We have tried various things to get the Google Site Verification API to work, including:
How can I authorize with OAuth 2.0 for google's predictive API in Ruby?
By calling: https://developers.google.com/site-verification/v1/webResource/list using the service account we always get an empty response: {}
When trying the same thing via the web console we get all the websites. We have like 30 websites.
I also had a look at this stackoverflow: Unable to access Google Sites via API, but can via Oauth Playground. Why?, without success.
Why is the body empty?
OAuth 2.0 is not an option for us, as we have a server application.
When using the service account, it will only list the sites that are owned by that service account. If you want to get the sites of a specific user, you must impersonate that user.
I haven't implemented it yet, but apparently you must go to http://www.google.com/a/{your-domain}/ManageOauthClients logged as the user that owns the sites and authorize the client ID of the service account you'll use to access the API, with the appropriate scopes.
This video explains it using Google Drive, but the authentication process is the same.
I'm not sure if this is available for Gmail users.
Related
I am trying to access YouTube Reporting API with a service account. But I am getting a 403 forbidden when trying to do youtubeReporting.jobs().list().execute().
YouTube Reporting API clearly supposed Server-to-server interaction.
Do I need to grant access to Youtube Reporting API for a google service account? If so, how?
FYI : I am not using google app domain.
You could create service credentials in the google console, but those credentials won't fix your issue. According to the docs,
The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Reporting API and YouTube Analytics API do not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate an error.
It is p counter-intuitive-- (not to mention hard to locate)-- this info esp. since conceptually related YT APIs utilize service accounts, see here, and the reporting api actions wouldn't seem to need to be associated w/ a specific user account.
Unfortunately, if you use a service account for the Youtube Reporting API you will still end up with a 403 unauthorized caller error.
Instead, create and use web client google credentials. Store and use the token generated from the flow.
You can do that in the Cloud Platform Console. See https://support.google.com/cloud/answer/6158841?hl=en for details
I'm trying to figure out what I need to do in order to achieve seamless SSO sign up.
When an administrator of a domain installs my google app, all of the users on his/her domain, should be able to sign-in through SSO without seeing any confirmation prompts. I'm looking into documentation on how to set this up:
Instead of displaying a confirmation page, your application should
match the value of the openid.realm parameter in the OpenID request
against the value declared in the application's manifest.
Is there an example of this? Also, I think Google stopped using XML manifest files once they switched from OpendID to OAuth 2.0. If so, how does this whitelist process work with OAuth 2.0?
Should I be utilizing Google Admin SDK?
Since google is moving away from OpenId, white listing instructions are obsolete. Found a blog post about Domain-wide delegation with Oauth 2.0. Google recommends the following:
the recommended authorization mechanism is now to use OAuth 2.0 and
service accounts. Google Apps domain administrators can delegate domain-wide authority to the service account’s credentials for a set of APIs. This results in allowing the application, by using the service account’s credentials, to act on behalf of the Google Apps domain’s users.
instructions on how to set up domain wide delegation - https://developers.google.com/drive/web/delegation
you can find detailed step to achieve seamless SSO sign up at the following url
http://david-codes.blogspot.com/2014/07/how-to-provide-seamless-single-sign-on.html
We have several apps Deployed on Google Apps Marketplace using OAuth 1.0 protocol. According expiration OAuth 1.0 in Google Platform we are trying to migrate all the apps to new OAuth version but we are facing some difficulties regarding background request to Google Admin SDK Directory API.
In our apps we need to request for Domain user accounts, groups and other stuff related Email Domain structure. Until OAuth 1.0 we have been doing this with 2-LO (Two-Legge OAuth) so basically once Admin gave us access we can impersonate request for domain using this mechanism.
After reading all Google Documentation about Google API, Oauth Mechanisms and stuff, and after trying some code test hypothesis too, we haven't figured out yet how can we managed the same concept with OAuth 2 because of the following:
Using Web Server Oauth 2 Strategy simply will not work because in that scenario we would be getting a Domain user Access to Admin SDK. If we keep their access/refresh token pair to later querying Admin SDK and the user is deleted because Domain change it Admin we will be disconnected from flow.
I supposed in that case the best choice was Service Account strategy. The problem with this scenario is the user has to manually configure access to the App in their Admin Console according to the Google's document domain-wide delegation authority (https://developers.google.com/+/domains/authentication/delegation#create_the_service_account_and_its_credentials). This is really awkward for us since we were managing all application installation interactively and we don't want to remove User Experience facilities.
Finally, my questions are:
Is there any way to do domain-delegation authority with OAuth 2 with no manual user configuration, full interactively?
Is there any way to do this without needing user email, which in fact is one of the parameters in Service Account Oauth2 Strategy?
Must we keep 2-LO Authentication for this scenario and do OAuth 2 only for installation Google Marketplace part?
Any comments or guide will be wellcome.
Best,
Certainly - in the latest update to the Google Apps Marketplace, the act of installing an App means the admin doesn't need to do an additional manual step.
You need a way to impersonate a user in a Service Account. Depending on how you implement your application, you might need to utilize the Directory API.
OAuth1 is going away eventually so I recommend you use OAuth2 throughout to simplify your code complexity.
I have an application with users/password (not developed by us) that calls a web service to inform us when a new user is created. This web service should enable us to create automatically a user through the google Directory API service to create an account on the Google Apps For Education.
How can I do that without using OAuth but using only login/password for the admin user of the Google Apps account ?
I know to update CSV file to create/update accounts in Google Apps but would need to create the accounts on Google without doing manual upload and batch.
Thanks for your answer.
The old ClientLogin authentication method for Google APIs is deprecated and is not supported by the Admin SDK Directory API.
You should use OAuth 2.0. Once you have the OAuth 2.0 refresh token for your script, you don't need to reauthenticate the user each time, just grab a new access token if the current one expires.
You may also be able to take advantage of existing applications that already perform the OAuth work for you like GAM.
I just did this exact same thing in a GAfE domain. I needed to create 60,000 accounts quickly, and have them placed in specific organizational units (schools). I'm now putting together a series on how to make sense out of Google Apps for Education using the API explorer and OAuth 2.0.
Basically, you'll need to forget passing user/pass credentials using the API. You'll need to create an OAuth 2.0 ID (web application), and enter a redirect URI (the callback page that will process the request after authorization has been granted). At this point, you'll need to compile a URL string with the following information:
Base URL for the authorization request
data scope
client ID
response type
redirect URI
See the example below:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/admin.directory.user&client_id=your_client_ID_copied_and_pasted_from_the_API_console&response_type=code&redirect_uri=https://www.example.com/callback.php
Once authorization has been granted, you'll be passed a code in the URL that you'll need to exchange for an ACCESS TOKEN using a POST request to https:// accounts.google.com/o/oauth2/token. The response will include the access token that you can then use in your POST request to the directory.users.insert API.
Referring to the document https://developers.google.com/accounts/docs/OAuth2ServiceAccount, was able to obtain an access-token.The above mentioned document doesn't provide any details regarding the API's that can be accessed using Service Account.Can anyone list the API's which can be accessed using access-token obtained from Google service account?
Unfortunately, we don't have an exhaustive list of the support in this area. In general, you should be able to access a Google API if that API does not require the user to do something in a web interface to configure their account before doing API access. Service Accounts can't log in. So if the service needs some interactive input from a user on a Google wesite, often their APIs will not work with Service Accounts. Hope this helps.