We Keep Coding

Is login hint available under the new Google Identity Services library?

I'm making an app that connects to a google calender.
I would like make the "sign-up with google" and "authorize to access
calender" flow as seamless as possible.
My understanding is that this can be done with "login hints":
From the docs at https://developers.google.com/identity/oauth2/web/guides/how-user-authz-works
Adding a hint during authorization initialization--typically the email address of the user's Google Account--enables Google to skip the display of an account chooser, saving users a step. The ID Token credential returned by Sign In With Google contains the user's email address.
From past issues and digging around in the source, it looks I can run the "sign in with google" flow, and then pass an email from that to the authorisation flow like so:
This does redirect to a link with "login_hint=EMAIL_FROM_LOGIN_FLOW", but still displays the account selection.
Am I doing something wrong, or is this feature not yet supported in the new library?

Signing in with Google using an existing account - The correct way

Our website allows users to create a new account using a registration page where we collect username, email, passwords, avatar, etc. The users activate their account and then login and browse, buy, comment, etc like normal.
We recently added the Login with Google button to our site as an additional option. Currently the system does the following:
Get a post request from Google
Verify the signature on the JWT and prepare the credentials
Do some security checks on the request
Check if the email exists with an existing user in our system - if it does, authorize them and login
If the email and sub don't exist, create a new account and load the data from Googles credential POST to make a new account
The conflict here is whether or not we should be doing step 4 on existing accounts that were not created using Google or if those accounts should be converted to Google only accounts when they login.
For example,
I register with john#gmail.com as my account name with a password created on the register page. One day, I accidentally, or on purpose, click Sign in with Google. The system sees my email from the oauth login and finds my account already in the system.
Should it:
Log me into the account without checking password, since its already my Google account, and keep everything else the same.
Give me an error that my email is already in use on another account and abort the login process.
Convert the account to a Google only sign-in and remove the password to prevent me from logging in without using Google in the future.
Update the account with the Google sub id but keep the password option and allow them to reset their website password independently from Google should they wish to "unlink" their Google account in the future.
I believe step 4 would be the most logical, but as we have not implemented this before we want to follow the standard that most other developers would use - or maybe there's an even better way.

While working with Google Action Console OAuth, it was rejected for the following reasons

While working with Google Action Console OAuth, it was rejected for the following reasons.
please, Help me.

Based on the line, "We couldn't find account creation/linking prompt", I'm guessing your OAuth page didn't have a "Create an account" link.
If you're telling them you want users to use your website to create accounts, users need to be made aware how to do that.
If you already have that, add "users can create an account on our OAuth page by clicking [Create an account]" (or however you say it) to your Testing Instructions and resubmit.

Add user email scope to Google OAuth

I completed the process to allow the users to login to Google OAuth but the Oauth Consent Screen do not ask the email/userinfo permission/scope to the user and so the access token I get do not have access to the user information.
At console.cloud.google.com > My project > Credentials > Oauth Consent Screen the following scopes are visible but seem added by default and I can not edit them: email (googleapis.com/auth/userinfo.email), profile (googleapis.com/auth/userinfo.profile), openid (openid)
But when I test it I get this dialog window:
Instead I should get this:
So with the text "To continue, Google will share your name, email address, language preference, and profile picture with Support Board."
My app is not verified by Google and maybe this is the issue, but after checking everywhere I do not see any docs about it.

I found the answer, the URL must include; scope=email
For instance:
https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&access_type=offline&redirect_uri=[URL]&client_id=[CLIENT-ID]&prompt=consent
^^^^^^^^^^^

How to properly setup google analytics report api v4? [duplicate]

I'm creating an script, based on Google Analytics step-by-step guide from this page:
https://developers.google.com/analytics/resources/tutorials/hello-analytics-api
Authorization is done without problems, until it tries to access data. The return code is 403, and error message is:
User does not have any Google Analytics account
This message has no sense: my account has google analytics data, tracking multiple websites, and I can access it from web browser without problem. I've allowed Analytics API through Google APIs console, and API access is giving me right data.

I had this problem too. I fixed it by adding the email address for my service account to the Google Analytics profile I wanted it to access.
I got the email address (something like xxxxxx#developer.gserviceaccount.com) for the service account by looking under the "API Access" tab in the Google APIs console.
Then, I followed Google's instructions for adding an email address to an Analytics profile. Now everything's working as expected.
Good luck!

Just add you given email (format of 71667655853644-o653rrdkq5hthsgo0otbpojoo#developer.gserviceaccount.com)
to User Managers:
Wish it helps you

I was facing the same issue. It got resolved by adding the email id of the service account user(your account#yourwebsite-dev.iam.gserviceaccount.com), to the users in your Analytics account under-
Analytics-Home Page ->Admin(left pane) -> User Management -> add (click on plus sign on right side of the menu) -> Add new User -> Add the email id in enter email addresses.
Now, this will solve the issue.

It is mentioned in a comment above but if you add the email address under the User Management for your account, it won't work. You have to click on the User Management under the view part of the screen.

This message we get when no permission granted to client_email, in the google alalytics, client_email is you got from the JSON file. to grant permission to client_email you're using in your App, Head over to Google Analytics site and click "Admin (setting icon)"
you'll get menu list right, there click on "View User Management"
There you'll see "+" icon, and "add user",
once you click on that, you need to add client_email in the "email address field" and save it, you should be good to go!

Go to https://console.cloud.google.com/apis/credentials
Copy email address in "Service Account".
Open Google Analytics, add email above as a new user.

You will also get this error if you have never logged in with the google account youre trying to authenticate with.

I was getting the 403 error until I changed the permissions of the email account from inside Google Analytics from 'Read & Analyze' to something else, saved it, and then changed the permissions back to 'Read & Analyze' and it worked.

Just in case if that doesn't work, Try to open your JSON file which you have downloaded and Search for client_email and copy that email address and add it to the View File
Click On
Analytics-Home Page ->Admin(left pane) -> User Management -> add (click on plus sign on right side of the menu) -> Add new User -> Add the client_email address which you copied.
If that still doesn't work
Analytics-Homepage-> Admin ->Views->User Management(Click on add(+) symbol, add this ccopied client_email address and give permissions and save it.

I was hitting the 403 error. These steps got me around it. To be clear, I was trying to get Google's sample "HelloAnalytics.php" working with OAuth (sans user interaction, suitable for cron job etc).
After enabling the Analytics API, I created a new "Service Account" under APIs & Auth/Credentials; and saved the .p12 key pair. I then went into the Analytics user management console, and added that Service User's email address.
.p12 authorization using the PHP API works if I check off only "Read & Analyze" only in the permissions list. If I add "Manage Users" and/or "Edit", I get the 403. Hope this is helpful, I was grinding on this for a couple of hours...

I had this problem too, and I found that the problem was that I had asked for too many permissions. The Developer Console says to ask for both http://www.googleapis.com/auth/analytics and http://www.googleapis.com/auth/analytics.readonly permissions. This did not work when I was also using the sub claim. A sub claim instructs Google to issue an access token that operates on behalf of another user — in my case the Google account that owns the service account. I removed the analytics permission and stuck with analytics.readonly with the sub claim:
{
"iss":"123123123123123-xxxxxxxxxxxxxxxxxxxxxxxx#developer.gserviceaccount.com",
"sub":"me.example#gmail.com"
"scope":"http://www.googleapis.com/auth/analytics",
...
}
The Bearer token issued allows me to make (at least some) Google Analytics queries to profiles that are owned by completely different Google accounts, but that have been shared (read-only) with my gmail user (me.example#gmail.com).

I managed to fix this by making sure that the
client = Google::APIClient.new(:application_name => 'X',:application_version => '1')
application name variable 'X above was the ACCOUNT name on the GA dashboard, not the PROPERTY name, which in my case was the actual url of the site I want to access.
Confusing, but thankfully fixed (with no thanks to Google!)

The problem happens since we dont provide a "sub" argument. Unless we provide this, the call happens on behalf of that long service account email.
So just provide a sub argument, with an email which you already have given access in the report and things should work well!

I got the same error, since I didn't sign in the google analytics. So I had resolved it by signing in the analytics account.

Instead of using a service account, you can sidestep the need for adding a adding new user permissions (as per the top answers in this thread) by using OAuth client ID credentials.
Go to the API credentials dashboard and click "Create credentials" -> "OAuth client ID". Afterwards you should get a client ID and a client secret that you'll need to authenticate the API.
Now you can use OAuth2WebServerFlow to authenticate on a per-use basis. Here is a python3 example:
from apiclient.discovery import build
from oauth2client.client import OAuth2WebServerFlow
# TODO: Fill these in...
CLIENT_ID = ''
CLIENT_SECRET = ''
VIEW_ID = ''
flow = OAuth2WebServerFlow(
CLIENT_ID, CLIENT_SECRET,
'https://www.googleapis.com/auth/analytics.readonly',
redirect_uri='urn:ietf:wg:oauth:2.0:oob'
)
authorize_url = flow.step1_get_authorize_url()
print('Receive code from:\n%s\n' % authorize_url)
code = input('Enter code here:').strip()
credentials = flow.step2_exchange(code)
api = build('analyticsreporting', 'v4', credentials=credentials)
body={
'reportRequests': [{
'viewId': VIEW_ID,
'dateRanges': [{'startDate': '7daysAgo', 'endDate': 'today'}],
'metrics': [{'expression': 'ga:sessions'}],
'dimensions': [{'name': 'ga:country'}]
}]
}
data = api.reports().batchGet(body=body).execute()