data.
However if you intend to share this calendar with the users themselves, this way they could see it within their own google Calendar account. Im not sure a service account would be the way to go.
If you want the users to be able to see it and make changes then you may want to just use Oauth2. Grant them access to the calendar and then request access to their calendar account.
Drawback to that option is going to be the verification process. You will get access to all the users calendars and your going to need write access.
If you can go with a service account you really should consider it it will save you a lot of hassle with verification.
I am trying to build a small toolbox of scripts such that I can automate some tasks involving Google contacts, calendar and so on. Most of the work is already done by means of the googlecl project, which looks very promising.
As far as I understand the process, googlecl needs to request an authentication ticket from Google by means of OAuth. Admittedly, I have only a sketchy notion of what is going on there, but that’s something that Wikipedia will help me solve.
Here’s the catch: My Google account uses a non-Gmail address (let it be vucar#example.invalid for the sake of this discussion). The account was created back in the old days when Google didn’t force GMail down people’s throats who have no use for it. googlecl will direct me to https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=…&hd=example.invalid to complete the OAuth handshake. Google will then tell me that ‘the domain name has not been signed up for Google Apps’. Which is correct.
If I don’t supply my user ID to googlecl, then the URL reads …&hd=default. Google will accept the OAuth request, granting whichever permissions needed to my locally running googlecl, but then googlecl will complain that the token was issued to a different user ID than for the user ID that was requested. Which of course is also correct.
I’ve read through https://support.google.com/a/answer/33419, which in turn redirects me to http://www.google.com/a in order to ‘to sign up your domain for Google Apps’. Apparently, if my Google account uses a domain different from #gmail.com, then I am a business user and need to purchase Google Apps for my domain—to get, amonst a truckload of other stuff, my domain connected to GMail, the polar opposite of what I wanted to have by having that ‘foreign’ domain in the first place.
I have to admit that I am stymied. I understand what OAuth in this case is used for, but I fail to grasp the byzantine reasoning at Google’s. I do not believe that I want Google Apps for my domain, and I especially do not want to hand over my emails or anything else to Google. I merely want to access and modify my data at Google’s, with my user ID happening not to end in #gmail.com.
Is it strictly required that I purchase Google Apps for Work for such a configuration? The contacts, calendars and so forth is already at Google’s, and used from both Google’s web site and Android clients. The only thing new to the mix is API access.
I've been trying to find a way to interact with Google's API (specifically, the Compute Engine API) without having the user authorise via a consent screen each time I need to reauthorise with Google.
The requests will be made when no user is present, so not having to authorise via a consent screen is an absolute must.
I'm using Go and the Go API Client Library.
Can anybody explain a method to achieve what I need to?
You should take a look at service accounts. They utilize the public/private key pair to authorize calls to Google API.
Google Developers has one very nice document explaining how service accounts work:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Here's how generate a service account:
https://developers.google.com/console/help/new/#serviceaccounts
You will also find the code samples in the first doc, but unfortunately not in Go.
However, there are some comments that I found here:
https://code.google.com/p/google-api-go-client/wiki/GettingStarted
Hope it helps.
I have a google calendar that I have marked as shared. it stores all appointments for the day.
I have a webpage. from the webpage, the user enters a date and I use the google api (javascript) to pull back all info from my shared calendar for that date and present it to the user.
I also want the user to be able to make appointments during free times on any given day.
problem is, I must be signed in to my google account. if I am NOT signed in, I get a little popup asking for my userid/password.
how do I get rid of that? I had hoped that making the calendar shared and specifying the client ID and api key (assigned via Google's API Console) would have been enough.
I've run across this: http://cornempire.net/2012/01/08/part-2-oauth2-and-configuring-your-application-with-google/ which explains doing this via Oath and refresh tokens in PHP.
unfortunately, I'm doing this in javascript and MUST do it from the client side. is that possible?
I think you should look into using a service acccount for this.
http://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
By using a service account you wont have to worry about people loging in. They will have access to the calender for the service account.
Update: I have searched for examples of how to do this in Javascript and have been unable to find any. After considering this issue for a while now i have come to the conculsiton that even if you could use a service account via javascript for security reasons its probably not a good idea.
Unfortuantly this leaves me to beleave that the anwser to your question is No. You cant do this client sided. If you use normal OAuth2 its still going to prompt you for the autentication. You need to try and reconsider a server sidded option. PHP for example
Our company has a web application that is only used internally by our employees. We also have Google Apps Premier Edition. We would like to make it so our employees can log into our private web application using the Google Apps account that they already have.
Requirements: We want to display our own login form. We don't want to pass the email/password in plain text through the internet.
Which authentication mechanism should we use to achieve this?
Note: our application is written in PHP using Zend Framework (if that matters).
I would look into some combination of OpenID and your domain users (i.e. only let those at domain.com can log in).
Google API
They also have libraries for PHP and other languages that you can leverage to make this happen.
EDIT:
Some more info
When it comes to integrate Google Apps and an internally used private system, we simply have two options.
Use Google as the authentication center. Modify the private system to authenticate at Google's server. We could use OpenID or AuthSub. Check http://code.google.com/apis/accounts/docs/OpenID.html and http://code.google.com/apis/accounts/docs/AuthSub.html for more information.
Use the private system as the authentication center. In this case, we have to implement SAML protocol in the private server and configure Google Apps's SSO settings. Check http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html for more information.
It is easier to accomplish SSO with the first method since there's already bunch of OpenID libraries out there. But, as you described in the requirements, you want to use your own login form. So I guess you have to go with the second method.
BTW, if your private system has to get or set information from Google, you may want to use OAuth for authorization. See http://code.google.com/apis/accounts/docs/OAuth.html for more information.
Use the ClientLogin API, it does exactly what you're after: allow you to verify username and password. (the link goes to provisioning API doco but that is not relevant here)
Pro's:
you get to use you own login form
Cons:
you don't get SSO with Google Apps, i.e. users already in Apps will be prompted to login again (you didn't mention that as a requirement, but it seems a reasonable thing to want)
Google won't like you (they're trying to discourage ProgrammaticLogin.
you will get occasional CAPTCHA tests you'll need to show your users.
OpenID specifically prevents you from displaying your own login page, so if that's a hard requirements, Programmatic Login is really your only choice.
Going the SSO route let's you do pretty much anything, but may be a bit of overkill to take on authentication for the whole domain to make one app authenticate in a nicer fashion? If you really want to go down this route, check out SimpleSAMLphp.