I have looked for many solutions here but they are old and don't have a clear answer to my problem. I have successfully created events using OAuth2 everything works perfectly. I am looking for the server to perform the authorization itself, which would allow it to avoid manual authorization each time.
I tried to use a service account to "impersonate" a user but it doesn't work. What I have read from Google is:
About authorization protocols: Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported.
Furthermore, it states:
In enterprise applications you may want to programmatically access
users data without any manual authorization on their part. In G Suite
domains, the domain administrator can grant to the third party
applications domain-wide access to its users' data — this is referred
as a domain-wide delegation of authority. To delegate authority this
way, domain administrators can use service accounts with OAuth 2.0.
And
The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario, you need a service account, which is an account that belongs to your application instead of to an individual end-user.
So, from what I have read, we have to have a G Suite account. The service account will be used for required functionality. Is this right? Do I really need a G Suite account? Is there any other way of handling a simple user G Mail account or even a service account?
The service account will be used for required functionality. Is this right?
Yes, indeed you DO need a service account for server to server authorization using oAuth 2.0 , more information about that here.
Do I really need a G Suite account? Is there any other way of handling a simple user G Mail account or even a service account?
No, you do not actually need to be a G Suite user for having a service account. You can create one through the Google Cloud console. More information about how to do that here. You do not need to grant G Suite domain-wide authority to the service account (and thus do not need a G Suite account) to achieve what you are looking for.
Related
I am going to fetch Google Tasks via API on the server without using the browser but when I am calling the API, it gives me redirect link to authenticate the application as in the documentation here.
I don't want the redirection to browser, verify the application, and get the auth code. I just need to get the auth code when I call the API.
Is there any way to do it?
Answer
There is no way to achieve that using a normal account. You will have to use a Service Account.
Service Account
A Service Account is a special type of account which is used to execute API calls as a non-human user. So if you don't want any human user interaction during the authentication process, this would be the best way to go. Accordingly with the OAuth2 specification, this account will use a JWT (Json Web Token) to authenticate its API call. The Google API provides you with the scaffolding to use the Service Account credentials to build your services as you were doing with a normal account.
Further Reading
Here some recommended further reading and examples on Service Accounts
Understanding Service Accounts
PHP Service Account Sample
I want to read emails of a #gmail.com email account. I've gone through the guides and code samples and I keep getting the Client is unauthorized to retrieve access tokens using this method error message. I can access the data using the OAuth2 3 legged method.
I also have a G-Suite admin and G-Suite organisation domain and emails. With these emails, the code works and I can retrieve the emails.
So, why can't I make it run for my personal gmail account (Non G-Suite)? Do I have to somehow authorize this service account in my gmail account? I haven't seen anything about it.
Please advise!
Thanks.
The short answer : No, you can not use service account with a classic gmail account. Use OauthID instead.
The fact that you were talking about service account made me think about a misunderstanding of the differences between managed account and gmail account, concerning the APIs.
Indeed, with a domain managed google account, you have the possibility to use a service account. You will create a project, an ID, and you will allow a Domain wide Delegation (DwD) for this service account, to your domain, with no restrictions except the Apis it will be able to use.
In the case of a gmail account, this is far different, as you can not have a DwD on gmail.com (or maybe you are CIA ..)
The best option here, is to use an Oauth ID. It's an authentication that depends on the consent of the concerned user.
You can read about this here
The approach is lightly different but the result will be the same, as the user can give a consent ad vitam aeternam.
Do I have to somehow authorize this service account in my gmail account?
Yes. Based from this documentation, if your application runs in a Google Apps domain and accesses user data, the service account that you created needs to be granted access to the user data that you want to access. Please follow through the given documentation for the steps that must be performed by an administrator of the Google Apps domain.
You have encountered Client is unauthorized to retrieve access tokens using this method error because the service account needs to be authorized or it can't access the emails for the domain. See this link.
I am trying to access events from google calendar and I came across on solution
here, This script require google service account, I have one doubt is google service account is free or require Google Work account for my application ?
Discussed in Delegating domain-wide authority to the service account and shown as the best alternative:
If you have a Google Apps domain—if you use Google Apps for Work, for example—an administrator of the Google Apps domain can authorize an application to access user data on behalf of users in the Google Apps domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Apps domain would use a service account to access the Google Calendar API on behalf of users. Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account.
Furthermore,
To delegate domain-wide authority to a service account, first enable domain-wide delegation for an existing service account in the Service accounts section of the Developers Console's Permissions page or create a new service account with domain-wide delegation enabled.
Lastly, setting up of service account is is automatically done upon creating your project while your application runs on Google App Engine.
There are two different types keys for " Service account credentials " JSON and P12
Please, which one is indicated to work with "Google MC Funnels API"?
Either can be used with MFC API. Service account credentials and Oauth2 credentials have nothing to do with the which API you can access. Except with regard to some APIs which don't support service accounts (YouTube API , and blogger to name two). Service account and Oauth2 are all about gaining access to the data you need.
Service account p12 file
Service accounts are used to access data you the developer have access to. If you want to grant someone else access to see your Google Analyitcs data you would use a service account. Setup will require that you take the service account email address and add it as a user at the account level in the google analytics website admin section. it must be the account level.
Oauth authentication Json file
Oauth2 will request a user give your application permission to access their data.
I have created a server side application in PHP that's supposed to work with Google Spreadsheets.
I'm able to authenticate successfully with OAuth 2.0 authentication, but when requesting the list of the spreadsheets from Google, I only get the spreadsheets shared with the service account by the spreadsheet owner.
Is there a way that service account could retrieve all the spreadsheets owned by my main account not the service one, including those not explicitly shared with the service account?
Also I still want to keep the spreadsheets private so noone can access them without my permission, but I need the service account to have full access to both existing and new spreadsheets.
Any advice is appreciated.
Here is a sample script that uses a service account to read the contents of a Google Spreadsheet's sheet. Have a look at the README for instructions to set it up:
https://github.com/juampynr/google-spreadsheet-reader
You have to change approach:
Create a service account in Drive. You can manage and use this account only with the API (not with the web interface as usually)
With the Drive API you can list, create, update, delete and change the permissions of the files. When you create a new file, you can share it - always with API - to the users you want, make the new file public or change the ownership.
Please take a look: https://developers.google.com/drive/v2/reference/permissions
I am assuming you use Google Apps and not a personal GMail account. You can use your service account to impersonate your main account.
Note that here I am talking of a service account in the way Google means it : a private key (in p12 format) and an identifier. This is not a Google Apps account used for technical purposes. More information here.
This is done by :
Authorizing your service account on your Google Apps domain
Modify the code you use to generate the API credentials
The steps are exactly the same for the Spreadsheet API and for the Drive API.
To first authorize your service account to impersonate the domain users, you can follow this documentation. Here are the basic steps. You must be a domain super administrator to perform this task.
Go to your Google Apps domain’s Admin console : https://admin.google.com
Select Security from the list of controls. If you don't see Security listed, select More
controls from the gray bar at the bottom of the page, then select
Security from the list of controls.
Select Advanced settings from
the list of options.
Select Manage third party OAuth Client access
in the Authentication section.
In the Client name field enter the
service account's Client ID. In the One or More API Scopes field
enter the list of scopes that your application should be granted
access to. In your case that would be at least the Spreadsheet API scope : https://spreadsheets.google.com/feeds
When this is done, you need to update your code so that it impersonates your main account :
$key = file_get_contents($SERVICE_ACCOUNT_PKCS12_FILE_PATH);
$auth = new Google_AssertionCredentials(
'YOUR_SERVICE_ACCOUNT_EMAIL',
array('https://spreadsheets.google.com/feeds'),
$key);
$auth->sub = 'yourmainaccount#domain.com';
You can then use the $authvariable to generate the OAuth tokens you need to access the spreadsheet API. I am not sure which client you use for this so the way you inject the access token will depend on which client you use.
Also, note that this token will expire after 1 hour, and then the API will start returning Session Expired errors. If your client does not handle this automatically, you will need to catch the error and regenerate the token.