We have a Windows 7 Task Tray application that needs to access services in our Google App Engine application, and we are having difficulty making the OAuth connection between them work. For some reason our OAuth libraries that work with the Twitter and Tumblr OAuth implementations do not seem to work in this scenario with Google. Google is returning a 400 bad request response to the last step in the OAuth authorization sequence.
To debug the problem I am trying to use Google's OAuth 1.0 Playground page (http://googlecodesamples.com/oauth_playground/index.php). But I can't figure out what should be entered for the "scope" in step 1. If I enter the name of our GAE server the sequence will fail with the error message "Invalid scope". Clearly, choosing one of the provided scopes (the Google API services) is not an option for us.
Can anybody tell me how the OAuth scope designation should be set when accessing Google App Engine hosted services?
just for reference look at this blog,looks helpful in your case
http://ikaisays.com/2011/05/26/setting-up-an-oauth-provider-on-google-app-engine/
I think this Google Official Docs explains best how to set up an endpoint to your own appengine application. You question isn't very specific, but take note of the following that is being written in this document:
The scope of an authorization, how much the consumer is allowed to access, is for all of a single app. App Engine only supports whole-app scopes, and does not support more granular scope requests. When Google Accounts prompts the user to authorize a consumer, the prompt explains that the consumer is requesting permission to access the full app.
And did you set up OAuth on your domain?
The consumer performs OAuth actions using a set of standard web service endpoints. These endpoints use reserved paths on your app's domain. For example, if your app uses a Google Apps domain of www.example.com, the endpoints for the OAuth protocol begin as follows:
https://www.example.com/_ah/OAuth...
Related
I'm working on application which generates reports and statistics about youtubers channels. I couldn't find in Google docs, how the Youtube User can grant read-only access from my application to his Youtube account? (I'm meant something like facebook application).
I'm a little confused how many ways of authentication are in Google API and which one should I use.
When you want to access private channel data, you will need to use OAuth authorization.
The way this works is that your app redirects clients to Google's authorization page, on which they can pick a YouTube channel associated with their Google account. If they are not already logged-in, they will first be asked by Google to log in (authenticate) and then proceed to the authorization page.
Once on the authorization page, they can decide to grant or refuse your application access to whatever it is your application demands access to. This is the important part: When your application redirects the user to the authorization page, it must specify one or more scopes.
Scopes define sets of actions that an application can perform once the user gives their permission. An application cannot perform operations that aren't within the scope of its powers. The three most important scopes of the YouTube API are:
https://www.googleapis.com/auth/youtube: Manage your YouTube account
https://www.googleapis.com/auth/youtube.readonly: View your YouTube account
https://www.googleapis.com/auth/youtube.upload: Manage your YouTube videos
That means that you can ask users to give your application read-only access to their channel by configuring your app to use the https://www.googleapis.com/auth/youtube.readonly scope. This is an example of what the URL that your application redirects its users to could look like:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&
access_type=offline&
redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
response_type=code&
client_id=CLIENT_ID
If the user accepts, your server will be given an authorization code which it can exchange for a set of access and refresh tokens. The resource server (Google, in this case) will know with which scope these tokens were originally obtained and reject any calls outside of the scope.
This is what the authorization page currently looks like:
For more information, please read 'Using OAuth 2.0 for Web Server Applications' on Google Developers.
I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
I'm trying to write a CLI script (ruby) to manage my youtube videos. Technically I'm updating a script that I used in 2012 to do this. It appears that since 2012, youtube has discontinued the simple client authentication mechanism and moved to OAUTH2 (though I'm not totally sure).
I'm wouldn't be the first to say that OAUTH2 is hell (just google it). It's been 3 hours and I still haven't gotten my old script to even authenticate with google (using the youtube_it ruby gem).
I simply do not understand why I would need to use OAUTH to access my own account on Google? What am I missing? I thought OAUTH was so that separate users could give access to applications to temporarily access their data.
Is there another way? What am I missing. As one blogger commented OAUTH2 is enough to make one want to change careers. Even the lead dev quit the project.
The Youtube API docs is specific in stating that if you're going to use Youtube API (or other Google APIs), you must learn how to use OAuth:
If your application will use any API methods that require user
authorization, read the authentication guide to learn how to implement
OAuth 2.0 authorization.
Youtube has a Ruby Quickstart sample which includes the OAuth process.
I simply do not understand why I would need to use OAUTH to access my own account on Google?
I think OAuth answers exactly that question, "how will Google products know if you are who you claim to be?"
Read the OAuth Google guide for more info.
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and google. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.
for more detail study :-
https://www.rfc-editor.org/rfc/rfc6749
We publish an app that use OAuth 2.0 API access on Google Apps Marketplace. It got reviewed by Google and they said our app is invalid because it shows permission screen when a user first runs the app. (The app will be removed from the Google Apps Marketplace if our app is not fixed within 30 days) To solve this issue, we have some problems.
Our app uses OpenID Connect to make users login.
Our app also uses Spreadsheet API and Calendar Resource API (OAuth 2.0 Web Application Flow)
So our questions related above is the followings:
1.
Although our app uses OpenID Connect for login, using OpenID Connect forces our app to show the permission screen. Doesn't it meet the best practice below of Google Apps Marketplace?
https://developers.google.com/apps-marketplace/practices#5_use_one-click_single_sign-on
We followed the OpenID Connect document provided by Google:
https://developers.google.com/accounts/docs/OAuth2Login
2.
Since Spreadsheet API and Calendar Resource API don't currently support the authentication method using Service Account with OAuth 2.0, we chose to use the method of Web Application Flow. Our app get the token when users login, but Google said to us that it fails to meet their SSO requirements. To solve the issue, we are thinking to change our app to authorize AFTER login within the app instead (use Web Application Flow method as it is). Does the way meet the SSO requirements? In other words, is it OK to show permission screen if after login?
We will applicate if anyone can tell us good solution to solve these problems.
Thanks,
If you register your scopes in the Google Apps Marketplace configuration screen, and then only request those scopes in the OpenID Connect flow, then the permissions screen should be automatically skipped. Please ensure the scopes match between these two locations.
I took a look in some docs at developers.google and some questions here in stackoverflow and I really would like to found an objective answer about use the Google OAuth Server to authenticate an application and grant access to download docs into a Google Drive account with NO BROWSER interaction.
As far as I could look, docs like "Using OAuth 2.0 for Server to Server Applications", "Using OAuth 2.0 for Devices", answers here, I couldn't found an article saying "Is possible to authorize an application to get files from a common Google Drive account in Devices with no browser...".
Anyone have tried and had success in this jorney?
The Devices flow is meant for applications that run on devices where no browser is present (fancy example could be a wristwatch that shows new G+ notifications) and requires the user to do manual steps on a device that has a browser. Also this is for getting access to data on the user's account.
UPDATE:
As you say you have an embedded application running without a browser available and want to access data on behalf of a user, this is definitely the way to go. This however still needs the user to login (once) on another device with a browser. After you got an access token using this flow, you can then access the Google Drive API either manually or by using some library.
So you want to access data on Google Drive that belongs to a special account and only your application can access it without a browser involved?
A Service Account (the Server-to-Server flow) would be exactly what you need. These however are only for usage on a web server, as otherwise your private keyfile would have to be deployed to a client, where it could easily be extracted.
One thing you could do is use your own web server that fetches data from your Google account using a Service Account and have a client application that only connects to your own web server. This has of course also its downsides, especially when it comes to locking down your web server so no third party clients could access it.
It can be done, but a browser does need to be used. I've successfully gotten OAuth 2.0 working on an IBM i (AS/400, iSeries, System i, whatever the name is today) which doesn't have a browser. I've so far implemented the Calendar and Google Cloud Print APIs.
During the OAuth 2.0 negotiation you will be returned a URL and a code. You need to display the URL for the user to go to, then the code to enter to grant authority for that specific API/scope. I have an example in our documentation here:
http://docs.bvstools.com/home/greentools-for-google-apps/docs/g4g-base-commands/g4gregsvc
But, the issue now is that the drive API is not yet available to devices. But, Google has said that soon it should be.