I am going to fetch Google Tasks via API on the server without using the browser but when I am calling the API, it gives me redirect link to authenticate the application as in the documentation here.
I don't want the redirection to browser, verify the application, and get the auth code. I just need to get the auth code when I call the API.
Is there any way to do it?
Answer
There is no way to achieve that using a normal account. You will have to use a Service Account.
Service Account
A Service Account is a special type of account which is used to execute API calls as a non-human user. So if you don't want any human user interaction during the authentication process, this would be the best way to go. Accordingly with the OAuth2 specification, this account will use a JWT (Json Web Token) to authenticate its API call. The Google API provides you with the scaffolding to use the Service Account credentials to build your services as you were doing with a normal account.
Further Reading
Here some recommended further reading and examples on Service Accounts
Understanding Service Accounts
PHP Service Account Sample
Related
I am referring to these documents
https://developers.google.com/apps-script/api/quickstart/php
https://developers.google.com/apps-script/api/how-tos/execute
for this implementation.
These document explains examples with Auth2.0. Since I am using GCP project for this implementation, i want to use service account of my GCP project for authorization.
I have used GCP service account to use SpreadSheet Apis and its works great.
After brain storming I have finally got answer that : service accounts are not allowed to access the Execution API.
I dont want to Auth method for this implementation and service account not supported by this API.
Question: Is there any other potential way to do this.
Try running the script via an API request with the proper API Client Library. The client should be authenticated in order to perform the request successfully. The Client Libraries support several methods for making authenticated calls to the Google APIs.
We have an app that uses the OAuth2 Google sign-in system and we want to store data from the users that sign in into our app on our back-end during the initial registration.
This is the way we got it set up:
Users signs in with the app using Google sign-in
We get an ID Token and send this to the server
On the server we verify this token is valid using Google library and save the info we get back from the verification
We also need the user to be able to update/insert data into the back-end when he's authenticated.
After the initial registration, how do we do this?
Do we send the ID Token from client to server each time they call the API on our back-end? In this case how to handle expired tokens?
If you want to make your API a first-class citizen in your system and have it require access tokens that are specifically issued to it instead of accepting Google authentication related tokens that were issued to your client application then you need to have an authorization server that specifically issues tokens for your API.
This authorization server can still delegate user authentication to Google, but then after verifying the user identity it will issue API specific access tokens that better satisfy your requirements, like for example, including specific scopes then used by your API to perform authorization decisions.
For a more complete description of this scenario you can check Auth0 Mobile + API architecture scenario.
In this scenario you have a mobile application ("Client") which talks to an API ("Resource Server"). The application will use OpenID Connect with the Authorization Code Grant using Proof Key for Code Exchange (PKCE) to authenticate users.
The information is Auth0 specific and you can indeed use Auth0 as an authorization server for your own API while still maintaining Google authentication support, however, most of the theory would also apply to any OAuth 2.0 compliant provider.
Disclosure: I'm an Auth0 engineer.
I've worked on several websites few years ago and I want to be up-to-date with "the new web" so I'm working on a website using Laravel and Lumen to practice.
I have an architecture like that:
An API using Lumen (with databases: users data, user preferences, …)
A website (without database, this part just ask to the API some data and allow the user to be connected to his account)
Currently everything in my API is public: retrieving users, deleting accounts, searching users, etc.
The problem is that I don't know how to allow situations like that:
Allow my website to execute actions calling the API (call private routes on my API)
I would like to have some routes public on my API (the easiest part, it's done actually)
I would like to allow external users to call my API if they have a valid token (Google analytics, Bugsnag like services)
I'm thinking about services like Google analytics, Bugsnag, …: this services ask the user to put a token/key in Javascript. Is it a problem if someone take the token and use it on his personal website and/or in a mobile application?
I've read about o-auth 2, is it the place to start?
Thanks!
I suggest you to try for:
Allow my website to execute actions calling the API (call private routes on my API)
JWT Authentification (JSON Web Tokens).
How do JSON Web Tokens work?
In authentication, when the user successfully logs in using his credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can be also used), instead of the traditional approach of creating a session in the server and returning a cookie. Read more about jwt
Use this JWT-AUTH for connection jwt mechanism with lumen/laravel.
I would like to allow external users to call my API if they have a
valid token (Google analytics, Bugsnag like services)
For that task I suggest you to use OAuth 2.0 protocol
I'm trying to implement Google Drive API. They have quick start example here which is using Google OAuth 2.0. Using for a web application where user will use drive api for creating folder and save files, edit files etc.
Now the problem is OAuth 2.0 is redirecting the page and for authCode and then back to callbackUrl again ie. the usual way. Is there any way so that I can get the authCode without redirecting the url, by using cURL or some library that can do that without redirecting.
I'm using PHP for this app.
We currently offer an alternative flow for installed apps that doesn't redirect back to an app but outputs the exchange code. In order to be sure that user is explicitly giving permissions to your application, we need to intercept the flow for a user action.
If there are no end users involved in your use case, you may like to take a look at the service accounts: https://developers.google.com/accounts/docs/OAuth2ServiceAccount Service accounts also provide impersonation for Google Apps domains.
I need to create an external php web application (PHP) to connect to Google Drive using the API. Problem is that the quick start example illustrates that the user has to visit a url to obtain an authorization code to complete the authorization. Is there a way to achieve the authorization automatically without any user interaction. I need to basically copy an existing doc template automatically via the web application.
This is not possible without authorization, but is possible without user interaction. Please see the Drive SDK documentation sections on domain delegation and service accounts. Service accounts is likely what you need.