In our company we run a number of different websites which are being tracked with Google Analytics (GA). Up to this point we have been using the Login protocol and GData to access GA data to display the data nicely on our custom web application dash boarded which we use for tracking traffic on our sites.
Nowadays Google has Google API Console which lets you track your API usage. We want to take advantage of this service to view howmuch APIs we consume. However from what we can understand it requires us to use OAuth for authentication instead of the username and password we currently use to access the data. We don't like OAuth because it redirects the user to Google for authentication when currently the user has no need to know about where the data is coming from and what credentials are needed.
Is there anyway that we could make Google API Console monitor our usage without having to switch from GData and the Login protocol?
You can switch to the OAuth 2 protocol and use a refresh token for offline access. Once you get the refresh token, you can save it to a file or database and use that to access the data without an authorization redirect.
See the docs here: https://developers.google.com/accounts/docs/OAuth2InstalledApp#refresh
Also see where there is discussion of using the refresh token: How can we access specific Google Analytics account data using API?
Related
I want to use Google BigQuery authentication like other Google services (for example, Google sheet).
The auth of Google sheet works on the scope and makes appear to the user a popup like "The app XXX request the access to your Google Account" and in this popup, you can see what permission needed by the app.
I would the same auth with Google BigQuery but after I read the docs, looks the code of official PHP client, I can't understand how to make this auth. Is this possible?
P.S. Obviously I tried the flow in the google docs with generated JSON from google developer console and it works fine.
What you want to do is not possible. At least in the way you would like.
When using, let's say, "native" GCP products, the OAuth authentication is performed automatically after logging in. This is why you don't are prompted to identify yourself when accessing to your GCS buckets, or when getting into the App Engine Dashboard.
When you want to grant access to an external user to your project, you run the command gcloud auth login. An authorization screen is shown like the one below:
This screen is also shown to "non-native" GCP services, such as BigQuery Geo Viz, Dialogflow, etc. You are prompt to grant access since these are "external" GCP features which interacts with your project's internal info.
BigQuery is an integrated GCP service and does not requires OAuth authentication when used via the UI.
If you would like to interact with the BigQuery API's, I highly recommend you to use the BigQuery Client libraries which do the authentication method much easier.
However, there is a way to grant access to external users. I found the Authorizing API requests doc where it's said that you can get a temporal access token for external users. This is done by following these steps:
Run the command gcloud auth application-default print-access-token in a Cloud Shell session.
Copy the output and paste it in a HTTP request like
https://www.googleapis.com/bigquery/v2/projects/$GOOGLE_CLOUD_PROJECT/datasets?access_token=ACCESS_TOKEN
Note that this could lead to even more effort than the required for Client libraries.
Hope this is helpful.
I'm a bit new to the authentication/authorization landscape and need some advice on how to architect/implement an application that will ultimately be connecting to Salesforce and retrieving information. At a very high-level, I'm building a mobile app that will need to pull Salesforce related data to display to the user. Their specific Salesforce instance uses Google as the identity provider. Also, we are planning to put a gateway in place to orchestrate all communication with Salesforce and potentially do some response aggregation. We're also planning on using Cognito to handle the identity management. My specific questions are:
Will I be authenticating through the Salesforce auth endpoints? If Salesforce is ultimately using Google as an identity provider, wouldn't it make sense to retrieve that token directly from Salesforce itself?
Will I need to register the mobile app as an application as well within Salesforce or Google? I understand that Salesforce itself needs registered within Google to allow for using Google as an identity provider in Salesforce, but does it make sense to register both?
There is currently no need to restrict resource access, as any user that can log in can see everything. Will that effect the implementation at all? Essentially, if a user can log into Salesforce with their Google creds (a.k.a they have a user mapped), then they should be able to see anything.
I'm sure that I'm asking some naive quesitons, and really don't know where to start. I've recently build an Api for Salesforce Connect's use using Azure as an identity provider and that was fairly straightforward, though that was machine-to-machine and much simpler. Any help at all would be greatly appreciated. Thank you.
It has been a while... not sure you still have an issue.
Assuming salesforce is configured to use Google for auth/as an Auth Provider: you have to have your app auth to salesforce, and salesforce will automatically redirect the user to auth to Google (or ensure there is an existing valid Google user session, and let you access salesforce). Google with issue a token to salesforce, and salesforce will issue its own token to your app.
I have to develop a RESTful API for a mobile application and I have some concerns about the flow of the communication between those parts. I'm new to the API development for mobile devices and OAuth.
The project in common should work this way:
users are allowed to login using only their Google accounts
the mobile application uses the website API and all the information is stored on the backend
I found a similar question here OAuth on REST API for mobile app and I prefer the first solution from it, but I have some questions about the security of this solution.
1) Should I use OAuth2 for the API? I'm not sure it's a good idea just to send the user's Google ID to the API to get user's data.
2) How can I check on the server that the Google ID is correct and actual? Or it's not important at all?
I'm thinking about this scenario, but I'm not sure it's the best solution:
1) The user logs in on the mobile application for the first time using his Google Account.
2) The mobile application receives Google ID and some additional information.
3) The mobile application sends the Google ID to the server.
4) The server uses OAuth2. It creates an account for the user (saving the Google ID in the database) and returns an access token to the mobile application.
5) The mobile application stores the access token locally and uses it for requests to the server. Once the access token expires, the user has to login in the mobile application again using his Google account.
I have some concerns about using just Google ID for generating a token. I mean, anybody can just use somebody's Google ID to create a token. Bad idea :(
Also should I use JWT better as a token?
Thanks for your help!
You should send the user's id_token to the API instead
There are a couple of different ways in which you can validate the integrity of the ID token on the server side:
a) "Manually" - constantly download Google's public keys, verify signature and then each and every field, including the iss one; the main advantage (albeit a small one in my opinion) I see here is that you can minimize the number of requests sent to Google.
b) "Automatically" - do a GET on Google's endpoint to verify this token
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}
c) Using a Google API Client Library.
As for the workflow, it's mostly correct, except for the last step, where you can instead refresh an access token without prompting the user for permission. Btw, Google's id_token is actually a JWT.
I have a site that I have tagged using Google Analytics. I can see that the stats are being created and I can analyse them using Google Analytics web tool.
I want to extract my tagging data using the Google Analytics API but all the instructions seem to point me towards the developers console to create my OAuth2 token. My site does not appear in the list of apps that is presented, so I can't do the next step of generating my OAuth2 token.
I feel like I must be missing something obvious, but I am hitting brick wall at the moment. How do I get the site to appear so I can see it in the developers console?
The Google Developer console is for registering your application, this way google knows who is using there APIs. Your Google analytics account wont show up here because well that's not how it works.
Create a new project you will get a client_id and client secrete that are used to identify your application. Then you use a programming language to access the API using the client id and client secret.
I am not a java programmer so i cant help you with that. You mentioned that you want to access your own data. I recommend you look in to using a service account. A service account can be used to grant authentication without having to prompt a user for access. This only works when it is your own account you are accessing and the data doesn't belong to another user. Take the service account email address and add it as a user in google analytics at the ACCOUNT level it must be the Account level. then when you use the service account in your code you will have access.
https://developers.google.com/analytics/devguides/reporting/core/v3/quickstart/service-java
I wish to create a single application registered with Google that uses Google's OAuth2 mechanisms to authorize read access to a user's Google Drive content. Then on behalf of that user I want to take that data and expose it via my application as a webservice (proprietary REST API). The webservice can then be consumed by arbitrary 3rd party applications that know nothing about the authorization of my application to access the user's Google Drive.
This is technically possible and not very difficult. My question is whether or not this is an acceptable use of Google's APIs and Google's OAuth2 offering?
OAuth 2 requires an user to affirmatively say yes to your request. As long as you properly describe what you'll do with it (and what is the nature of these third party apps) then I don't see why you can't.
If you just try to slip in the read scope on a generic-looking request form, than I would say that's a no-no.