Can I access my SkyDrive using a permanent access token?
Basically, I want to grant a particular app (my own) permanent access to my personal SkyDrive account. Possible?
My use case: I'm storing some content on my personal SkyDrive, and I want to access that through my C# web app, but I don't want to have to authenticate on the client every time.
Asking around on the SkyDrive API forums, it sounds like this isn't possible.
What is possible, however, is authenticate once using OAuth, then use the refresh token passed back in the initial authentication to refresh the authentication.
Related
I'm trying to get some data from a user (searchconsole):
the user first grants permission on a website.
Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.
What is the easiest/safest way to achieve that?
Should I use the same token for both servers?
or is there a solution using the service account impersonation? (I'm stuck on that one)
use the permission on the web server to add the service account as a searchconsole user?
I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers.
I also read the doc and all examples I could find, but didn't find my case even though it seems basic.
Should I use the same token for both servers?
Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.
or is there a solution using the service account impersonation? (I'm stuck on that one)
Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.
In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts
use the permission on the web server to add the service account as a searchconsole user?
I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.
For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.
I'm making calls to a Web API using a xamarin mobile app and I was wondering when receiving my authorization bearer token could I not simply store it in the xamarin.auth account store along with the user's credentials? I figured this would be a better place than say a global variable in the app. Looking for feedback and any better options. Thanks!
In my opinion there is nothing wrong with using the account store for storing an access token (using the account properties dictionary). I did it myself on one app where I didn't have any other data to persist, so didn't have a custom data access layer.
Access tokens should not be stored. Refresh tokens are OK, but Access not.
From security point of view.
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.
I'm working with 3 Google API Services(Analytics, Webmasters, PageSpeed). I have a single Google API client ID(with all 3 services activated) and common Google API PHP SDK in my server.
User of this aplication should be able to grant and revoke access for each service independently at any point of time depending on his usage. Is this possible?
Testcase:
If user wants to use only analytics service initially, he should be able to grant access for only analytics and later if he wants to use pagespeed service also, he should be able to grant for pagespeed also without compromising access for analytics. If he wants to use analytics & webmasters later, he should be able to revoke only pagespeed access without compromising the access for analytics or webmasters.
When you request an access token, you specify the resources you want access to. If later you need to access another resource, you request another token for that resource.
You can simplify your implementation by setting the include_granted_scopes to true when requesting the token. This will include all previous authorizations so you only need to deal with the new token.
AFAIK there's no way to revoke access to specific scopes, even though the documentation mentions that "When you revoke a token which represents a combined authorization, all of the authorizations are revoked simultaneously;". This actually happens even when revoking individual tokens. Also, the Google account user interface does not allow the user to specify which permissions he wants to keep, it's only possible to revoke all access from an application.
See the docs for incremental authorization.
My app allows users to authorize access to their Google Drive via OAUTH. I provide a way to "unlink" their Google Drive from my app. When they request this, I discard their current access token and their refresh token, so things are done from my side.
Is there any way to remove the authorization scopes initially enabled during OAuth from Google's side?
To be specific, I'd like my app to stop being listed for the user on:
https://accounts.google.com/b/0/IssuedAuthSubTokens
I'm not sure if that's a good permanent URL (/b/0/ looks suspicious..)
Yes, you can explicitly revoke the token.
https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke