Google Picker API for Google Workspace users only - javascript

Hi, I want the users of our organization only to use google picker to select files from their google drive.
I followed this example to set up API key and oAuth client in the google developer console.
Here is the summary of what I did:
Enabled Google Picker API in Google API Console
Created API Key
Created OAuth client
Using Official Example google picker is working but it allows all Gmail users as well, I want to allow only those emails which belong to my domain.
I could not found anything related to this in official docs so I have the following questions:
Is it possible?
Is it possible to bypass the consent screen using service account impersonation(User Access Token generated on the server via impersonation)?

This is a high level explanation, but the idea is the following:
Using a server side script, you will generate a token for a user using a service account and impersonation.
On the client side, you will have to call that script on the server side and have the server return the token.
When initializing the picker, you will set the token to what you received from the server using the PickerBuilder.setOAuthToken() method.
That way you not only bypass the consent screen, but also make sure the drive picker presents the drive files of the user you authenticated with the service account.
If you are looking for a low level explanation, edit your question and post your architecture along with your code.

Related

Using google sheets as a database authenticating from the code

I am working on a POC (a Vue based web application) for which I require a database. I want to use the google sheet as a database
I followed the official Google Sheets API v4 documentation and I am able to perform all kinds of database operations on the google sheet. But, it requires the user to explicitly click on a button and sign in to authenticate. I want it to be done from the code itself.
I have the following keys which are required along with the user consent to use the google sheets API
// Client ID and API key from the Developer Console
var CLIENT_ID = '<YOUR_CLIENT_ID>';
var API_KEY = '<YOUR_API_KEY>';
Apart from this I also have a client secret which I have absolutely no idea how to use it in the code. From what I have read over the internet and what I have understood, it is used to authenticate the access to google sheets API from the code. But, I don't know how.
I did come across some of the third-party services like Sheetsu and SheetDB which I don't want to use. So, is there a way I can use google sheets as a database for simple CRUD operations just as we will do with any traditional database?
It is behaving that way - expecting a user to authenticate - because you are using OAuth2 authentication which is meant for scenarios where a user grants your program access to their spreadsheet.
For your scenario you want to use the other type of authentication: service account.
Actually, you can use a service account with OAuth, as described here:
Using OAuth 2.0 for Server to Server Applications
https://developers.google.com/identity/protocols/oauth2/service-account
And you could consider this because the code examples tend to use OAuth, but I'm suggesting that you instead go back to the sheets API in the console:
https://console.cloud.google.com/apis/api/sheets.googleapis.com/credentials?project=yourProjectId
And click 'create credentials' and choose a service account instead of OAuth. This method has a simpler authentication flow since it is meant for your scenario: no end-user.
Also, I haven't done this in a while, but I think I took the service account client_email (the email address of the account - the main identifier) and give it permission to access the sheet, ie. share your sheet with it.
Finally, I would note - and you probably already know this - but you mention using sheets like a database and it doesn't have the performance characteristics for this. It is more like a CRM: eg. suitable for a building a static site.

Verifying/whitelisting website for Google Calendar

I'm trying to make a portal where users can authenticate their Google credentials and then access their Google Calendar by creating and deleting events all via my website. However, I can't seem to find where on the Google Developers Console where to whitelist my site because of this following error:
{
"error": "idpiframe_initialization_failed",
"details": "Not a valid origin for the client: https://maxstechandmathsite.azurewebsites.net has not been whitelisted for client ID (my client ID).
Please go to https://console.developers.google.com/ and whitelist this origin for your project's client ID."
}
The JavaScript code I'm using is in reference to this Github page: https://github.com/gsuitedevs/browser-samples/blob/master/calendar/quickstart/index.html. Besides having to verify my site ownership, the issue may also be having an incorrect client ID or API key. For Google Calendar, I'm assuming you use the client ID and API key for the Google Calendar itself, but would I possibly have to use my Google Sign-In client ID for the OAuth 2.0 authorization? I tried that client ID, but no error message came up in the first place, unlike with the Google Calendar client ID, so I think I'm on the right track. I just can't find any Google docs on this error.
Turns out I was right. I did have to use my OAuth 2.0 client ID instead of the Google Calendar client ID generated for me when enabling the Calendar API. Not only that, but I had to use a previous API key I made on the Google Developers Console.

I want to let user create Folder on Google Drive without any further signing

My purpose is to provide service on my server based on Google Drive platform. The most importantly user don't need to sign in or have google account to access this service.
As developer I want to authorize my web site URL and the Google Drive that will be mine.
I went through various solution but don't get actual one.
You may want to look at this documentation about service accounts which enables your web application to interact with google servers. The docs says:
A service account's credentials include a generated email address that is unique and at least one public/private key pair. If domain-wide delegation is enabled, then a client ID is also part of the service account's credentials.

Write to a Google spreadsheet from JavaScript using the Public API access (no OAuth)

I'd like to allow a user to visit one of my sites, enter some information into a field, and then save that information into a Google Spreadsheet via JavaScript.
I don't want the user to login via Google or have to do any special authentication.
It's Ok if the spreadsheet needs to be open to public; the data's not sensitive.
I don't want to use a Google Form, I want to have full control over the client-side UI.
I've been reading through the Google developer docs, but they only make mention to an OAuth login solution. The Google Developer Console allows you to create a "Public API access key", but does not explain how it's used.
All of the examples are for the scenario where the user is using your app to access his own files. In your case, you want the app to access your own file. This isn't easy. The only ways I can see are :-
Use a server app (appengine works well) to do the access
Very carefully set up permissions and store a refresh token in your app.
Option 2 could be your worst security nightmare if you don't do it carefully, and even then may be an infringement of Google T's and C's since it's akin to distributing your password.
Once you figure out the auth, you'll need to check out the spreadsheet API (https://developers.google.com/google-apps/spreadsheets/), as this is the API that allows you to update an existing spreadsheet. The Drive API can only upload an entire new spreadsheet.

Is it possible to show blog view counter with information Google Analytics

I have a static blog using Jekyll hosted on GitHub. I have set up Google Analytics for it and works well enough.
Now I want to show how many people viewed each post in my blog. I found Google Analytics JavaScript API to get the information. But it seems that this API uses OAuth for data access. So I think this might not be the API I needed.
Is it possible to do so with Google Analytics? I don't have any server since it's hosted on GitHub.
I finally solved this problem by Google Analytics superProxy as suggested in the comment of #EikePierstorff.
I wrote a blog on it.
Here's the main idea.
I first build a project on Google App Engile, with which I authenticate for the access of my Google Analytics. Then a URL of query (which can be pageview of certain pages) is generated in JSON format. I can set the refresh rate on this GAE project so that the JSON file can be updated from Google Analytic.
Sounds almost perfect to me. Thank you all guys for help!
You can't query the Google Analytics API without authorization by someone, that's the most important thing to remember.
It's certainly possible to display Google Analytics data on your website to users who don't have access to your account, but in order to do that, someone with access to the account needs to authorize and get an access token in order to run queries.
Normally this is done server side, and once you have a valid access token you can query the API client side (to display charts and graph, etc.). Access tokens are typically valid for 1 hour, so if you want to have your website up all the time, you'll also have to deal with refreshing the access token once it expires.
Now, since you're using Github Pages and don't have a back end, which means all the authorization will need to happen client side. While it's technically possible to do the same thing client side as server side, it's generally not a good idea because private data like your client secret, refresh token, etc. will be visible in the source code.
Applications that do auth client side typically don't authorize on behalf of a user. They require the users themselves to go through an auth flow for security reasons (as I just explained), but that would mean those users 1) have to log in, and 2) can only see the analytics data they have access to, which probably isn't what you want.
--
What you can do is run reports periodically yourself and export that data to a Google Spreadsheet. Google Spreadsheets allow you to embed charts and graphs of data as an <iframe> in external pages, so that might be an option.
At the end of the day, if you can't authorize server side you'll have to come up with some kind of workaround to make this happen.
Here are a few possibly helpful links that might point you in the right direction:
https://developers.google.com/analytics/solutions/google-analytics-spreadsheet-add-on
https://developers.google.com/analytics/devguides/reporting/embed
https://developers.google.com/analytics/solutions/report-automation-magic

Categories