Google oauth2.0 with a web app for an organization? - javascript

I'm attempting to pull calendar data (FreeBusy query) for employees in our orgs for a web app so that users can know whether or not they should contact that user right now. When trying to hit the FreeBusy api endpoint I get a 403 as expected, how can I authenticate with Google to allow this user (or app) to pull the information from the API?
Is it possible to create an "app authorization" token with a client username/password to pull this data from the google dev console? Or do I have to use some sort of redirect to google auth url and let the user authenticate there and provide a callback url?
Alternatively, is there any way to include google auth when the page loads? Is there a way to sort of "pop up" the google account you want to use and let google then generate an access token based on that?
The simple flow looks like this:
User enters some data about what they need into a frontend form (javascript app)
Call my own API and determine which employees match X criteria.
Take this result set and check the calendars of these matches. If they're available then allow user to contact them.

In order to access data of other employees, not one that initiated the request, you will either need those employees to each consent to your use of their data or (this is what would generally be done) get the admin of your organization to approve your app on behalf of all users in the domain.
If you do the latter, you can use domain-wide delegation [1] using a service account to pull the information you need.
[1] https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

Related

Google Calendar API per user gmail account

Currently I have this code to fetch all dates from my google calendar
https://developers.google.com/calendar/api/quickstart/js
As you can notice, there is client id & client secret key on js code.
I gathered it on my example-main-email#gmail.com
Code this will prompt something like this
So I used example-main-email#gmail.com to login & authorize
As you can see, it lists down all dates from google calendar under example-main-email#gmail.com
But my question is,
Is it possible to fetch calendar dates from different gmail account.
For example, I have 3 users
1st-example-main-email#gmail.com - If I authorize this email, it will fetch calendar dates under this account
2nd-example-main-email#gmail.com - If I authorize this email, it will fetch calendar dates under this account
3rd-example-main-email#gmail.com - If I authorize this email, it will fetch calendar dates under this account
So basically to fetch calendar dates based on gmail account
I'm planning to implement this type of functionality on my laravel project. I just want to know if this case is possible
Yes, this is doable, as long as the account owners provide your application with authorization to do so (either via OAuth token or a client secret)
In case you are referring to a set of Google Workspace Accounts, (and you want to automate it, this will require for you to use a Service Account + enable Domain Wide Delegation for it) plus having your application set to internal, this way it will not require for you to go through an application audit. Your client secret will work for any of these types of accounts inside your domain.
On the other hand, If you are referring to Gmail.com accounts you can use the ‘Test Users’ feature and add those other Gmail accounts there. Be mindful of the limitations though. In this option, your client secret will not work, you will need to change to an OAuth authentication process.

Authenticate a user from via a widget using Firebase Auth

Context:
I am currently working on an embeddable widget, something akin to Intercom or
Hotjar, and have the need to authenticate users. Thus far, I got away with
using Passwordless authentication using Firebase auth but users complain that
it's a high friction process, and they'd rather not do it at all. The ideal
authentication solution would be to let users use their Google or Facebook
account and authenticate via OAuth2.
Problem:
Firebase Auth restricts authenticating via 3rd party auth providers if the
domain the user authenticates via is not whitelisted in the authorized domains
list. So if the user puts the code in abc.com, and tries to auth via Google
firebase rejects it because abc.com is not in the whitelist. Whitelisting the
domain of every client is unorthodox. I feel like the way I'm approaching it
is wrong because I can't correctly build up a mental model of how this would
work out. Technically cookies, sessions, etc. are pointless.
Question:
How would I go about providing the ability to let users authenticate via 3rd
party auth providers? Is this even technically possible?
Potential Solutions:
Host the widget at the main app in a dynamic route (the website where the user
would get the widget's code) and render this route as an iframe in the
client's website. (ex: /widgets/{widgetID} would have the widget). I don't
want to do this really because iframes are a serious pain but this sounds like
the most feasible.
I'd like to know more/better solutions to address this particular situation.
It doesn't matter even if it's from a different cloud provider or a different
authentication service. The goal is to authenticate the user from the widget
ideally via a 3rd party auth provider like Google.
EDIT: This is the error that I currently receive:
widget.js:2 auth/unauthorized-domain This domain (xyz.com) is not authorized to run this operation. Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
Based on your use case, you need to verify the domain ownership xyz.com by following this guide
After that you need to add xyz.comto Authorized domains your, as the error message mentioned.
Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
For more information please check this guide
Is not possible enable Google Sign In by using a domain unverified or unauthorized, this is to protect the access to your sites/projects by restricting the usage of the Firebase/Google credentials only for configured domains.
There is no way to disable this setting, Google sign in uses Oauth2 as authentication framework

How can I provide public access to my photos

I would like to build a small js library that can read a specific album from my account and display the photos within as a slideshow.
In this guide (https://developers.google.com/photos/library/guides/get-started), to access the API we need both ClientID and Secret. Is there any way to access the API using some type of public key for read-only access? That way I (the provider of photos) don't have to login every time?
The Google Photos Library API is used via OAuth2 user authentication. All requests through the API are made on behalf of a user. Public API keys or service accounts are not supported.
OAuth tokens expire after a certain time, which is returned as part of the OAuth authentication request. You can use a refresh token to retrieve a new access token once it has expired. If you'd like to do this without explicit interactive user interaction, your application needs to be authorized for offline access. The good news is that the authentication client libraries handle this for you.
If you are using Google Sign-In (for example on Android), you can check if the user has already signed in using GoogleSignIn.getLastSignedInAccount(this), so you would not need to prompt again for access. You could also enable server-side access if you want to make these offline requests from your backend.
If you are using any of the Google OAuth client libraries, you can specify the 'offline' parameter as part of the initial sign-in request. For example in Java, you would set the access type: .setAccessType("offline") on the GoogleAuthorizationCodeFlow.Builder during creation.

Generate Tokens using twitter login

What i want :
I need to create a twitter application in which i will be providing user login, once user gets logged in, it should ask user to give permissions for Direct message and tweets, once user allows for it, i need that user's Consumer API keys Access-token and access token secret keys
What i did :
I have created an application for my Twitter account, I have generated
Consumer API keys Access-token and access token secret keys for
my application, now which way i should go?
I have seen couple of application which asks users to get logged in and their application generates access token n etc for logged in user, and stores to their DB, which can be used later on for sending and receiving DMs and tweets in customer support like applications.
I am looking to do it using java-script.
Your help would be appreciated.
Please let me know if you required further details.
I wrote a Javascript application that allows users to schedule tweets, retweets, and like tweets, and it uses technology you are asking about.
It does not generate Access Tokens & etc. for the user, because that's Twitter's job... But once the user collects those from Twitter and saves them in my application, you can set up tweets, and schedule when they should go out, and it will Tweet to your account for you using the Twitter API.
Here is my app, you can look through as an example, or even download yourself and run locally on your computer.
Here are the code files on GitHub
This is the live app! Try It!
Your apps needs a server, and if you run a Nodejs server, you can use this NPM package to make interacting with the Twitter API very very easily. IT supports, Tweets, Media Uploads, DMs, Streams, almost everything!
NPM Twit
If you want users to be able to login into your website/app using their Twitter account, you can use Passport.js to easily accomplish this. Search on YouTube, there are many many tutorials.
Passport + Twitter Auth Strategy
Good luck!
EDIT: To answers you're comments: Yes - you can get/send Tweets and DMs on behalf of another account. You MUST acquire the API KEY & SECRET and the ACCESS TOKEN & SECRET. The client MUST provide these to you. There is no other way to Tweet and DM for other accounts, aside from getting their password and logging directly into Twitter. Read Twitter Developer Docs.

OneDrive API Share document for offline writing/updating

I have created a web app which is making use of OneDrive API (https://learn.microsoft.com/en-us/onedrive/developer/rest-api/) to perform actions such as create/update/rename/delete of documents etc. I am authorizing requests with OAuth 2.0 (client side - that means every access token is valid for ~1h and then silently I am getting a new token) and then perform previous actions using that token.
I have a new requirement for the authorized user to share his/her documents for writing/updating them (I found out that API has option for inserting permissions (https://learn.microsoft.com/en-us/onedrive/developer/rest-api/api/driveitem_invite).
Is it possible for a non-authenticated user to be able to write/update documents (programmatically - via OneDrive API or some other API?) that have been created from the authenticated user that shared these? (something that is similar to Microsoft Word online when a user is sharing his document and offline/ guest users are able to edit it?
Thanks.
Some Update:
First of all documentation for REST API/ endpoints is chaotic. (https://github.com/OneDrive/onedrive-api-docs/issues/839)
I found out that I can get shared document via these endpoints:
GET: https://api.onedrive.com/v1.0/shares/encodedUrl/driveItem
And update shared document only if I have an access token
PUT: https://api.onedrive.com/v1.0/shares/encodedUrl/driveItem/content?access_token=accessToken
where encodedUrl can be obtained as : https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/shares_get
(check example on C# with sharing url )
So, I am still wondering how possible is to update a document without any authentication but just a share url.

Categories