I've been working as a consultant on an Android project that uses Google oAuth2 to authenticate and identify it's users. The Android project is in production and available for download on Google Play. The oAuth client ids and the entire Google API project was setup by me using a Google Apps e-mail address setup in my name on the client's domain.
Since the project has been released and my work with the client is finished my e-mail address has been deactivated and subsequently deleted (or so it seems, the client claims to not being able to recreate it). Since my e-mail account was set as the owner of the API project the deletion of my e-mail address has resulted in the deactivation (or deletion) of the API project as well. This has of course seriously crippled the app in question.
To get things up and running again a new e-mail address was set up for me on the client's domain and I created a new API project. The problem is that I'm unable to create the oAuth client ids since the packagename and SHA1 key are the same as for the app already live. I get the "This client ID is globally unique and is already in use" message and I seem to be stuck in a very awkward situation. I see a couple of possible solutions but I'm not sure how to proceed:
Reactivate the original e-mail address in the hope that the API project is still linked to that account
Reactivate the Google API project with the help of a Google engineer and assign it to an e-mail account on the client's domain
Delete the client ids from some Google database with the help of a Google engineer and setup a new API project and release a new version of the app.
Worst case: accept the loss, change package name, release a new app and kindly ask users to migrate to the new app.
I've read that Google monitors the google-oauth tag here on SO and I hope to get some help either from the SO community or Google itself. Many thanks in advance!
In the future, please coordinate for long-term ownership of the project, since the Google accounts that own the project are an important aspect of Google's authorization system. For instance, the owner of the project signs ToS for accessing the APIs on behalf of users.
I will follow up with you to find a way to sort out this issue.
Related
Just looking for some general advice here.
I want to build a Slack app and publish it publicly to the Slack App Directory, for anyone to use. The basics of the app are:
When you paste a link to a specific domain in a Slack message, a bot will fetch additional information about that link from a Rest API my company built.
The roadblock I'm running into is that our Rest API uses Basic Auth for authentication, and I can't figure how or where in the Slack App setup flow to ask the user to enter their API key.
Does anyone have any advice on how to ask for user input when setting up a Slack app, so that the user can enter their API Key for our REST API?
Thanks!
OK, I will assume that the API key is individual to each user.
I would suggest to ask the API key as part of the installation process for your Slack app on your website and then store the connection between Slack user ID and API key as part of the installation process. It is in fact possible to have individual installations of the same Slack app to a workspace for each user. This is called "configurations" (e.g. the Twitter app for Slack is using this feature).
This requires each user who want to use the app to go through the installation process and also all users need to have permissions to install this particular Slack app (which can be configured by admin).
I received this message for the second time and i still dont understand why. Can someone help me?
Action required: Critical problem with your Google Cloud/API project
Youtube API (id: tonal-topic-123301)
Dear Developer, We have recently
detected that your Google Cloud/API project Youtube API (id:
tonal-topic-123301) is using a Google product name as the project name
shown to users on the OAuth consent screen, which violates the Google
API Services: User Data Policy. You can fix the problem by revising
the project name and other relevant content so that the OAuth consent
screen shown to users accurately reflects the identity of your
application. To revise the project name visible to users, please take
the following steps:
Please review the Google API Services: User Data Policy, specifically
the following section- "Do not make false or misleading statements
about any entities that have allegedly authorized or managed your
application. You must accurately represent the company, organization,
or other authority that manages your application. Making false
representations about client credentials to Google or Google users is
grounds for suspension."
Sign in to the Google Cloud Platform Console.
Select your project.
On the Home Page Dashboard, select Go to APIs overview under APIs.
In API manager, select Credentials on the left bar, then select OAuth
consent screen. Change the name in the field under Product name shown
to users and then click on Save. We will suspend your Cloud project in
3 days unless you correct the problem. Please submit an appeal if you
have any questions. Please note that you should be logged in as the
project owner to access the appeals page. For more help on submitting
an appeal or to learn more about the process check the Policy
Violation FAQ. Please take a moment to review the Google API Services:
User Data Policy, the Google API Terms of Service, the Google Cloud
Terms of Service and the applicable Terms of Service for the specific
Google API you are using so that you do not violate our terms and
policies in the future.
This is obviously a naming issue regarding something in the google product range.
You Should be able to re-name your project to solve this.
If not, try a Google forum or help pages.
The problem you are having is that Google does not allow you to use a Google product name as the name of your in your application. Users can become confused and assume your third party application was created by them.
How to fix it:
Go to Google Developer console find the credentials screen. Click on the Oauth consent screen tab at the top rename your application.
Note: If you don't do this google is going to shut down your application they are very picky about this.
Since approx 5:30 UTC we are receiving only this response for this api call
https://www.googleapis.com/appsmarket/v2/customerLicense/{appId}/{customer}
{"error":{"errors":[{"domain":"global","reason":"forbidden","message":"Not authorized to access the application ID"}],"code":403,"message":"Not authorized to access the application ID"}}
but there has not been any previous development or changes on our side and this affects all of our marketplace applications.
Any ideas what is going on and how to fix/workaround this issue?
This issue should now be fixed by Google.
If you are still experiencing 403 Forbidden on marketplace API calls make sure you are following these guidelines
Access to these APIs is restricted: only project members of the
Developer Console project associated with your application may use the
API. Specifically, these project members must be in Can Edit or Is
Owner roles. You may also access UserLicense and CustomerLicense as
the logged in user to your app. Refer to
https://cloud.google.com/compute/docs/access/add-remove-change-permissions-for-team-members to learn how to
add members to your project.
For example by doing the API requests using a service account in the Google Cloud Platform Project for you application without using any impersonation/delegation.
I have ran into a problematic situation, which I really hope I can get help with.
I'm working on Jive Software solutions and we have a product that integrates Google Drive and Gmail.
This integration product was once part of a startup that was acquired by Jive and as such, the Google api project we are using for the integration belongs to a Google Account of a specific person which no longer works in Jive (we do have the credentials for the account though).
The problem is, that we want this account to be ours, i.e, a Jive software one.
So, one option I have, is to create a new account and replace the api account I'm using in the code to use the new one. This is bad, as it will break all the current authenticated clients, and will force them to take the oauth process all over again.
The other option I see, is to convert the existing Google account we are using to a jivesoftware one, so it will not be associated to any specific person but it will still be the same account.
Specifically I'm interesting in changing the Name and Email of this account.
Any suggestions of how we can achieve that?
A third option could be moving the api project to owned by another google account, but I couldn't find such an option in the UI, any clue?
There is no way to change a gmail address. You can forward all email to a new address with the name and email address you would like though.
This way you access all the email from an account that is a Jive software one but it is being forwarded from the old one still. However no one directly accesses the old one.
Check out https://support.google.com/mail/answer/10957?hl=en for more info.
According to the documentation, if you use Gmail with your Google Account, it's not currently possible to change your Gmail username after you've registered. with your username being the full email address you used to create your account. You can, however, change your nick name by going to https://myaccount.google.com and clicking Personal Info.
We've migrated our app from the old marketplace to the new one. After a few days we've received an email that we don't comply with an SSO policy - the user is not recognized after he installs the application.
In the old app we had a specific setup link, that was opened for the user after he installed the app - thus making him recognizable. Is there such a function in the market? Is there some sort of a callback for the installation event in the new marketplace?
P.S. the guy from Google told me to post technical questions on Stackoverflow and that "Our developer relations team monitors that forum and will be able to assist you."
EDIT:
There's the Additional app setup link in this after-installation popup (which clearly no user will click):
Is there a way to call the URL that of the Additional app setup in the background, without needing the user to click an obscure link?
That was an intentional design change which is different than how it used to work in v1 of the marketplace.
If you need interactive setup, best thing to do is put in a check on login to see if the domain has been configured. You can use the licensing API to check for a marketplace install record or directory API to check user permissions if those matter for your use case.
If you just need to run a background task, you can periodically poll the licensing API to detect new installations of the app. This shouldn't be done too often, so if you need to do things before a user logs you're still better off going with a check on login to route them to the setup flow as needed.