I'm just getting started porting my old code over to the new google apps json service but I'm not clear on the oauth.
I'm looking at:
https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites
It says:
"Set up a new project in the Google APIs Console and activate Admin SDK service for this project. See the Google APIs Console Help in the upper right corner of the Console page for more information about creating your API project. "
My product gets installed at each client location. Do I create the app using my key then distribute this to my customers or do I use their key in my app that runs at their site? Do I also need to enable the admin SDK in addition to enabling API access?
Do I create the app using my key then distribute this to my customers or do I use their key in my app that runs at their site?
Do they have access to the source code? If true then it will be known to them.
Whether it is your key (an API project owner by you) or theirs depends on the kind of software you offer (tailored or common service (webapp?)) and who will be responsible of the quotas, billing (if needed) and maintenance.
Do I also need to enable the admin SDK in addition to enabling API access?
Yes.
FYI:
API projects can hold up to 20 accounts
Users can own several projects (don't know how many)
Projects can be shared with other users or Groups
Related
I tried searching in various places, googling about how I can create and authenticate an SDK which I can use as a starting point. Here is what I am trying to achieve.
My Application:
I am creating a saas similar to firebase, supabase etc., where a user signs up on my application and adds some data, say a todo list.
Now, I would have to provide a client SDK(javascript) and server SDK(python, nodejs). Using this the customer should be able to add the SDK to his own application (Customer Application) and be able to access the data that My Application provides.
To do this, when the SDK is used in the Customer Application, I need to authenticate and get the user details, roles and provide the data from My Application. How can I do this?
I have seen that there is some kind of Client key and Server key generated in My Application. These keys can be used by the customer in his application and initialize the sdk using the Client key.
What kind of auth mechanism is this
How is the Client key and Server key generated securely
Any link/pointers to resources will be very helpful.
We use JWT based auth that encode certain Postgres user roles. You can find more information on it here: https://supabase.com/docs/guides/api#api-security
Hope you are doing well..!!
I have a question , I have an existing website where already integrated google calendar api . Now I have another new website so my question here is , may I use existing website google calendar api in this new domain or not ?
or need to buy for new domain again ?
Thanks,
Anks
If you have a website that users Google calendar api. So you have created a project on Google cloud console. either with service account credentials or web credentials. That is considered to be a single application.
When you go and create a new website and which to also use an api you should create a new project on Google cloud console for this application. The main reason for this would be quota. If you use the same project on google cloud console then both websites would be sharing the quota.
I cant tell you if you need to buy a new domain name for your website i guess that would depend upon your needs. If by domain you mean google workspace domain. Assuming you are using service accounts to store the web app calendar data, i dont see any reason it couldn't be under the same workspace domain. Just make sure you create separate projects in google cloud console to avoid the quota issue i mentioned.
So I have this really old UWP app that has been using the Live/OneDrive SDK to provide authentication and identification for at least 7 years now. The app is registered with Microsoft Account Authentication which provides a Client Id and Client Secret to identify the app when an authentication request is made.
When I use the SDK for authentication (OnlineIdAuthenticationProvider), it returns a unique Id (CurrentAccountSession.UserId) with which I can determine which of my users is using the app and then use that unique Id to persist/retrieve information the user provides.
The problem is....The OneDrive SDK is super old (hasn't been touched in over 3 years), outdated (.NET 4.51...no .NetStandard implementation) and Microsoft is pushing everyone to use MSAL and Graph instead. Fine.
But how can I do that and still be able to tie the person who is logged in to the app to the information I am storing for her/him?
From what I'm seeing, in order to use the new SDKs, I have to register my app, again, in the Azure portal and use a new Application (client) ID. If so, when my user logs in...my expectation is that any identifier that's returned to my app in the authentication process will not be the same as the UserId I've been using for almost a decade.
Has anyone done this? I can't be the only person who has encountered this problem...can I?
Any help would be greatly appreciated....
I want to restrict the access of google app engine apps only to users in my organization. Also, I want them to be able to access these without connecting to the organization's VPN
I am using python 3.7 runtime and standard environment for apps deployed on app engine
Using login: required handler is deprecated in python 3 runtime
handlers:
login: required
Is there a similar and ready to use alternate to this?
You can take a look at Identity Aware Proxy. Visit this link for a quick tutorial.
A benefit with IAP is that you don't need to make any changes to your application for it to work. All requests to your application will get authenticated with a google account and reach your code only if the user is logged in with a valid google account with IAP-secured Web App User role assigned.
You can create a Google Group in your organization's G Suite which contains all the users in the organization and assign the IAP-secured Web App User role to it. Then only users in your organization will be able to access the application.
Google Drive API question,
I am writing an application that can view a users' Google Drive files and folders from their google account (can be individual or part of an enterprise).
So on my Google Drive enterprise, I have created an API application. So I have an API key and Secret key stored in my application.
Now I want to use OAuth to authenticate the user so that they can approve my application to read their files. The users will not be part of my enterprise. They can be individual Google accounts, or they can be a single user from an some other enterprise account.
Is this possible? Or are there technical/security reasons this is not allowed?
I just got off the phone with wonderful Google api support agent, and I have my answer:
Yes this is possible to do. however due to the recent phishing attack, Google has put in place new security features that affect the following APIs:
Google drive
Gmail
Contacts
Directory Admin SDK
Here are the new rules:
There is a new security form we will need to fill out and be approved before we will be able to be approved as a trusted app that is able to access these api's using OAuth2 authentication.
Google has provided a feature that many enterprises use that allows an enterprise to completely disable the ability to access these api's using oauth2. So even though we have been approved from step1, we may still get an error for some enterprises who have directly blocked this; however, they can white list us in order to allow it from our enterprise if admin's prefer, while still blocking general use for others.
See links:
https://support.google.com/a/answer/7281227
https://developers.google.com/drive/v3/web/about-auth
https://developers.google.com/identity/protocols/OAuth2
https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/