I've been trying to integrate my application (ruby) with a Google AppScript (published as a Web Application with access level as 'only me') on behalf of a Google Apps account for quite some time, but I can't get a handle of it. Maybe I'm missing a key concept here or that sort of authentication/authorization isn't available when making requests in the background.
The script works fine when I'm logged in to gmail and access the script endpoint. I can also successfully connect to it using a sinatra application authenticated with openid.
I've already tried to use google-api-ruby-client, but I can't get the authorization scope right (service name). I've also tried clientlogin in gdata-ruby-util, to use Gmail login/password and get an authorization error message when trying to fetch from the script url.
Is it doable? Can anyone point me in the right direction?
Unfortunately, Contentservice in Apps Script (which I think you are using to create your webservice) doesn't provide any authentication mechanism. If you are accessing it from a server side script, you can use a token string which is known by your webservice app and your server to provide a level of security to your publicly accessible webservice.
Here are some similar discussion
How to use Google Apps Script ContentService as a REST server
Google App Script: ContentService web app usage
Related
I have been doing a lot of research into how to authenticate mobile apps with an API - I still feel a bit unsure about which flow & architecture would be better to use in my particular use case.
I think what's confusing me is some of the terminology used.
My use case:
An API & database on one server. Which holds the users & and the users resources.
A web app, which I have built and consumes the API. Hosted on the same server as the API. So it's dogfooding.
A web app, which I have built and consumes the API. Hosted on a different server to the API.
A mobile app, which I have built and consumes the API.
I'd like to be able to authenticate with the API using username & password.
The API will never be opened up for consumption by other 3rd party services except the web app and the mobile app.
Initially I felt like using the Resource Owner Password Credentials Grant flow would be sufficient. However in the docs it states that this flow should be used if "The client is absolutely trusted with the user credentials".
Since both my mobile & web apps will be built by me, I'm assuming they are seen as 1st party clients. Therefore am I right in thinking they are considered to be trusted with the user credentials? As I typically thought that when implementing oAuth, the idea would be to have the authentication server separate from the resource server. Which would allow you to have one authentication server for multiple APIs.
After reading this post: Why the Password Grant is not suitable for modern applications
It threw me off track a bit. But then, is this post talking about using this flow in my use case?
I was also looking at the Implicit Grant Tokens flow. However using this flow I couldn't really see how the user would enter their credentials first?
I also question if any of the oAuth flows is really needed for my use case and I should instead look at other ways of authenticating?
I'm really quite lost with this I would like some direction to go in with how to authenticate users in my particular case.
Thanks in advance!
I'll most likely be using Laravel to house my API and so I do have Passport available to me to implement oAuth
EDIT
From following this oauth article I've found that in all use cases of my app, I end at Password Credentials Grant flow. Would I be correct here?
We have tried various things to get the Google Site Verification API to work, including:
How can I authorize with OAuth 2.0 for google's predictive API in Ruby?
By calling: https://developers.google.com/site-verification/v1/webResource/list using the service account we always get an empty response: {}
When trying the same thing via the web console we get all the websites. We have like 30 websites.
I also had a look at this stackoverflow: Unable to access Google Sites via API, but can via Oauth Playground. Why?, without success.
Why is the body empty?
OAuth 2.0 is not an option for us, as we have a server application.
When using the service account, it will only list the sites that are owned by that service account. If you want to get the sites of a specific user, you must impersonate that user.
I haven't implemented it yet, but apparently you must go to http://www.google.com/a/{your-domain}/ManageOauthClients logged as the user that owns the sites and authorize the client ID of the service account you'll use to access the API, with the appropriate scopes.
This video explains it using Google Drive, but the authentication process is the same.
I'm not sure if this is available for Gmail users.
I recently started a new project using different carefully-chosen technologies, my project is built as follow :
The approach is API-Centric, which means I'm building a website and an iOS app communicating with an API written using Symfony2. I've successfully managed to write my API, and it is perfectly working.
To gain access to the services provided by the API, the main actors (the website users, the iOS app users and the developers) can authenticate theirself in several ways :
Clients can gain access with a login/password couple through the website interface which is communicating directly with the API through AJAX to validate the provided credentials and set a session. So, when someones logs in our website, they have automatically access to the API as well.
Developers can authenticate theirself through the API using HTTP-Basic over SSL, which will as well generate a session and give them access to the services they are authorized to call.
Also, Developers and clients can gain access to the website and the API using their facebook account through the Facebook Connect functionality. This deletes the step where each actor has to create an account on our website.
So basically, the credentials are provided either through HTTP-Basic or using the Facebook Login functionality.
Now that my authentication system is working and that my clients are able to access the website, I would like them to connect to a real-time server when they log in. Like in Facebook or Google+ if you want where the real-time server manages chat and push informations.
In this case i'm using Node.js and the powerfull socket.io library to manage everything that deals with the real-time side.
Of course, the real-time service will need some credentials to authenticate the user since he is authenticated to the Symfony security system with a session but is not authenticated against the real-time server.
A solution I've been thinking about would be to use the PdoSessionStorage in my API (Symfony side) and store all the active sessions in a database such as MySQL or PostgreSQL. Doing so, I would be able to send to my real-time server the session id generated by symfony and check on the database if the session id provided is correct or not. If he is I'll let the user access the services provided by my real-time server and associate his session with an identity.
But I really don;t know if this is a good solution and I would like some more experienced advices on this and on how to deal with this issue.
Note : For some reasons, I cannot implement OAuth even if it could be a solution to solve this issue using a Single Sign On approach.
I'm trying to figure out, how to use OAuth 2.0 to access Google APIs from my web app. The problem is, that the protocol require developer to register redirect_uri (URL of page receiving access token). But my application can be distributed to many customers and can be hosted on endless number of servers. There is no way to know redirect_uri beforehand.
Google offers another option for installed applications, but I cannot use this variant neither. Auth server returns access code in window title and this information cannot be accessed from javascript of our page (JS cannot access content of window opened using window.open(); if that content comes from different server).
To conclude:
Cannot use method for web applications, because I don't know all URLs where will our app run in the future.
Cannot use method for installed applications, because window title is not accessible from our JavaScript code.
Is there any recommendation, how to use Google's OAuth 2.0 from distributable web application running on a lots of servers? Thank you.
Are you sure you cannot access the window title? If your app is opening the window, it should be able to access it. It should be possible to do this in a similar way you would do it in a mobile app.
If all attempts fail, you could set up a proxy server (that has a known redirect URI) and hands out the Google tokens to all your clients. Or better each of the apps could have its own proxy server - the server it was downloaded from. But then if each OAuth client can only have one redirect URI, each app would have to be a separate OAuth client.
I'm interested in making a cross-platform Facebook, but non-browser based application.
Therefor I'd like to make WCF service, which provide and hide e.g. authentication methods, queries via Graph API.
To keep it simple, firstly I would like to connect this service, with a console client.
Does anyone has a tutorial, hint, how can I manage this?
I started with this simple demo app:
http://blog.prabir.me/post/Facebook-CSharp-SDK-Writing-your-First-Facebook-Application-v6.aspx
The main problem with it, that it is using webbrowser control, which I can hardly imagine on a service.
Why do you want to create WCF Service and use it as a proxy to Facebook? You can make direct requests to Facebook server.
As for the authentication you still have to use oauth and ask user to login. You can then securely save the access token somewhere and use that access token to make the requests.