I have a google calendar that I have marked as shared. it stores all appointments for the day.
I have a webpage. from the webpage, the user enters a date and I use the google api (javascript) to pull back all info from my shared calendar for that date and present it to the user.
I also want the user to be able to make appointments during free times on any given day.
problem is, I must be signed in to my google account. if I am NOT signed in, I get a little popup asking for my userid/password.
how do I get rid of that? I had hoped that making the calendar shared and specifying the client ID and api key (assigned via Google's API Console) would have been enough.
I've run across this: http://cornempire.net/2012/01/08/part-2-oauth2-and-configuring-your-application-with-google/ which explains doing this via Oath and refresh tokens in PHP.
unfortunately, I'm doing this in javascript and MUST do it from the client side. is that possible?
I think you should look into using a service acccount for this.
http://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
By using a service account you wont have to worry about people loging in. They will have access to the calender for the service account.
Update: I have searched for examples of how to do this in Javascript and have been unable to find any. After considering this issue for a while now i have come to the conculsiton that even if you could use a service account via javascript for security reasons its probably not a good idea.
Unfortuantly this leaves me to beleave that the anwser to your question is No. You cant do this client sided. If you use normal OAuth2 its still going to prompt you for the autentication. You need to try and reconsider a server sidded option. PHP for example
Related
I have a platform that allows people to sign up/log in with their Google account.
Inside the platform, there is a calendar feature where people can connect their Google Calendar and share the data between our app.
I'd like to know if there's a way to separate google calendar with the normal login stuff, so when they sign up with Google, we won't be asking for their Google Calendar permission. Once they are in the app, if they want to connect their Google Calendar, they can do so by clicking another button.
Currently, the 2 things are linked together and I'd like to separate them.
My app is https://clascity.com/
Any help is greatly appreciated!
Just because you use Google signin (openid connect) does not mean that you have permission to access the users Google calendar data.
Google calendar data is private user data, you need specific permission to access the users calendar data, you cant just let them login without asking for permission to access the data you need to access. The user needs to know what data you will be accessing and accept that specifically though the authorization form that google supplies.
Yes, in fact, what you are suggesting is considered a best practice [1]. Use incremental authorization as described here [2].
[1] https://developers.google.com/identity/protocols/oauth2/policies#unbundled-consent
[2]
https://developers.google.com/identity/sign-in/web/incremental-auth
Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
I'm faced with a difficult scenario regarding OAuth 2 authentication and Google's Calendar API.
I am attempting to write a PHP script which processes my personal calendar data after being triggered by a POST call from an external source. However, I am having trouble granting the script access to my account. Since the script runs entirely in the background, there is never an opportunity for me to enter the authorization code which is required for PHP command line tools making Google API requests.
I have looked into Service Accounts, which grant access to personal data without individual approval, but unfortunately this is only available to G Suite users, which I am not.
I have also attempted to run my script manually, enter the code to authenticate, then run it from my external source. This doesn't work either, because the authorization codes are apparently only good for the same mode of access where it was entered, and the response to the external source still shows as asking for the code.
Lastly, please note that responding with the authorization code from the external source is not an option. Which I can activate the trigger, I cannot change how it works or the data it passes.
TL;DR: How do I grant a PHP script (which runs only in the background) access to my personal Google Calendar data?
Thanks in advance!
Articulating this question actually helped me better formulate my Google searches, and I found the answer!
I'll leave this question/answer here so somebody can hopefully benefit from it -
Turns out that the Service Account is the way to go, but instead of trying to access your account's data via the service account, you need to share the calendars in question with the generated service account email address. Essentially, this makes the service account a "co-owner" of the calendar. Then, you simply make the request to the service account's own information.
Hope this helps!
I have this example - Embed API Third Party Visualizations - working locally and on a test server, but I'm unsure of what I need to do to ONLY display our organization's Google Analytics data instead of the user's personal GA account.
I created the project and clientID within our org's Google Account, but I'm obviously not understanding something big here.
I'm completely new to both GA's API and oAuth in general, so while I'm sure this has been answered multiple times, I wasn't completely sure which direction to look in. If someone can give a helpful nudge in the right direction I'll happily be on my way.
Thanks everyone!
Embeded API uses Oauth2 to authenticate. Oauth2 requires that a user give you access to their Google Analytics data.
You want to show your person Google Analytics data to other users. Normally I would say you should use a Service account, a service account gives the application direct access to a specific account it has to be set up like you would add a user to Google Analyitcs. The problem is the Embeded API uses JavaScript, for security reasons its probably not a good idea to use a service account with JavaScript. I also think it may be against Googles terms of service to use a service account with JavaScript. That being said I have never found anyone who has gotten a service account to work with JavaScript probably for the reasons I just stated.
Drop the embedded API and switch to a server sided language of some kind and code it yourself. What you want to do cant be done with the embedded API.
Currently using the OAuth server side one-time-code flow, discussed here:
https://developers.google.com/+/web/signin/server-side-flow
Works perfectly for google login.
I want the ability, though, to limit this login to only work for users that belong to a specific apps domain.
Is there any way to enforce this through the api?
OR am I limited to only doing this on my end after google authentication by regexing the email domain? (I would like to avoid this).
Thanks!
There is no support for doing this through Google login. We could allow a developer to set some restrictions on the client id if there are good use cases and a lot of developers would benefit with it. The primary issue I see with is the error message that we have to display to the user. It is better to display that error (and explain) on your site.
In general, as a good practice, you would always want to do the checks on your system/services regarding the authorized user (e.g. check domain)
The only way I can see to do this on the API is to use the fully server side flow (OpenID Connect).
The docs are here:
https://developers.google.com/accounts/docs/OpenIDConnect
With the parameter of interest here:
https://developers.google.com/accounts/docs/OpenIDConnect#hd-param
It doesn't appear to be possible with the server side one time code flow