I am provisioning accounts on my domain with the Directory API.
Right after I create the user, I want to subscribe them to a bunch of calendars as part of their account setup.
Previously, I did this with ClientLogin by authorizing as the newly-created-user (because I knew the password). But ClientLogin has be deprecated.
Is there another way of achieving this?
To answer my own question:
You can do this by using service accounts to authenticate and act on behalf of the user without the user's knowledge.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Related
I am looking to implement a hangouts chat bot for my customers. I am fairly new to the Google ecosystem, so I apologize in advance if some of this is obvious.
Here is my basic confusion:
It looks like in order to access the REST api the chat api requires a service account.
Does this mean that I will have to ask every customer to create a service account using their Google cloud account?
Corollary to the above is: Does every GSuite account have a Google cloud platform account associated with it?
If the service account has to be created, would the customer somehow need to share the private key for that account with me in order for my application to make calls on behalf of the service account.
My end goal is to give my customers a seamless experience where they can choose to
Install my bot in the Google Chat app for their GSuite domain
At the time of install get some information about their domain
Whenever a message is sent to the bot (DM or Room), identify who the message is coming for and in which GSuite domain, and reply accordingly.
Is this possible? Am I missing some very obvious Google concepts?
Thanks in advance.
If your customers have a normal email they can't connect with you. For more information refer this link
Considerations
The service account is used from your bot to access the Google REST APIs. It has a service account for your Google Cloud Project. There is no need for every user to have an service account enabled nor for them to give your their private key (never share private keys).
Approach
You can build and deploy Google Chat Bots directly using Google Apps Script. For your application I suggest you to use the tutorial in this page: https://developers.google.com/hangouts/chat/quickstart/apps-script-bot
Reference
Creating new Bots
I'm trying to figure out which OAuth2 grant to use for my application/saas. Or if OAuth2 is even the correct way to go.
The application:
The purpose of the application is for use and integration with e-commerce. So what I want is for the user is to go to my site and register an account. After the account has been created the user should be provided with credentials with which he/she can acquire an access- and refresh-token. The access-token should provide access to the users OWN resources and preferably use scopes to limit access. The user should the be able to get/post/put and delete stuff from his/her account as if working in the provided administration (SPA).
They should not have to go through the OAuth redirect flow, because they will be using the API from their servers.
My thoughts
First I considered going for the Client Credentials grant. But then I found out that it will not provide access to a user and it's resources.
I've started leaning towards using the Resource owner credentials grant. But I don't put a lot of faith in my users picking strong passwords. And in almost all documentation I can find, everyone seems to not recommend using this grant.
Maybe OAuth is not suitable for my project? Maybe I should go for some API Key which can be traded for an access token?
Any thoughts and/or input?
I've one link which may useful for you.
Link: https://github.com/lucadegasperi/oauth2-server-laravel/blob/master/docs/authorization-server/choosing-grant.md
Came to the conclusion that OAuth2 was not correct for my situation.
In the end I chose to go with a custom solution based on JWT.
First of all, I apologize in advance for my naïveté on the topic.
I am trying to create a few microservices that are exposed using an API gateway. A few of these services will need credentials from Google account to access Google Calendar/Gmail etc.. is there any way for a user to only have to login once so that the credentials are all shared between the services? Or should only one service be facing the Google services with credentials?
It seems possible, you can ask a user to authenticate and authorize all permissions your application will need, all at once. But think about the user, when an application requires to access gmail, hangouts, photos, camera, etc. at once, the user normally disbelieve the application. So, the recommended approach is asking for the specific permission when the application requires it so that the user can realize each action you app do.
There exist many different ways to address your question depending on details, however the following link can help you to know where to start:
This link (Google Sign-in) has a wide context on all the Identity mechanisms to look for the most appropriate for you.
This another one explain all possible Identity mechanisms for specific use cases.
This authentication example for Google Calendar is useful, but this post explain how microservices authentication and authorization was solved.
I have been studying the documentation for the Dropbox API but I couldn't find a way to directly access an account without going to the OAuth process. Is there a way to achieve that?
My final goal is to have a webpage with a list of files and folders from a specific Dropbox account (my own), which can be viewed and downloaded by anyone.
To access a user's Dropbox account via the API, your app will need to be authorized by the user. The Dropbox API currently requires that this authorization be done via the OAuth flow. You only need to perform this step once per user though, as you can store and reuse the access token for each user.
It sounds like you intend to use only one account though (your own), so you can just process this flow once manually yourself, and save and reuse the access token programmatically.
New answer, 9 years later, so probably new changes.
When you create an app in Dropbox, the settings page has a button to Generate Access Token. This will create a permanent token to access your own account without going through the oauth flow.
So I am creating an application for my google apps domain. It will have its very own google apps account associated with it, from which it can store/retrieve/manipulate data.
The application should use this google account alone and the user should have no indication that it is using a google account. Is there a way to programmatically authenticate my entire application and not prompt the user authenticate/authorize?
I think you are looking for two legged OAUTH.
You can generate a OAUTH token and secret in the control panel of Google Apps and assign the authorized scopes to this token/secret pair. For instance, you can authorize access to the calendar of all users in your Google Apps domain using the token/secret.
You can then programmatically access the calendars of all users.
Because this token/secret is authorized by the Google Apps domain administrator, individual users do not need to grant access anymore. That is why this is called two legged Oauth, whereas three legged Oauth requires user interaction to obtain a token/secret for an individual user.
This question on SO might interest you too.