User data through Google APIs without authorization flow - heroku

I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.

An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount

So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.

Related

Debug redirect_url in oauth2 flow

We are using Go server side code to interact with Google Ads REST API.
Namely, we authenticate it with help of "golang.org/x/oauth2" and
"golang.org/x/oauth2"packages.
In May (and recently again) we've got a email from Google regarding deprecation
Out-of-band flow, essentially rewording of this
one.
But additionally to common information, Google email listed account, which we
are using to authenticate, as being used in OOB flow and going to be blocked.
We checked our sources and available sources of mentioned packages but was not
able to find redirect URIs which are said to be used for OOB flow as one of
those:
redirect_uri=urn:ietf:wg:oauth:2.0:oob
urn:ietf:wg:oauth:2.0:oob:auto
oob
We explicitly use http://localhost in our code and long-live refresh token
(which seems never expires).
We also tried to use tcpdump to monitor our API calls, but was not able to
learn much from it, because calls are made via https and, therefore, encrypted.
We considered to use man-in-the-middle kind of proxy like
https://www.charlesproxy.com/, but haven't tried it yet, because it become
non-free and because of complexity of setup.
We tried to log our requests to API endpoint with custom RoundTripper, but
have not spotted anything suspicious. It seems that we're using refresh token
only and exchange of code to refresh token just never happen in the code.
Because of this, we don't think that further logging or monitoring with
decrypting https packages may help (but we open to suggestions how to do it better).
Finally, we decided to create a new OAuth 2 Client in the Google console with
fresh set of client id, client secret and refresh token. We obtained a new
refresh token with oauth2l and replaced
credentials in our configuration. But still, we are not sure that new account
will not be blocked by Google due OOB deprication, because seemingly it looks
the same as old one.
Questions:
Why may Google mark our account as OOB?
How can we ensure that newly created account will not be blocked?
Same here.
I find out an answer, that says "Desktop" type of Credentials uses OOB by default. Probably you need to create new Credentials with type "Web"

Limits when accessing Google APIs using Service Account vs OAuth

My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.

Login with Google+ account programmatically

there is a service where one can authorize using their Google account.
I need to automate the workflow with that service, so my software has to log-in with a given Google account.
But as I've never done that before I don't know where to start. Most related answers suggest to display the authorization page to the user letting them to enter their login/password of their Google account, but that's not the case since my software must be fully automated, plus it is being ran in terminal mode so no browser neither any human to enter anything should be involved.
I wonder if such automation could be possible and where should I start.
The standard way to authenticate a user with google is through a three-legged oauth authentication flow (in a browser). You can do this in go using the oauth2 or with a more comprehensive package like goth
The general flow is:
redirect user to a landing page on google's site where they are prompted to grant you access.
google will make a callback to your site with a special code.
you make another request to exchange that code for an access token and a refresh token.
Use access token to use google apis, and use refresh token to get a new access token anytime it expires.
It is more detailed than this, and there is a lot to get right to keep it secure, but that is the general idea.
Now, like you've said, your app is a command line thing, so it is hard to do that flow. Unfortunately, you may need to do that once, just to get a refresh token. Once you have that, you could give it to your application: myapp -google-token=FOOBAR123, and your app can exchange the referesh token for a valid access token.
Maybe this will help: https://github.com/burnash/gspread/wiki/How-to-get-OAuth-access-token-in-console%3F

Yammer OAuth Impersonation Token Storage

I have started building a C# asp.net website that will have the ability to post directly into Yammer (we have Yammer Enterprise). I have used the REST api to create a post and have also been able to create in impersonation token to post on behalf of other users. It works fine, but reading the documentation, the tokens seem to have an indefinite lifetime. Forgive me is this is a stupid question, but is there an expectation that as a developer, I should store the token locally (eg in a SQL table) and reuse local version for future API calls?
If the API call fails, then I assume I regenerate the token and re-store for future use?
Thanks
Andy
Yes, these tokens don't expire until an account is suspended or deleted in Yammer, or the user manually revokes the app. Until that changes you need to be very careful with handling these tokens. Applying encryption, permissions, and other techniques to secure your app is the best way to protect them.
You might also consider storing the time when the token was acquired or last used. Then delete the token after a period if it hasn't been used. That will protect the user.
In your UI make it clear what your app does with Yammer so that users authorizing it are aware of what they are opting into.

How to keep user authenticated long term using google api client library

Background
I'm working on an app that will run on a device which does not contain a browser, but I want to get the users google tasks through the google api.
Because of the lack of browser, they can't authenticate on the device, so I have it set up in such a way that they visit a website and authenticate there, then the device makes http requests to the website to get the data it needs.
Problem
Once I got everything working this system works out OK, the problem is it only works for a day or so before the user has to visit the website again to refresh their access token.
It would be great if the user could be authenticated for very long periods of time, or even forever (not sure if that's possible or secure). Can I get some suggestions on what people think is the best way to accomplish this kind of long term athentication?
Refresh tokens?
I've heard there is a way to store the user's refresh token in a database and somehow use that to refresh their access token. If this sounds like a good way, can anyone point me in the direction of an example to get this to work?
I've been using the google api client library for ruby
Thanks a lot!
You're on the right track with the refresh tokens. I can't help too much with the Ruby API, and honestly I just did this calling the REST api directly, but this doc should help you understand the actual calls you need to make.
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Note that for a lot of their examples you need to remove the newlines for them to work.
Basically like you said, you need to send the user to https://accounts.google.com/o/oauth2/auth with the access-type=offline parameter for them to give consent. This comes back with an authorization code, which you send to /o/oauth2/token. This comes back with an access token and a refresh token. You can use the access token immediately, and you store the refresh token, which never expires. When the access token expires you send the refresh token to /o/oauth2/token (note that the grant_type changes to refresh_token) to get a new access token.

Resources