I want to authenticate an admin using OAuth2 and access data for accounts that are under this admin.
Primarily something like this, I have an organisation : A --> B, C, D where A is the admin.
If i authenticate A can i access data from B,C,D.
We were able to do this in OAuth1.0 and appending email ids in request URL's.
How do we achieve it in OAuth2.0 ?
(assuming your users are under a Google Apps domain)
This can be achieved in OAuth 2.0 using service accounts. You need to:
Create a service accounts and download private key.
Delegate domain-wide authority to your service account (see the link below for instructions).
Use a signed assertion requesting access to the users data to receive an access token for use in subsequent API calls.
See here for an example using Google Drive API:
https://developers.google.com/drive/delegation
See also the "Additional Claims" section here:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#jwtcontents
Related
OK so I have an account using SSO credentials and the data within this SaaS app is available via a REST api using OAUTH2 but the API is not SSO friendly or enabled so how do I (if possible) access the data via the API but the only credentials I have are managed by the SSO., I do have my api key and secret and I can generate my access token in python from another non sso account but the sso account even tho I have the username and password I cannot get anything but a 401.. any help?
I might add , I am just an end user and have ZERO access to the actual API or data set but I can create and edit users and access on the SaaS app I cannot however change anything with the SSO or AD
I have tried using username#domain.com/token , I have also tried org\username and password, I have tried requesting different access-types from the OAUTH2 endpoint and the only recognized type is password. And I have tried every combination of the above trying to get the data from the API
If you are trying to access the third party REST API via OAuth2 then you'll need to check with the third party team if you are authorized to access that API, they may have to provide some additional permission to allow the access. If you are getting 401 then you don't have the correct credentials, please verify.
I have used service account to manipulate spreadsheet files of all users under same domain.
Now I want to use service account to fetch any user's data.
Can i use service account to read other user's drive data if user is not from my own g-suite domain?
That is absolutely not possible due to privacy and security concerns.
If you want to obtain data from a user which is not part of your domain, that user will have to authenticate to your application by manually completing the OAuth flow.
You may read more at:
Using OAuth 2.0 to Access Google APIs
Using OAuth 2.0 for Web Server Applications
Using OAuth 2.0 for Server to Server Applications
I get it that Oauth is used to grant permission to a third party application to access a user's data (like photos on his facebook account) without revelaing his facebook credentials to the third party application. For example, when you try to use an online photo editing tool and you want to load a photo from facebook, facebook will pop up a message asking whether you really want to allow the application to access your data. So at that point facebook just returns a temporary access token and the app can use it to access your facebook photos. (as i understand the scope for this access token is such that it only has permission to access the particular user's photos only) Yes, this sort of a setup is required because you can't trust a third party application that much as to give away your credentials.
Assume somehow instead of oauth, facebook used api key authentication. This would mean that all third party applications that have subscribed for facebook API already have a key which they can use to access facebook's data sources.So that the app can directly take you to your facebook photos and facebook will not notify you that an outsider is trying to access your private data. This approach is not suitable for an api that exposes user sensitive data but for apis that expose not so user specific (like google maps) data, the api key approach should be enough, right ?
So my question is, what are the criterion to decide which authentication type should be used ? And appreciate feedback if my understanding is wrong.
Here are 2 of the standard 4 Oauth2 flows which cater for the scenarios you mention.
Authorisation Code
Client Credentials.
Using your Facebook example above you could think of like this:
Use Authorisation Code flow for your "Oauth" scenario, where your app needs delegated authorisation to access a user's Facebook photos. This means the user must login and grant access to your app and your app must have an API key (client ID) issued by Facebook.
Use the client credentials flow for your "API Key" scenario. This would be when your app needs access to, for example, public Facebook pages / info and thus does not require specific user consent and can just use its API Key (Client Id & Client Secret)
We have tried various things to get the Google Site Verification API to work, including:
How can I authorize with OAuth 2.0 for google's predictive API in Ruby?
By calling: https://developers.google.com/site-verification/v1/webResource/list using the service account we always get an empty response: {}
When trying the same thing via the web console we get all the websites. We have like 30 websites.
I also had a look at this stackoverflow: Unable to access Google Sites via API, but can via Oauth Playground. Why?, without success.
Why is the body empty?
OAuth 2.0 is not an option for us, as we have a server application.
When using the service account, it will only list the sites that are owned by that service account. If you want to get the sites of a specific user, you must impersonate that user.
I haven't implemented it yet, but apparently you must go to http://www.google.com/a/{your-domain}/ManageOauthClients logged as the user that owns the sites and authorize the client ID of the service account you'll use to access the API, with the appropriate scopes.
This video explains it using Google Drive, but the authentication process is the same.
I'm not sure if this is available for Gmail users.
I was just wondering, I want to associate a Twitter and LinkedIn account with my systems accounts. Which would allow them to post to interact with them without needing to log in to the other systems.
Is there a way to store the social (twitter / LI) usernames and passwords and associate them with my system and vis versa.
E.g. If I login using my native details (email / password) I can access the API features of my social network accounts?
Thanks in advance,
Chris
I can't speak for Twitter, but with LinkedIn you could follow this basic workflow:
Register an 'application' with LinkedIn. Your site will use this application for all communication with the LinkedIn API.
Have the user authorize your site (your application really), to access their account via the LinkedIn API.
Retrieve the user's unique LinkedIn ID, as well as their access tokens, and store those in your user account database, associated with their existing account.
Then, when they return and log in to your site, any calls you need to make to LinkedIn can be done via the stored access token, rather than having to have them manually allow you to have access again.