My app is looking for events in facebook in a particular city by https://graph.facebook.com/search?q=Sity&type=event&access_token=[..] and publishes the data found on another site.
To search for public events in the marker is now required Facebook access token.
How can I get a long token that my application was looking for events without requiring additional permissions to users?
Thank you very much for your help.
Get an app access token – https://developers.facebook.com/docs/authentication/applications/
Related
Should I use a Service Account or an OAuth 2.0 Client ID?
I'm struggling to understand Google's documentation on authenticating for their APIs. I'm creating a basic application that will help users add and modify Google Calendar events for a single Google account (the account is shared between all users). I only need the application to access that one account, it'll never need to access any others.
It seems to me that Service Account would be best for this, but Google's documentation suggests Service Accounts should only be used for automated processes (unless I'm misunderstanding). For instance this page contains the following, describing when to use Service Accounts.
Would my application qualify as acting on the users behalf?
If so, I would want to use OAuth Client ID credentials, which will ask the user to sign in to a google account. In this case, is there a way I can guarantee they only sign in to the one account I want modified?
I can't find any decent documentation on the OAuth authentication requests to figure this out myself. If there is any could you point me there?
I'm sure I'm misunderstanding something basic here, but thank you for any help!
First off you should know that you can only use service accounts with Google aclendar api if you have a google workspace domain account.
You can then set up a calendar and a domain user that the service account can act on behalf of to control the access of that calendar.
Assuming that your application is going to preform all actions on this calendar then yes i would say that you could use a service account for this. If your app bacly has a ui with a calendar on it your just using google calendar to store the data.
However if you intend to share this calendar with the users themselves, this way they could see it within their own google Calendar account. Im not sure a service account would be the way to go.
If you want the users to be able to see it and make changes then you may want to just use Oauth2. Grant them access to the calendar and then request access to their calendar account.
Drawback to that option is going to be the verification process. You will get access to all the users calendars and your going to need write access.
If you can go with a service account you really should consider it it will save you a lot of hassle with verification.
I want to get all the sign up & sign in with Google events of my Google Workspace users using API.
I can see the Tokens activity from my Google Workspace admin account, under the audit log (https://admin.google.com/u/5/ac/reporting/audit/token), but it's limited to first sign ups, and doesn't show any of the following sign in events of my users.
Is there any way to see all the events related to third parties sign ins / sign ups of my users? is there any place that lists the summary of all of the third parties linked to users in my organization?
As far as a summary, you can retrieve a list of applications authorized by your users using the Directory API tokens.list method.
Unfortunately when it comes to OIDC sign in events, there currently is no way to see when users are logging into a 3rd party application. You will see activity events for tools accessing Google APIs, but not for login.
I guess you could use tokens.delete to revoke access, making the users re-authorize to log in again (which will be logged). But that's a rather heavy handed approach.
I think I've found what you're after:
https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-tokens
You can use this api call to retrieve all authorization events for third party applications.
The general format of such requests is below (parameters are surrounded by a double asterix)
GET https://www.googleapis.com/admin/reports/v1/activity/users/all
/applications/token?endTime=**end date**&startTime=**start date**
&maxResults=**maximum number of events returned on a response page**
Hopefully this gets you the info you want. I don't have access to a google admin account myself so I can't test this api call.
I have a platform that allows people to sign up/log in with their Google account.
Inside the platform, there is a calendar feature where people can connect their Google Calendar and share the data between our app.
I'd like to know if there's a way to separate google calendar with the normal login stuff, so when they sign up with Google, we won't be asking for their Google Calendar permission. Once they are in the app, if they want to connect their Google Calendar, they can do so by clicking another button.
Currently, the 2 things are linked together and I'd like to separate them.
My app is https://clascity.com/
Any help is greatly appreciated!
Just because you use Google signin (openid connect) does not mean that you have permission to access the users Google calendar data.
Google calendar data is private user data, you need specific permission to access the users calendar data, you cant just let them login without asking for permission to access the data you need to access. The user needs to know what data you will be accessing and accept that specifically though the authorization form that google supplies.
Yes, in fact, what you are suggesting is considered a best practice [1]. Use incremental authorization as described here [2].
[1] https://developers.google.com/identity/protocols/oauth2/policies#unbundled-consent
[2]
https://developers.google.com/identity/sign-in/web/incremental-auth
My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.