What we want to do is to use Spreadsheet API and Calendar Resource API and to access to the API with 2-legged OAuth.
(Most likely, Service Account Authentication method in OAuth 2.0 is similar method. <2LO
To use these API, we tried Service Account Authentication method and successed in it.
However, the way of authentication with Service Account is not on the documents below. As for Spreasheet API, it should be used with OAuth 1.0 if implementing 2-legged OAuth. In terms of Calendar API, it should be used with 3-legged OAuth.
The success of retrieving data with Service Account is good for us and we ant to go on with it. But since the document doesn't tell us the way, we are confused if this is correct way. Can you tell me the way is whether formal admitted way by Google?
Spreadsheet API:
https://developers.google.com/google-apps/spreadsheets/?hl=ja#about_authorization_protocols
Calendar Resource API:
https://developers.google.com/admin-sdk/calendar-resource/auth
Thanks,
All Google APIs now support OAuth2, including service accounts. The documentation for these APIs hasn't been updated to reflect the change, but it should work correctly.
Related
I want to use the Genius API on my Retool frontend. However I am rather new to using APIs and lack the knowledge on how to do the authorizations for APIs in general.
My questions are below:
Which type of authorization does Genius use, can you tell given the below screenshots of the APIs details? I asume OAuth 2.0
On the retool Resources setting form, under OAuth2.0 they ask for a couple of properties under Authenication, where do I get these:
Authorization URL
Access Token URL
I am building a restful API that allows users to access and manage their own resources programmatically (via CURL/HTTP) instead of using the dashboard we provide.
I have my own authorization server and resource servers so there is no 3rd party involved. I am torn between using OAuth 2.0 and simple API Keys. OAuth 2.0 seems like an overkill, yet I don't want to release a public API then change the authorization method in the future.
Is it possible to build a hybrid solution where users can log-in to the dashboard, generate a "refresh-token", specify the scope, then copy this refresh-token and use it in their own code to call the /token endpoint and get an access token?
This would be similar to OAuth 2.0 except that the authorization step is done directly by the authenticated user on the 1st party dashboard. Is this a legitimate solution? Do you have any other recommendations?
OAuth2 is to outsource user/password/MFA management, integration with social logins. You seem to manage users in your dashboard already. On that basis, issuing a manual access token as you described works, provided you sign it and the verify signature in the api/resource servers.
I am trying to access YouTube Reporting API with a service account. But I am getting a 403 forbidden when trying to do youtubeReporting.jobs().list().execute().
YouTube Reporting API clearly supposed Server-to-server interaction.
Do I need to grant access to Youtube Reporting API for a google service account? If so, how?
FYI : I am not using google app domain.
You could create service credentials in the google console, but those credentials won't fix your issue. According to the docs,
The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Reporting API and YouTube Analytics API do not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate an error.
It is p counter-intuitive-- (not to mention hard to locate)-- this info esp. since conceptually related YT APIs utilize service accounts, see here, and the reporting api actions wouldn't seem to need to be associated w/ a specific user account.
Unfortunately, if you use a service account for the Youtube Reporting API you will still end up with a 403 unauthorized caller error.
Instead, create and use web client google credentials. Store and use the token generated from the flow.
You can do that in the Cloud Platform Console. See https://support.google.com/cloud/answer/6158841?hl=en for details
I am struggling with understanding how to implement the following in Web API 2's OWIN pipeline.
I am building an application that will allow users to log in with several third-party identity providers such as Facebook, Twitter, LinkedIn, etc. However, I want the authentication step to be performed entirely client-side. For example, Facebook provides developers a snippet of markup and JavaScript that perform the authentication within the browser, resulting in a Facebook access token--all without any calls to my API.
The Web API templates that ship with Visual Studio 2013 all seem to assume that the API itself is in charge of the authentication flow. I have successfully gotten this style of authentication working, but in my opinion it is not the responsibility of the API to perform this work.
Here is the approach I have been trying to implement (so far unsuccessfully):
Provide endpoints like /authenticate/facebook that accept the appropriate access token and return a JWT with "decoded" claims if the access token is valid. This JWT would have similar claims regardless of the third-party identity provider. For Facebook, I think this involves a call to Graph API's /me endpoint.
Store the JWT in the browser's localStorage for subsequent API calls
Send the JWT in the Authorize header for each API call
Avoid cookies if at all possible
My questions:
Is this an appropriate way to handle third-party authorization?
Should the JWT's expiration match the third-party access token's? I assume yes, but I want to be aware of any caveats here.
Where and how do I store the third-party access tokens for use on subsequent API calls? Do I include them with the JWT?
Is there a template I can use out-of-the-box, or perhaps an online resource that implements authentication and authorization in this way? I don't understand how to use Web API's many classes and features to implement this.
I have this mostly figured out now. I believe my architecture choice is the correct one after much research, specifically into the so-called "assertion flow." I am using Thinktecture's Identity Server 3 project to act as my STS. I am using a custom implementation of ICustomGrantValidator to perform the validation of the Facebook access token and conversion to claims.
Referring to the document https://developers.google.com/accounts/docs/OAuth2ServiceAccount, was able to obtain an access-token.The above mentioned document doesn't provide any details regarding the API's that can be accessed using Service Account.Can anyone list the API's which can be accessed using access-token obtained from Google service account?
Unfortunately, we don't have an exhaustive list of the support in this area. In general, you should be able to access a Google API if that API does not require the user to do something in a web interface to configure their account before doing API access. Service Accounts can't log in. So if the service needs some interactive input from a user on a Google wesite, often their APIs will not work with Service Accounts. Hope this helps.