OAuth2 tokens for use with Google Analytics API - google-oauth

I have a site that I have tagged using Google Analytics. I can see that the stats are being created and I can analyse them using Google Analytics web tool.
I want to extract my tagging data using the Google Analytics API but all the instructions seem to point me towards the developers console to create my OAuth2 token. My site does not appear in the list of apps that is presented, so I can't do the next step of generating my OAuth2 token.
I feel like I must be missing something obvious, but I am hitting brick wall at the moment. How do I get the site to appear so I can see it in the developers console?

The Google Developer console is for registering your application, this way google knows who is using there APIs. Your Google analytics account wont show up here because well that's not how it works.
Create a new project you will get a client_id and client secrete that are used to identify your application. Then you use a programming language to access the API using the client id and client secret.
I am not a java programmer so i cant help you with that. You mentioned that you want to access your own data. I recommend you look in to using a service account. A service account can be used to grant authentication without having to prompt a user for access. This only works when it is your own account you are accessing and the data doesn't belong to another user. Take the service account email address and add it as a user in google analytics at the ACCOUNT level it must be the Account level. then when you use the service account in your code you will have access.
https://developers.google.com/analytics/devguides/reporting/core/v3/quickstart/service-java

Related

Google BigQuery authentication

I want to use Google BigQuery authentication like other Google services (for example, Google sheet).
The auth of Google sheet works on the scope and makes appear to the user a popup like "The app XXX request the access to your Google Account" and in this popup, you can see what permission needed by the app.
I would the same auth with Google BigQuery but after I read the docs, looks the code of official PHP client, I can't understand how to make this auth. Is this possible?
P.S. Obviously I tried the flow in the google docs with generated JSON from google developer console and it works fine.
What you want to do is not possible. At least in the way you would like.
When using, let's say, "native" GCP products, the OAuth authentication is performed automatically after logging in. This is why you don't are prompted to identify yourself when accessing to your GCS buckets, or when getting into the App Engine Dashboard.
When you want to grant access to an external user to your project, you run the command gcloud auth login. An authorization screen is shown like the one below:
This screen is also shown to "non-native" GCP services, such as BigQuery Geo Viz, Dialogflow, etc. You are prompt to grant access since these are "external" GCP features which interacts with your project's internal info.
BigQuery is an integrated GCP service and does not requires OAuth authentication when used via the UI.
If you would like to interact with the BigQuery API's, I highly recommend you to use the BigQuery Client libraries which do the authentication method much easier.
However, there is a way to grant access to external users. I found the Authorizing API requests doc where it's said that you can get a temporal access token for external users. This is done by following these steps:
Run the command gcloud auth application-default print-access-token in a Cloud Shell session.
Copy the output and paste it in a HTTP request like
https://www.googleapis.com/bigquery/v2/projects/$GOOGLE_CLOUD_PROJECT/datasets?access_token=ACCESS_TOKEN
Note that this could lead to even more effort than the required for Client libraries.
Hope this is helpful.

Google drive oauth api without having to have the user create an app in the Console?

Google Drive API question,
I am writing an application that can view a users' Google Drive files and folders from their google account (can be individual or part of an enterprise).
So on my Google Drive enterprise, I have created an API application. So I have an API key and Secret key stored in my application.
Now I want to use OAuth to authenticate the user so that they can approve my application to read their files. The users will not be part of my enterprise. They can be individual Google accounts, or they can be a single user from an some other enterprise account.
Is this possible? Or are there technical/security reasons this is not allowed?
I just got off the phone with wonderful Google api support agent, and I have my answer:
Yes this is possible to do. however due to the recent phishing attack, Google has put in place new security features that affect the following APIs:
Google drive
Gmail
Contacts
Directory Admin SDK
Here are the new rules:
There is a new security form we will need to fill out and be approved before we will be able to be approved as a trusted app that is able to access these api's using OAuth2 authentication.
Google has provided a feature that many enterprises use that allows an enterprise to completely disable the ability to access these api's using oauth2. So even though we have been approved from step1, we may still get an error for some enterprises who have directly blocked this; however, they can white list us in order to allow it from our enterprise if admin's prefer, while still blocking general use for others.
See links:
https://support.google.com/a/answer/7281227
https://developers.google.com/drive/v3/web/about-auth
https://developers.google.com/identity/protocols/OAuth2
https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

How to grant access to Youtube Reporting API for a google service account?

I am trying to access YouTube Reporting API with a service account. But I am getting a 403 forbidden when trying to do youtubeReporting.jobs().list().execute().
YouTube Reporting API clearly supposed Server-to-server interaction.
Do I need to grant access to Youtube Reporting API for a google service account? If so, how?
FYI : I am not using google app domain.
You could create service credentials in the google console, but those credentials won't fix your issue. According to the docs,
The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Reporting API and YouTube Analytics API do not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate an error.
It is p counter-intuitive-- (not to mention hard to locate)-- this info esp. since conceptually related YT APIs utilize service accounts, see here, and the reporting api actions wouldn't seem to need to be associated w/ a specific user account.
Unfortunately, if you use a service account for the Youtube Reporting API you will still end up with a 403 unauthorized caller error.
Instead, create and use web client google credentials. Store and use the token generated from the flow.
You can do that in the Cloud Platform Console. See https://support.google.com/cloud/answer/6158841?hl=en for details

Which Google API's can be accessed using the access-token obtained using Google Service Account

Referring to the document https://developers.google.com/accounts/docs/OAuth2ServiceAccount, was able to obtain an access-token.The above mentioned document doesn't provide any details regarding the API's that can be accessed using Service Account.Can anyone list the API's which can be accessed using access-token obtained from Google service account?
Unfortunately, we don't have an exhaustive list of the support in this area. In general, you should be able to access a Google API if that API does not require the user to do something in a web interface to configure their account before doing API access. Service Accounts can't log in. So if the service needs some interactive input from a user on a Google wesite, often their APIs will not work with Service Accounts. Hope this helps.

How should I use Google APIs in this scenario?

In our company we run a number of different websites which are being tracked with Google Analytics (GA). Up to this point we have been using the Login protocol and GData to access GA data to display the data nicely on our custom web application dash boarded which we use for tracking traffic on our sites.
Nowadays Google has Google API Console which lets you track your API usage. We want to take advantage of this service to view howmuch APIs we consume. However from what we can understand it requires us to use OAuth for authentication instead of the username and password we currently use to access the data. We don't like OAuth because it redirects the user to Google for authentication when currently the user has no need to know about where the data is coming from and what credentials are needed.
Is there anyway that we could make Google API Console monitor our usage without having to switch from GData and the Login protocol?
You can switch to the OAuth 2 protocol and use a refresh token for offline access. Once you get the refresh token, you can save it to a file or database and use that to access the data without an authorization redirect.
See the docs here: https://developers.google.com/accounts/docs/OAuth2InstalledApp#refresh
Also see where there is discussion of using the refresh token: How can we access specific Google Analytics account data using API?