I want to run automated scripts to read files from a Dropbox folder on our server. I started looking into the dropbox gems that are out there, and they all seem to require the user to authenticate a session by opening a browser. This obviously doesn't make sense for an automated task. Is there a way to do this without requiring a user to actually open the browser manually?
The reason that they all require a web browser is that Dropbox uses OAuth v1. There is a way around this that may not be 100% in spirit with the Dropbox API T&C.
I would start by creating a Dropbox account that will be the user account you use from the scripts. Manually login as this user and go to the authorization URL for your app and approve it.
In your scripts you'll create an HTTP connection that uses that user id and password to login. You'll need to keep the information in the response that describes the user's session. Use the session information to create a second HTTP connection to the authorization URL. Since the app is already authorized, you'll just need to capture the session token from the redirect URL.
The definite downside to this is that the password for the user is in your script. :P
Related
I'm trying to get some data from a user (searchconsole):
the user first grants permission on a website.
Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.
What is the easiest/safest way to achieve that?
Should I use the same token for both servers?
or is there a solution using the service account impersonation? (I'm stuck on that one)
use the permission on the web server to add the service account as a searchconsole user?
I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers.
I also read the doc and all examples I could find, but didn't find my case even though it seems basic.
Should I use the same token for both servers?
Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.
or is there a solution using the service account impersonation? (I'm stuck on that one)
Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.
In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts
use the permission on the web server to add the service account as a searchconsole user?
I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.
For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.
I've found plenty of information on implementing Oauth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a gmail inbox for attachments transforms them, and exports to prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config or any other for that matter to retrieve a token without involving a manual user step.
Will doing this in Go require writing direct API calls since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?
First off i understand what you are trying to do.
You have a backend system running in a container which will access a single gmail account and process the emails.
Now you need to understand the limitations of the API you are working with.
There are two types of authorization used to access private user data
service account - server to server interaction only works with workspace domains. No authorization popup required.
Oauth2 - authorize normal user gmail accounts, requires user interaction to authorize the consent screen
If you do not have a workspace account and this is a normal gmail user then you have no choice you must use Oauth2, which will require that a user authorize the application at least once.
Using Oauth2 you can request offline access and receive a refresh token which you can use to request new access tokens when ever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must in production and verified. This means you need to go though Googles verification process with a restricted gmail scope which requires third party security check and costs between 15k - 75k depending upon your application.
I understand that this is a single user system but that does not mean that you still need to go though verification. When google added the need for application verification they did not take into account single user systems like yours.
Option
Have you considered going directly though the SMPT server instead of using the Gmail api? If you use an apps password you should bypass everything by loging in using the login and the apps password.
On apps like twitter and snapchat, if you changed the password from the web, it wouldn’t allow you to get into the app without re-authenticating with the new password. When changing your password with Parse Open Source Framework, does it implement this functionality automatically on mobile or would the developer need to implement it themselves?
You have to do it by yourself. Check the following tutorial, section Handling an Invalidated Session:
https://parse.com/tutorials/integrating-facebook-in-android
I'm trying to build a simple ruby command line facebook client that will display all of the user's friends to the screen (fb_friends.rb) and I am using the fb_graph ruby gem: https://github.com/nov/fb_graph
The problem is, the method user.friends needs to have the user authenticate the application first.
I've read a similar question here: Ruby Command line application to update Facebook Status
And from what I understand, you cannot authenticate a user in the command line.
My question is: Is there any other way to authenticate the user?
What I'm thinking: On authentication, the default web browser of the user's system will pop out, then the user will grant access and authenticate, now the browser window will close and the user will return to the command line app and there he can see the list of his friends.
Is that possible?
Thanks
This isn't currently possible with Open Graph applications without sharing a server-side authentication token. Facebook requires you maintain control (and not share) your Applications authentication token. If a user were to abuse the command line application, and make a large number of requests to the server, using your app ID and token, you would be the one on the hook.
The best way to accomplish your goal is with a server under your control in between your command line application and the Facebook graph api. The command-line api could direct the user to your website where they would hit the "Facebook Connect" button. The user would authenticate the application with your server, and you could provide them with a token they could pair with their user ID to post status updates or retrieve friends through your server.
The command-line api would interact with your server, and your server with the Facebook Graph API.
A strong side benefit of this approach is that if Facebook's API changes, your clients would not break (no need to change your own server's API).
Can anyone tell me how I could go about authenticating with the various OAuth login mechanisms on the internets (Twitter, Facebook) so that I can run scripts against these services.
As an example, right now when I use Facebook data I goto graph.facebook.com and copy paste the access key from the URL. Obviously this is a bad approach, it has sufficed for now, but is not really an option anymore :)
I've checked out the documentation on the facebook site in particular which requests that I use a callback urL and so on. I'd like to be able to make a call from a ruby script which requests the OAuth token instead.
Is this even possible?
P.s This would be using my own credentials.
Yes, it is possible. http://developers.facebook.com/docs/authentication/ "Authenticating as an Application" section.
You can get the Access Token using a web redirection, and then store it to perform further offline operations. Some APIs need explicit user scope permission to do that.