Current Working Flow
I have a web app (developed in wordpress)
I am using google-drive-sdk to upload dynamically generated pdf file to a GMail account.
The GMail account has been configured in the web app giving the
secret key ....
The web app first makes the authentication ===>i.e The GDrive Account is authenticated for the first time by the GMail owner (In Google Permission window the button Allow Access is clicked)
It works fine thereafter when called from the web app - the pdf file dynamically generated gets into the configured GDrive
The Problem
PDF files gets uploaded to the GDrive only for some time.
After sometime it doesn't upload the files to GDrive.
I then tried creating a new token - It again starts uploading files but stops after some time.
This happens only in Staging server.
In my local development system it keeps working fine - uploading the file to GDrive whenever the app is executed.
The difference between both the environment is the GMail Account is different.
If you have any idea on the cause of issue or any pointers would really be helpful for me.
Your application must use OAuth 2.0 to authorize requests. All requests to the Drive API must be authorized by an authenticated user.
The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:
When you create your application, you register it using the Google API Console. Google then provides information you'll need later, such as a client ID and a client secret.
Activate the Drive API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)
When your application needs access to user data, it asks Google for a particular scope of access.
Google displays a consent screen to the user, asking them to authorize your application to request some of their data.
If the user approves, then Google gives your application a short-lived access token.
Your application requests user data, attaching the access token to the request.
If Google determines that your request and the token are valid, it returns the requested data.
Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.
Related
I am using the Google API Playground to auth my PWA and get tokens to upload files to google drive from the PWA.
I'm using the Google Drive API, but the refresh token that I got from the Playground is expiring after one week. This causes us to go through the whole process from playground again.
I don't have this problem with other APIs, such as Dropbox, where the app refresh tokens aren't expiring and can be used to generate a new access token.
I am looking for help in:
Authorizing my PWA and get code in php using curl
Get a refresh token through my PWA without a consent screen
Lets take this step by step
I'm using the Google Drive API, but the refresh token that I got from the Playground is expiring after one week.
I am going to assume that you are using your own client id and client secret within Playground.
If this is the case then the reason it is expiring after a week is that your app is still in the testing phase. To fix that you can go to google cloud console under the oauth2 consent screen and switch your app to prodctuion.
Request a new refresh token and it should not expire.
If you are not using your own client id then the reason its expiring is that developer console is not intended for production use its just for testing. Stop using it in that manner.
Get a refresh token through my PWA without a consent screen
If you only connecting to a single google drive account then you should consider using a service account. A service account is intended for server to server authorization its pre authorized. You can share a folder with a service account and the service account will have access to that folder without requesting a user grant consent. It will just work.
I am creating an application which aims at automatically creating Spotify Playlists in a central Spotify account (not the account of the end users).
I have set up this account and created the developer app for the secret and the client_id.
On the backend side, I am using PHP to authorize this central user, and it is working as long as I am logged in myself with that account.
Users that visit my website should be able to create playlists via that interface through the Spotify Web API without the need to authorize their account nor being logged in at all.
If I'm trying to open the same page on a separate device (without having any account logged in), it just gives me the following error:
User not registered in the Developer Dashboard
Is it somehow possible to perform this authorization process only on the backend side without the need for the user to authorize it?
Eventually, I want to send the playlist URL created in the central Spotify Account to the user who can open it in their own app or share with others, if they want to.
I try to avoid that multiple users must authorize for my app, since I don't need to access personal information from their account, anyways.
I used the 3-step process for authorization as described in this Stackoverflow Post: Spotify oauth2 with PHP curl. How to get authorization code?
If necessary, I will provide more information.
Do you have any idea, how I can implement this authorization process for the single account on the backend side, without the user even showing any authorization process of the Spotify Web API at all?
EDIT1: I am not trying to login on the behalf of my users, just automatically for my own account without the interactive login with Spotify. Is that even possible?
I received valuable feedback from the Spotify Developer Community that helped me finding a solution to the problem.
When you let the central Spotify account login to your app, you'll [get] an access_token (that will expire in 1 hour) and a refresh_token.
When the access_token of that account expires, let your server send a POST request to the Accounts service /api/token endpoint, but use the refresh_token in place of the access_token.
A new access_token will be returned.
A new refresh_token might be returned too. (I don't think that's even needed)
You can read more about it here.
I am creating an react-native-ios app that communicates with a php web app hosted on azure.
How I understand it works:
The user signs up to the app, the server communicates with auth0 server which then returns a JWT token to the php server, saves the token to the database and then sends the token back to the client-device where it is then stored on device.
The user must send the JWT token as a header whenever communicating with the server.
Whenever the user logs out the token is deleted and when signing in, a new JWT must be received.
The user can sign in via using credentials that match what is on the database or sign-in with Google or facebook.
Or is Auth0 just for signing-in with enterprises such as Google or can I use it to sign in to my app also that has login credentials on the database?
I have found the
npm react-native-lock-ios but it doesn't work the way I described above.
In summary, How should I go about this and is what I have explained above correct?
The main problem here is that you did not understand how to work with JWTs. I would advise you to take a deeper look on how this technology works and how Auth0 can help you. But, in summary, this is the workflow for authentication that you must aim:
Your user will choose one of the many identity providers supported by Auth0(e.g. Facebook, Twitter, LinkedIn, SAML, WS Federate and so on).
Your react native app will communicate directly to Auth0 API through the react native lock.
Auth0 will interface with the chosen provider and redirect the user to an authorization page in this provider (case it is needed and it is the first time the user logs in).
Auth0 will generate a JWT and send back to your react native app.
Your react native app will send this JWT to the server (usually on the Authorization HTTP header) when issuing requests to your endpoints.
Your PHP backend will check if this JWT is really valid. This is can be done with Auth0 PHP SDK.
In case the JWT sent has not been tampered (changed irregularly), your backend will accept it as the user identifier and respond the request as expected by your react native app.
As you can see the biggest issue in the approach that you thought you would follow is that the login process does not go through your backend server. It happens on your front-end app (react native) communicating with Auth0 and the identity provider chosen.
JWTs are tokens that hold information (claims) about a subject. These tokens can be validated by anyone that possess a key (public or private). That is, having this key you can validate the token and can rest assured that it has not been changed improperly.
Further more, to answer the question regarding the usage of Auth0 with credentials on your database, you can bet that you can use it. Auth0 provides ways to integrate with your own database to check the existence of a user. This is called a customer user store.
Happy studying.
Scenario:
Someone comes to my website and they see a file select field. They select the file and upload the file to MY Google Drive account.
Problem:
In looking at the Google Drive SDK docs I see that it uses OAuth for authentication, but I don't need to authenticate the user because they are uploading to MY Google Drive account. I'm aware that I need to register my application with Google, etc. but I'd like to know if I can upload without authorizing the user with OAuth the typical way (sending offsite or modal window to validate w/ redirect URL).
Is this possible to do? I'm using PHP.
You have two options:-
Use a Service Account. The files will be uploaded to the account of the Service Account
Use a regular Google account. For this option, you (as the account owner) will need to do a one-off auth to get a refresh token, which you will store. You can then use this any time to generate the access token needed to invoke the actual Drive API. You can generate the refresh token using the Oauth Playground, so no need to write any code.
See How do I authorise an app (web or installed) without user intervention? (canonical ?)
I have recently implemented the SSO functionality for a Google Apps Marketplace app we are developing. In simple words: it provides a way to retrieve the Google Apps' user's email and log him in in your website, without the need of authorization on his end. You just need the consumer key and consumer secret, provided by Google to the app during installation on your domain (the installing user also authorizes (a one time action) any other permissions you request in the Manifest file).
Now I have somehow managed to get the SSO user login working using JanRain's OpenID PHP library and adding Google Apps as provider using the PHP Extensions for Google Apps OpenID Discovery.
However, after logging in, I need to implement a functionality that will retrieve all users in a given Google Apps domain. I've already did that using oAuth2 authentication and the following Directory API. However, this requires the existense of a consumer key, consumer secret and a redirect URL (that must be registered in the Google API console).
Is there a way to remove this convenience and instead allow our users to directly be able to get their Google Apps domain's users, using the existing SSO authentication we made in the background while logging him in? Otherwise, it will be too much hassle for the user to register the app at the Google API console, enter the correct redirect URL and set it up in our website and then he will be able to get his domain's users.
Regular users cannot use the Directory API, you'll need to authenticate as an admin user to make Directory API calls.
Depending on your needs though for accessing all users, you may be able to get by with requesting access to the user's Contacts scope and grabbing a copy of the full Global Address List which contains information on all non-hidden domain users as well as non-hidden groups and shared contacts.