I am trying to access events from google calendar and I came across on solution
here, This script require google service account, I have one doubt is google service account is free or require Google Work account for my application ?
Discussed in Delegating domain-wide authority to the service account and shown as the best alternative:
If you have a Google Apps domain—if you use Google Apps for Work, for example—an administrator of the Google Apps domain can authorize an application to access user data on behalf of users in the Google Apps domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Apps domain would use a service account to access the Google Calendar API on behalf of users. Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account.
Furthermore,
To delegate domain-wide authority to a service account, first enable domain-wide delegation for an existing service account in the Service accounts section of the Developers Console's Permissions page or create a new service account with domain-wide delegation enabled.
Lastly, setting up of service account is is automatically done upon creating your project while your application runs on Google App Engine.
Related
I want's to send invitation email's in Lumen.
Currently using: https://github.com/spatie/laravel-google-calendar
This package is in Lumen (Laravel micro framework).
I have completed all the Google API related steps given in this package. But still getting Google exception as
"message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
Even though I have enabled domain wide delegation in service account.
Also had doubt, Is it compulsory to have gsuite account? I am just trying with my normal gmail account.
I have looked for many solutions here but they are old and don't have a clear answer to my problem. I have successfully created events using OAuth2 everything works perfectly. I am looking for the server to perform the authorization itself, which would allow it to avoid manual authorization each time.
I tried to use a service account to "impersonate" a user but it doesn't work. What I have read from Google is:
About authorization protocols: Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported.
Furthermore, it states:
In enterprise applications you may want to programmatically access
users data without any manual authorization on their part. In G Suite
domains, the domain administrator can grant to the third party
applications domain-wide access to its users' data — this is referred
as a domain-wide delegation of authority. To delegate authority this
way, domain administrators can use service accounts with OAuth 2.0.
And
The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario, you need a service account, which is an account that belongs to your application instead of to an individual end-user.
So, from what I have read, we have to have a G Suite account. The service account will be used for required functionality. Is this right? Do I really need a G Suite account? Is there any other way of handling a simple user G Mail account or even a service account?
The service account will be used for required functionality. Is this right?
Yes, indeed you DO need a service account for server to server authorization using oAuth 2.0 , more information about that here.
Do I really need a G Suite account? Is there any other way of handling a simple user G Mail account or even a service account?
No, you do not actually need to be a G Suite user for having a service account. You can create one through the Google Cloud console. More information about how to do that here. You do not need to grant G Suite domain-wide authority to the service account (and thus do not need a G Suite account) to achieve what you are looking for.
There are two different types keys for " Service account credentials " JSON and P12
Please, which one is indicated to work with "Google MC Funnels API"?
Either can be used with MFC API. Service account credentials and Oauth2 credentials have nothing to do with the which API you can access. Except with regard to some APIs which don't support service accounts (YouTube API , and blogger to name two). Service account and Oauth2 are all about gaining access to the data you need.
Service account p12 file
Service accounts are used to access data you the developer have access to. If you want to grant someone else access to see your Google Analyitcs data you would use a service account. Setup will require that you take the service account email address and add it as a user at the account level in the google analytics website admin section. it must be the account level.
Oauth authentication Json file
Oauth2 will request a user give your application permission to access their data.
My boss registered an Google Analytics account and shared his website Analytics account with me.
Now I have the authority to see all data about the website. I want to use the Google Analytics API to request data from Google Analytics with my php script.
Authorization is done without any problems, until the script tries to access data. The return code is 403, and error message is :
User does not have any Google Analytics account。
This will depend on what method of authentication you are using.
Oauth2:
When your PHP script pops up and asks a user to authenticate the Google account the user users to authenticate must have access to a Google analytics account. In this case it doesn't. Note: the user is only going to be able to see there own Google Analytics data not date for your website unless your boss goes and grants them access as well.
service account:
In the event you are using a service account to authenticate. The service account by default doesn't have access to any Google Analytics accounts you need to grant it access just like your boss granted you access. Take the service account email address from Google Developer console and add it at the ACCOUNT level it must be the ACCOUNT level to the Google Analytics website. then the service account will have access to the data for that account.
I am using Google Api v3 (PHP Libraries) and wish to add an event to a user's calendar in our Google Apps domain. I have created a client ID in the Google Developer console and have granted access to it under Security in our Google Apps Admin Console. However, the event will only insert into a user's calendar if the User has previously granted access to the developer account. I do not wish every user in our domain to have to grant the developer account access to their calendar.
Is it possible under API v3 to be able to seamlessly add an event to a user's calendar?
Granting domain-wide delegation to your service account in the Google Apps Admin Console doesn't give it access to everyone's calendar. Instead it allows the service account to impersonate any given user within your domain, and then make requests as that user.
In the PHP client library you can impersonate a user by setting the sub field on the Google_AssertionCredentials object you created.
$auth->sub = $userEmail;
We don't have a complete sample showing this for the Calendar API, but the Drive API documentation includes a sample, and the process is identical.