I am looking to see how we can allow a user to connect with their Google Analytic's User ID and connect with our app and we can get the information from their account.
I am looking forward to some articles or any library thats build around the same.
I will be using PHP and MySQL. Do you suggest any other Database than MySQL ?
You can start with a database to keep things simple and since you are not looking to store too much of historical data. The link below should get you started with all the required libraries and documentation.
https://developers.google.com/analytics/devguides/reporting/core/v2/gdataAuthentication
Go for the web client based authentication model rather than the service account model.
This will cause the api to redirect your user to google authorization page and your app will be given privileges to user account.
Make sure you save the refresh token when it redirects back to you app.
Please note that the refresh token only get sent for the very first time you app asks for permission and not after that.
Related
I am integrating Google's login Apis on a website, and I need to place the user's details in our databases to use it the next time they login.
Googles developer documents clearly out lines that developers should never store user IDs in a database, instead you should use Token IDs generated by google to auth the legitimacy of the user.
I completely agree with this, but a token's live cycle is only a short period of time. If we insert the token in our databases, the next time the user logs in, they token will be different to that in our database. So how do we auth users via token id with google sign in?
I've read all of googles developer docs https://developers.google.com/identity/sign-in/web/backend-auth and theres nothing specifically explaining this, other than their process of authentication.
Could someone please help who may have had experience in this ?
Thanks alot
This is googles warning
Warning: Do not accept plain user IDs, such as those you can get with
the GoogleSignInAccount.getId() method, on your backend server. A
modified client application can send arbitrary user IDs to your server
to impersonate users, so you must instead use verifiable ID tokens to
securely get the user IDs of signed-in users on the server side.
Googles developer documents clearly out lines that developers should never store user IDs in a database
No, they don’t.
They are telling you that your server should not trust user ids send to it directly by the client - because anyone could easily fake those.
Instead, you are supposed to send the token, that you acquired on the client side, to the server (those tokens can’t be “guessed”, therefor you can not simply fake them) - and then you make a server-side API call using that token, to get the user id.
I have this app that uses data from gmail accounts. I have been able to create a php site that retrieves the oAuth tokens (online and offline) and later the necessary user information from the mailbox, all using the Google php api. Now to my problem:
When a secondary user logs into gmail in a browser that was previously used by an authorized user, the credentials seems to "stay". So the 2nd (or 3rd or nth user) can see data non-related to them, which is also a security hole. But most important: every loged in user into gmail is seeing only the data of the 1st logged in user.
The question: Is there a way I can use Google PHP API or Google JavaScript API to retrieve the user name of the current gmail session?
This is the current php piece of code I've been using to retrieve the user data:
use google\appengine\api\users\User;
use google\appengine\api\users\UserService;
session_start();
$user = UserService::getCurrentUser();
$userEmail = htmlspecialchars($user->getEmail());
The idea is that the app uses the current gmail user information to query a database and then retrieve the data for that specific user - and only that logged in user. If the user is not authorized, then prompt for the authorization window and ask for permission.
Any ideas or suggestions are welcome.
UPDATE (Sept 7, 2015):
I have made a change in the app.yaml so every logged in user in gmail gets served a different uri from my app. That works just fine. Now I face a new issue: how can I make the PHPSESSID and SACSID cookies to use an specific path instead of the whole domain? That way - theoretically - I can have several logged in users each and every one connecting to a different subfolder.
I've read the whole documentation about the UserService but it seems all I can do is redirect to this:
UserService::createLoginURL($_SERVER['REQUEST_URI']);
And that takes care of the authentication.
The question: How can I restringe the scope so the cookies gets the appropriate folder path?
The main issue is that once you log in to App Engine (via the UserService), that a user session has now been created in your App Engine application, and therefore it doesn't really matter what you do in GMail or any other Google application, as the session has already been created, and persists within your application.
The App Engine UserService was available way before secondary logins were even possible, and it hasn't been updated since. So this use case probably wasn't a consideration when the API as developed.
This is a tough question to ask so I hope I can make it clear!
I'm writing a PHP script that access a users Gmail calendar. I first wrote it using Zend and it was fantastic, but found that I have to use the Oauth to get to tasks - therefore I rewrote it for Oauth instead.
In order to use Oauth I have to go to my API console and set up the account and then I have access and everything works great. Here is my problem: I can't ask every single user to go through this somewhat technical step of creating a key and all of that just so my app can work with their Gmail.
Zend was really easy, the user provides me with their name and password and I have access. Now I don't see any way to change accounts using the Oauth method, all of the credentials are for a SINGLE Gmail account (as far as I can tell).
Is there a way to do what I'm trying to do without making the users go through fifteen hoops to allow me access? I would like to register my app and get my keys, then be able to point to ANY Gmail account, the user grant me access, and I'm in. Otherwise each user has to go to the API console in their own Gmail, create branding, create a key and then create a server ID, THEN provide that all to me so I can plug it in and THEN redirect them back to Google so they can say "yes, I accept this". That's a lot of steps to integrate.
I hope this was clear enough :).
That's basically how OAuth works. ONLY the developer that wrote the app needs to register it, get the keys and add that to the configuration.
Users of the app simply get taken to a page (after signing into their Google account) where they will grant access to your app in a single click. Google will remember their decision and the next time will be even faster.
I've been searching for an answer on Google documentations and stackoverflow also, but i did not find answer.
I planned to create application (PHP) which uses google account (ex. admin#domain.com) to store templates of documents. When someone log in to the application using his own credentials (ex. user#domain.com) he can fulfill some form, then PHP application logs into own Google account and store it with data provided by user in new document with template look.
I don't want to redirect user to google and return to application with some token(s). I would like application make some login process in "silent mode" - invisible for user, no redirects.
Simple scheme:
User fulfill form --(sending data to app)--> App logs into own google account (admin#domain.com) --> Get template document --> Fulfill with user's data from form --> save as copy on Google Drive
Can somebody tell me if it is possible?
You should look into the Google Drive SDK.
You will need to rely on tokens (that's how OAuth works and Google Drive uses OAuth 2.0 for authentication). However, you can tackle the problem of "automatic login" by doing something as follows:
For a new user, ask them to provide authorization in a popup window (more details on that here). This is essential because they need to approve permissions and such before you can authorize them.
On successful login, a long-lived token will be returned. Save this token in a database associated with the user.
For all subsequent logins and requests, you can request new access tokens without having to ask the user for permission.
This link talks more about requesting new access tokens once the user has already gone through the initial authorization phase.
Additionally, this link has several examples of login scenarios (client-side apps, server-side apps, etc.) that will help steer you in the right direction.
I am using Oauth to create a way for users of our website to login
using their twitter account. However, It's quite annoying that
everytime they click to sign in with their twitter account they have
to grant access each and every time.
Couldn't it work so that if it has been granted once they don't have
to keep granting access? Therefore removing a step. I'm using the
steps found in:
http://net.tutsplus.com/tutorials/php/how-to-authenticate-users-with-twitter-oauth/
Thanks for any feedback!
I found the answer after talking to some developers on twitterapi irc
Bascially I was going to https://twitter.com/oauth/authorize with all my oauth, what I need to do was go to https://twitter.com/oauth/authenticate instead. That then gives forever authorization.
When the users connects, you receive an access token and a secret token, which are used every time you ask anything to the Twitter API.
If you wan't your users to stay connected to twitter, you only have to save in your database those two tokens. (They are user specific, don't use one token for every user).
When you know these tokens, you don't need to ask the user to grant access, you can directly use them to call the API.
If a user removes rights for your application, you won't be able to use his tokens any more, and you will have to ask him to grant access a new time.
You need to start the token / token secret you get in a database or other long term storage method. Then you pass it into the object that does the OAuth authentication so you don't have to keep asking your user. With PHP you can store them in a MySQL or similar database and load them into $_SESSION when the user logs in to pass the values.