Google script web app running as me - identify actual user - authentication

I have a Google Apps Script deployed as a web app. It is configured to run as me, as it creates and amends events on my calendar and uses a Google sheet of mine as its data store.
There is a requirement that users are NOT required to have a Google (or any other specific type of) account to log on, so I have written a bespoke login function.
The problem I have is reliably identifying the user session.
User properties/cache doesn't work as the user is me for all users.
Is there a way I can identify something unique about the actual user to identify their session?
I understand that web apps run on Google's server and that I have no access to the user's browser so cookies and similar technologies are not an option.

Related

Programatically (Windows Service c#) Upload file to Microsoft One Drive without User Login?

I would like to upload files to Microsoft One Drive using c# and shared to some of my friends on weekly basis.
I have tried few things but when using Authenticate API, browser shows login prompt.
So I would like to upload them without login, because I am uploading these files through Windows Service, which is running in background.
Please suggest the best way to do that.
You'll need some user interaction to gain initial consent for your application to operate on the user's behalf, however as long as that process gives you a refresh token you'll be able to use that in your service to get current tokens without user interaction. It will eventually expire so you'll need a way to notify, and interact with, the user on occasion.
You'll need to ask for the offline_access scope to get the refresh token, see:
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/msa-oauth?view=odsp-graph-online#authentication-scopes

Locally authenticating someone who's only used Oauth2.0

Is it possible to locally authenticate a user who has only logged onto my website using Oauth 2 (maybe using Google or Facebook)?
Say a user has only ever logged onto my app using Oauth 2 (ex. Google) and one day decides to log on locally (via email or username and password), he wouldn't be able to log in because you can't access a users password via Oauth.
For example, by using Oauth 2, I may only have stored his Google_id and his display name in the database. He probably doesn't even know his Google_id in the first place.
Can he log in locally? I know the situation I just made would make it impossible, but is there a way to structure your database so that the user can log in either locally or with Oauth 2 and access the same account?
Also, wouldn't this be the case if he decides to log in using Oauth 2 via Facebook instead of Google?
If anyone could shed light on this for me I'd be very grateful!
I only worry because if a user log on via Oauth 2, makes a lot of progress on my website then logs in locally or via a different social media platform (via Oauth 2), they would be confused and possibly falsely believe their data has been lost.
I'm using SQL and Node.js (Express), not that it matters.

How to tie an account from a backend server to a google assistant user

I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.

Login functionality from my platform INTO other sites?

I am creating a software-platform in Symfony3 (a PHP framework). In this platform, there needs to be a page with links to approximately 20 different websites (among others: Google Analytics, Google TagManager, Rocket.Chat)
My goal is to enable the following functionality:
Upon having clicked on one of these links that are in my platform, I want to redirect the user to that particular site, while having them logged in.
So for example:
There is a 'link' to Google Analytics and when being clicked, the user needs to be redirected to their campaign within Google Analytics.
Note: The username/password that will be used to perform this login will be the same throughout all the different sites. We have a database with these credentials for each user, which we want to use to login to those different services.
I was thinking about using cURL, but this would not be a universal technique. (and bring forwards many security implications)
Another option would be to use the Google API to perform an authentication, but I could not find such functionality. (Normally, it is the other way around: logging into your platform by means of a google account)
I look forward hearing from your input!
Kind regards,
Jeroen

How to publish google apps script to cloud for public?

I have a apps script that uses bigquery service to fetch data from my bigquery account and builds visualizations/tables etc. I publish the app with following options
Execute App as: User accessing web app
Who has access to this app: Anyone
When I open the link (one ending in exec not dev) in chrome incognito, I expect it to show the web app but it asks for google credentials.
When I entering credentials of my other (different from the one hosting the project) account, I get a permissions error.
I added this other account from my primary one under permissions option of google console - even that wasn't enough.
I had to create a dummy project as this other user to accept the invitation from my primary account. After that the app showed up on this other account.
My question is, how do I publish my app for the consumers (even public) of this info without them having to create dummy project/accept my invite etc?
Thanks
You have two errors:
1) Publish to run as you not the user, and2) make it anonymous access. *
People might consume your daily/per second quotas thou.
(*) anonymous access option might not be present if the google apps administrator disabled anonymous sharing in the console.