Is it possible to use Google Adwords Api without RefreshToken? - api

I requested RefreshToken from my customer to develop a web page for them by using google adwords Api. They responded my request like that ->
There is no need for Refresh Token to use Google Adwords Api.
Could you please answer me if it is possible or not? If it is possible how we can use Google Adwords Api without RefreshToken?

You only need an access token to access the adwords api that will expire after an hour. You could probably use a service account authentication. If they do give you a refreshToken remember you will also need the client id and secret used to create it in order to get the access token.
It is a also against Google terms of use to share the client credentials. You will need to create your own project and have them authenticate it when they need to access their data. You will then have a refreshToken.

Related

How to generate permanent access token for WhatsApp Cloud API integration

I'm using WhatsApp Cloud API Integration for our company use case and all functionality will be server-to-server API call and I have to generate a Permanent token to call the WhatsApp API to send the message. I have submitted a request to get advance access to whatsapp_business_messaging but it got rejected as we do not have any frontend UI to showcase the implementation. Facebook support team said I do not need advance access if we are implementing WhatsApp API for our own use case. We have also generated the permanent key by creating a system user from the Facebook Business dashboard but the API throws an error that this key does not have permission.
Please guide me on how can a get approval or get a permanent access token to use the WhatsApp Cloud API Integration.
Thank you in advance
On your business setting go to the User(left side menu) and create a system user there. and there you can create the permanent access token.

REST API access from inside SSO

OK so I have an account using SSO credentials and the data within this SaaS app is available via a REST api using OAUTH2 but the API is not SSO friendly or enabled so how do I (if possible) access the data via the API but the only credentials I have are managed by the SSO., I do have my api key and secret and I can generate my access token in python from another non sso account but the sso account even tho I have the username and password I cannot get anything but a 401.. any help?
I might add , I am just an end user and have ZERO access to the actual API or data set but I can create and edit users and access on the SaaS app I cannot however change anything with the SSO or AD
I have tried using username#domain.com/token , I have also tried org\username and password, I have tried requesting different access-types from the OAUTH2 endpoint and the only recognized type is password. And I have tried every combination of the above trying to get the data from the API
If you are trying to access the third party REST API via OAuth2 then you'll need to check with the third party team if you are authorized to access that API, they may have to provide some additional permission to allow the access. If you are getting 401 then you don't have the correct credentials, please verify.

REST API + OAuth + Mobile Flow

I have to develop a RESTful API for a mobile application and I have some concerns about the flow of the communication between those parts. I'm new to the API development for mobile devices and OAuth.
The project in common should work this way:
users are allowed to login using only their Google accounts
the mobile application uses the website API and all the information is stored on the backend
I found a similar question here OAuth on REST API for mobile app and I prefer the first solution from it, but I have some questions about the security of this solution.
1) Should I use OAuth2 for the API? I'm not sure it's a good idea just to send the user's Google ID to the API to get user's data.
2) How can I check on the server that the Google ID is correct and actual? Or it's not important at all?
I'm thinking about this scenario, but I'm not sure it's the best solution:
1) The user logs in on the mobile application for the first time using his Google Account.
2) The mobile application receives Google ID and some additional information.
3) The mobile application sends the Google ID to the server.
4) The server uses OAuth2. It creates an account for the user (saving the Google ID in the database) and returns an access token to the mobile application.
5) The mobile application stores the access token locally and uses it for requests to the server. Once the access token expires, the user has to login in the mobile application again using his Google account.
I have some concerns about using just Google ID for generating a token. I mean, anybody can just use somebody's Google ID to create a token. Bad idea :(
Also should I use JWT better as a token?
Thanks for your help!
You should send the user's id_token to the API instead
There are a couple of different ways in which you can validate the integrity of the ID token on the server side:
a) "Manually" - constantly download Google's public keys, verify signature and then each and every field, including the iss one; the main advantage (albeit a small one in my opinion) I see here is that you can minimize the number of requests sent to Google.
b) "Automatically" - do a GET on Google's endpoint to verify this token
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}
c) Using a Google API Client Library.
As for the workflow, it's mostly correct, except for the last step, where you can instead refresh an access token without prompting the user for permission. Btw, Google's id_token is actually a JWT.

Google+ Sign-in integration with API

I have a website where I was allowing user logins based on my own database. I have migrated this login system to Google+ sign-in and it worked well for UI based login workflow.
My website also allows users to perform some operations through our custom REST API. I want my API users to go through google sign-in as well. Does google provide a standard workflow where our end-users authenticate themselves from google and send auth token to my API?
If there is no standard workflow defined by google, I have thought of hack-ish way where users use google refresh token as API key. I will not store refresh token in DB, rather Users will send the refresh key to my API in form of API access key. API will generate access token from google. Users will use the access token as session key for further requests (for abt 1 Hr). Is it right way to go forward? Is there any security flaw in this?

How should I use Google APIs in this scenario?

In our company we run a number of different websites which are being tracked with Google Analytics (GA). Up to this point we have been using the Login protocol and GData to access GA data to display the data nicely on our custom web application dash boarded which we use for tracking traffic on our sites.
Nowadays Google has Google API Console which lets you track your API usage. We want to take advantage of this service to view howmuch APIs we consume. However from what we can understand it requires us to use OAuth for authentication instead of the username and password we currently use to access the data. We don't like OAuth because it redirects the user to Google for authentication when currently the user has no need to know about where the data is coming from and what credentials are needed.
Is there anyway that we could make Google API Console monitor our usage without having to switch from GData and the Login protocol?
You can switch to the OAuth 2 protocol and use a refresh token for offline access. Once you get the refresh token, you can save it to a file or database and use that to access the data without an authorization redirect.
See the docs here: https://developers.google.com/accounts/docs/OAuth2InstalledApp#refresh
Also see where there is discussion of using the refresh token: How can we access specific Google Analytics account data using API?