How to set up a service account for Google Apps API

In order to manage Google Apps using the API, I am working with the admin-cmdline-sample client project, which I downloaded from the Admin SDK.
Now I am able to connect to the Google Apps cloud and manage user features.
The problem that I am facing now is that, in the process of the authorization code flow to get the access token,
I am getting redirected to the login page if the emailId that I passed in the code is not already there in the credential store.
So is there any mechanism by which I can pass the password in the client code itself so that I won't be redirected to the login page?
I found some related posts, which recommend setting up a service account.
I tried that as mentioned in "https://developers.google.com/console/help/new/#serviceaccounts", but I am not able to find the generate certificate and download private key links.
Currently I am using a free subscription plan. Is there any alternative way to generate a certificate and download a private key for free subscribers, or is it possible for paid subscribers only?

I hope this can help you.
You can create a Service Account with a free or a paid subscription.
Log in with your Google Account.
Visit the Google developer console.
Create a new project.
When your project is created:
Click on the "APIs" tab.
Turn on the apis that you need.
After that, you will see something like this picture.
Click on the "Create new client ID" button and choose "service account".
After that, your private key (.p12 file) will be downloaded and you will have:
A Client ID
An Email Address
A Public key fingerprint
You can generate new Keys and download a JSON file.
You can read more information about the Google developer console here

Related

How to use the Google Calendar API from a Raspberry Pi without a keyboard?

Can we get credentials for the Google Calendar API on different devices?
We are using the Google Calendar API on the Raspberry Pi with the following steps as a reference.
https://developers.google.com/calendar/quickstart/python
We have generated the credentials by operating in the following steps
We chose TVs and Limited Input devices as the application type and then downloaded the JSON file.
Credentials > Create credentials > OAuth Client ID
https://console.developers.google.com/apis/credentials
Our Raspberry Pi does not have a keyboard and display.
We note the URL displayed in "Please visit this URL to authorize this application" via ssh.
We access the URL from the PC browser and note the authentication code after tying it to the calendar.
To "Enter the authorization code" we enter it.
It works as we expect.
But this is difficult for our customers.
Can we do this authentication using a PC or smartphone?
In that case, how do we move the token.pickle from the PC or smartphone to the Raspberry Pi?
Maybe we are thinking too hard.
If there is an easier way, please tell us about it.
We just want to use the Google Calendar API.
If you don't have a G-Suite account use SSH in order to send the tokens
Once you get the token.pickle you won't need to "visit" the URL to authorize the application. Anyway, a refresh token has its restrictions. A refresh token might stop working for one of these reasons:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
Use a service account instead (G-Suite account only)
The token.pickle is generated the first time. The quickstart you mentioned makes use of the user credentials. However, if you want to use just one token across the devices and see a different calendar on every device, I strongly recommend that you use a service account and enable domain-wide delegation in order to impersonate the user's calendar.
To do so:
Create a service account
Enable the domain-wide delegation
Impersonate the user in order to see the desired calendar (using Python)
Reference
Refresh token expiration
Creating a service account
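An added example, not part of the answer above: a check to run on the Raspberry Pi after the token has been copied over SSH. It assumes the credential was saved as JSON (for instance with google-auth's Credentials.to_json()) rather than as token.pickle, because unpickling a file executes whatever code it encodes; the function names and the token-endpoint allow-list are assumptions.

```python
import json
import os
import stat

# Fields needed to refresh an authorized-user credential.
REQUIRED = ("refresh_token", "client_id", "client_secret")
# Assumed allow-list of Google token endpoints; adjust to your client config.
ALLOWED_TOKEN_URIS = {
    "https://oauth2.googleapis.com/token",
    "https://accounts.google.com/o/oauth2/token",
}


def write_token_file(path, info):
    """Write the credential JSON so that only the owning user can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(info, fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed


def check_token_file(path, allowed_scopes):
    """Return a list of problems found in a copied token file ([] means OK)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o lets group/other access the file" % mode)
    try:
        with open(path, "r", encoding="utf-8") as fh:
            info = json.load(fh)  # plain data: unlike pickle.load, runs no code
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return problems + ["not valid JSON"]
    if not isinstance(info, dict):
        return problems + ["top-level value is not an object"]
    for key in REQUIRED:
        if not isinstance(info.get(key), str) or not info[key]:
            problems.append("missing field: " + key)
    uri = info.get("token_uri")
    if not (isinstance(uri, str) and uri in ALLOWED_TOKEN_URIS):
        problems.append("unexpected token_uri")
    scopes = info.get("scopes")
    if not isinstance(scopes, list):
        scopes = []
    extra = sorted(set(map(str, scopes)) - set(allowed_scopes))
    if extra:
        problems.append("scopes beyond what the device needs: " + ", ".join(extra))
    return problems
```

Run check_token_file on the device before handing the file to the Calendar client, and refuse to start if the returned list is not empty.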

Set up app authentication for Console App using Microsoft Graph API

I'm struggling to correctly configure my app in the Azure portal. My application prompts for user permission every time it runs. The goal is to prompt an admin user ONE TIME to grant permissions to my app.
I'm writing a CONSOLE application to create a new task in Microsoft Planner by making API calls to the Microsoft Graph API.
I'm using delegated permissions for this so this application needs to take on the permissions of a user.
The good news is I've gotten this to work already.
What I need help with is configuring my app in Azure portal correctly.
Right now, every time I run the app, it prompts for consent. I'd like the app to ask an administrator to grant permissions to the app up front once and let the console app work without prompting users after that.
One issue I have is setting up the Redirect URI. The ONLY way I've gotten this to work so far is to set the URI to "urn:ietf:wg:oauth:2.0:oob".
As much as I've read about redirect URIs, you'd think I'd have this part figured out. I've tried using:
https://login.microsoftonline.com/{0} ({0} = tenant id)
msal423d50b9-dfba-4c66-88f8-26c1432083e4://auth
https://login.microsoftonline.com/common/oauth2/nativeclient
https://login.live.com/oauth20_desktop.srf
When my console application runs, it directs the user to the login.microsoftonline.com and there I can choose a user, and then it asks me if I'd like to grant authority on behalf of my organization to all the permissions listed. I click the Accept button and it tells me that the Redirect URI does not match the one in my configuration.
Keeping in mind this is a console application, can someone please advise me as to how I should configure this to work correctly?
private static IAuthenticationProvider CreateAuthorizationProvider(string clientId, string authority, IEnumerable<string> scopes)
{
    var clientApplication = new PublicClientApplication(clientId, authority);
    return new MsalAuthenticationProvider(clientApplication, scopes.ToArray());
}
As you can see, the code is passing a client Id and authority. The authority in this case is where I'm passing the redirect URI. This is where I believe my problem is and where I could really use some help.
Every example out there is for a web app of some sort.

Understanding Sign-in process in actions-on-google

I have a Google Assistant (Actions on Google) app where I want the user to log in. I use actions-on-google with DialogFlow which in turn has a webhook.
For a specific action where sign-in is required, in the webhook, I launch app.askForSignIn();
I have an intent called actions.intent.SIGN_IN which has an event called actions_intent_SIGN_IN. On this action, I check app.getSignInStatus() and I get null for this.
Am I missing something? Will Google Assistant / Actions on Google do something to extract link the token and scopes from oauth and associate it with the user?
I was able to make it work on my app, but I'm not calling app.askForSignIn(). Instead I've checked the option "Sign in required" on the DialogFlow integration with Google Assistant, then I provided all the information regarding client ID and secret and Authorization and Token URLs in the "Account linking" section of the App's overview on the Action on Google console.
I basically followed this guide.
PS: To make it work on the console either you have to sign in from a smartphone or call the auth URL directly in a browser window.
Hi rochan, I had the same problem a while ago; see my post, it's still an open issue for me: Google Actions SDK Sign-In implicit flow
But it hadn't much priority for me. What you can try is using a Google Assistant enabled smartphone and test there instead of inside the simulator. Maybe it works.
You have to enable the Sign in Required option in the Google Assistant integration settings in Dialogflow.
After enabling this, use the Account Linking option in the Actions on Google overview and follow the steps below.
We have to enable the webhook first; how to enable the webhook is described in the Dialogflow fulfillment docs.
Open your project under Google Cloud console
1. Go to Google Cloud console -> APIs and Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> note the client ID and client secret from there
   -> Download JSON -> from the JSON note down the project id, auth_uri, token_uri
   -> Authorised Redirect URIs -> whitelist our app's URL -> in this URL the fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id to the URL
   -> Save the changes
Actions on Google -> Account linking setup
1. Grant type = Authorisation code
2. Client info
   1. Fill in client id, client secret, auth_uri, token_uri
   2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.co.in
   3. Save and run from Google Assistant on some device.
   4. It will show an error while running on the Google Assistant, but don't worry.
   5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth and token_uri as https://accounts.google.com/o/oauth2/token
   6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email and we are good to go.
   7. Save the changes.
In the hosting server logs, we can see the access token value and through the access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting JSON page.
Additionally, to get the username and email address, you can use the snippet below:
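import requests
# req is the parsed JSON body of the webhook request
accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
# userinfo link from the step above, with the access token appended
link = "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" + accessToken
r = requests.get(link)
print("Email Id= " + r.json()["email"])
print("Name= " + r.json()["name"])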
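An added example, not part of the answer above: the same userinfo lookup with the token carried in an Authorization header instead of the URL query string, plus a redaction helper so webhook bodies can be logged without the token value. The helper names are hypothetical; the request path originalRequest.data.user.accessToken and the userinfo URL are the ones the answer uses.

```python
import hashlib
import urllib.request

USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo"  # from the answer


def extract_access_token(req):
    """Return the linked-account token from a parsed webhook body, or None."""
    node = req
    for key in ("originalRequest", "data", "user", "accessToken"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, str) and node else None


def build_userinfo_request(access_token):
    """Build (not send) the userinfo call; the token never appears in the URL."""
    if any(c in access_token for c in "\r\n"):
        raise ValueError("token contains line breaks")  # header-injection guard
    return urllib.request.Request(
        USERINFO_URL, headers={"Authorization": "Bearer " + access_token})


def token_fingerprint(access_token):
    """Short SHA-256 prefix: correlates log lines without exposing the token."""
    return "tok:" + hashlib.sha256(access_token.encode()).hexdigest()[:12]


def redact(req):
    """Copy of the webhook body that is safe to log."""
    if isinstance(req, dict):
        return {k: token_fingerprint(v) if k == "accessToken" and isinstance(v, str)
                else redact(v) for k, v in req.items()}
    if isinstance(req, list):
        return [redact(v) for v in req]
    return req
```

Send the request with urllib.request.urlopen(build_userinfo_request(token), timeout=10) and log redact(req) rather than req.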

Why should I use One tap sign in over Chrome's Credential Management API

I am a bit confused about the One tap sign in that was announced by Google earlier this year. Our application already uses the Credential Management API in Chrome, which essentially provides the user with login options based on the credentials that the user has saved for our site on a previous visit (passwords that are saved in Chrome). When I read the documentation for One tap sign in, it promises to do the same thing, but using Google's client api id. Our application has its own ID provider with our own database of user names and passwords; from the documentation it looks like One Tap sign in does not support custom ID providers. Can anyone shed more light on this? Why would I use one over the other?
Thanks
Karthik
I see two major differences:
One Tap is passwordless - it uses a token based login that never exposes the user's password. Chrome Credential Management API stores and retrieves actual passwords in Chrome's password store.
One Tap is purely web based - Chrome Credential Management API relies on Chrome's specific implementation. One Tap is a purely web based workflow so it will work across browsers.
One Tap is a much better long term login solution in my opinion. The Credential Management API is experimental and currently only supported in Chrome.
https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API#Browser_compatibility
I lead product development at Google for the one-tap/auto sign-in library. We designed it such that the library includes the Credential Management API and extends it to provide assistance in account creation, secure passwordless sign-in, and cross-browser support.
In particular, if you make a request for existing credentials with code like this:
googleyolo.retrieve({
  supportedAuthMethods: [
    "https://accounts.google.com",
    "googleyolo://id-and-password"
  ],
  supportedIdTokenProviders: [
    { uri: "https://accounts.google.com", clientId: "CLIENT_ID" }
  ]
});
then any saved username/passwords from the Credential Management API will be returned (in browsers supporting the API) along with token data for Google Accounts. The one-tap/auto sign-in JavaScript library wraps the Credential Management API for credential retrieval.
Furthermore, the library provides a googleyolo.hint method to show an email selector for one-tap selection of a verified email address to assist in new account creation, or to link to an existing account, and then be auto signed-in next time with token instead of password, across all browsers, so long as the same Google Account is active.
I'd suggest using the one-tap/auto sign-in library and consuming tokens as well as passwords in order to get assisted sign-up, keep existing users signed-in automatically, and provide functionality even if the browser does not support the Credential Management API.
As for the question about using your own database of username / password, the hope with this library is you could implement the ability to create accounts and auto sign-in to these and existing accounts with OpenID Connect ID tokens representing the user's identity. With the one-tap / auto sign-in UX, these are not only much more usable, but far more secure than passwords and mitigate creation of weak/re-used passwords. Please consider this or, even better, a hosted auth solution like Firebase Auth or Auth0 and include the one-tap UX in the frontend UI.

Get messages from Gmail via HTTPS GET call

I'm working on an iOS application and what I'd like to do is have the app ping one universal Gmail account to check for the most recent email.
I went through the guide from Google at https://developers.google.com/gmail/api/quickstart/ios?ver=swift, but the result did not work. After some googling, it appears that some functionality may have been changed, but they haven't updated their documentation yet.
Is there a way to send credentials via https to Gmail and get email messages back? I have an OAuth key via the Gmail API manager, but when I pass it as "access_token", the response says "Login Required".
AFAIK, an error response "Login Required" can be encountered if you try to list the buckets for a project that do not provide an authorization header.
If we check Users.messages: get, it's noted that it requires authorization.
For this, you may want to check Authorizing Your App with Gmail, wherein you will find this basic authorization pattern:
During development, register the application in the Google API Console.
When the app launches, request that the user grant access to data in their Google account.
If the user consents, your application requests and receives credentials to access the Gmail API.
Refresh the credentials (if necessary).
Furthermore, if your application needs to access Google APIs on behalf of the user, you should use server-side flow. Please see Implementing Server-Side Authorization for more information.
Some time back I was involved in writing a sample application to access email from Gmail, but using C++ on Windows. The code is at https://github.com/Panchatcharam/simple_gmail_api. I was able to successfully get emails.