Google Analytics API authorization for CMS (Single authorization) - javascript

I'm developing a 'CMS' for use in clients websites and I would like to include a few analytics views. I have searched and I found some things like this one in google analytics demos and tools (https://ga-dev-tools.appspot.com/embed-api/third-party-visualizations/), but it needs you to be logged with the analytics google account to show them.
I have seen Worpdress plugins that shows analytics in the dashboard and you only have to authorize them once and not to be logged in google. ¿How is this done?
I need to show client analytics in the dashboard of the CMS, but I don't want to ask for login everytime or request to be logged in their google accounts.
Thanks to anyone who can help.

The Google Analytics embedded API is built using JavaScript. JavaScript is client sided and there for an implicit login. Implicit logins do not contain a refresh token so when ever the access token expires normally after an hour you will need to login again.
Your Word press plugin assuming its the one i think it is. Uses php and is there for server sided and uses a hybrid login which probably requested offline access from you when you authenticated it first time. Offline access gives you a refresh token which can then be used to request a new access token when ever the plugin needs to access Google Analytics.
Assuming that your client only wants to see their own data they should be using a service account. Service accounts are preauthorized and will there for not require that you authenticate them again. Service accounts only work with server sided languages like php you can not use service account authentication with JavaScript.

Related

Google Picker API for Google Workspace users only

Hi, I want the users of our organization only to use google picker to select files from their google drive.
I followed this example to set up API key and oAuth client in the google developer console.
Here is the summary of what I did:
Enabled Google Picker API in Google API Console
Created API Key
Created OAuth client
Using Official Example google picker is working but it allows all Gmail users as well, I want to allow only those emails which belong to my domain.
I could not found anything related to this in official docs so I have the following questions:
Is it possible?
Is it possible to bypass the consent screen using service account impersonation(User Access Token generated on the server via impersonation)?
This is a high level explanation, but the idea is the following:
Using a server side script, you will generate a token for a user using a service account and impersonation.
On the client side, you will have to call that script on the server side and have the server return the token.
When initializing the picker, you will set the token to what you received from the server using the PickerBuilder.setOAuthToken() method.
That way you not only bypass the consent screen, but also make sure the drive picker presents the drive files of the user you authenticated with the service account.
If you are looking for a low level explanation, edit your question and post your architecture along with your code.

Authenticate a user from via a widget using Firebase Auth

Context:
I am currently working on an embeddable widget, something akin to Intercom or
Hotjar, and have the need to authenticate users. Thus far, I got away with
using Passwordless authentication using Firebase auth but users complain that
it's a high friction process, and they'd rather not do it at all. The ideal
authentication solution would be to let users use their Google or Facebook
account and authenticate via OAuth2.
Problem:
Firebase Auth restricts authenticating via 3rd party auth providers if the
domain the user authenticates via is not whitelisted in the authorized domains
list. So if the user puts the code in abc.com, and tries to auth via Google
firebase rejects it because abc.com is not in the whitelist. Whitelisting the
domain of every client is unorthodox. I feel like the way I'm approaching it
is wrong because I can't correctly build up a mental model of how this would
work out. Technically cookies, sessions, etc. are pointless.
Question:
How would I go about providing the ability to let users authenticate via 3rd
party auth providers? Is this even technically possible?
Potential Solutions:
Host the widget at the main app in a dynamic route (the website where the user
would get the widget's code) and render this route as an iframe in the
client's website. (ex: /widgets/{widgetID} would have the widget). I don't
want to do this really because iframes are a serious pain but this sounds like
the most feasible.
I'd like to know more/better solutions to address this particular situation.
It doesn't matter even if it's from a different cloud provider or a different
authentication service. The goal is to authenticate the user from the widget
ideally via a 3rd party auth provider like Google.
EDIT: This is the error that I currently receive:
widget.js:2 auth/unauthorized-domain This domain (xyz.com) is not authorized to run this operation. Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
Based on your use case, you need to verify the domain ownership xyz.com by following this guide
After that you need to add xyz.comto Authorized domains your, as the error message mentioned.
Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
For more information please check this guide
Is not possible enable Google Sign In by using a domain unverified or unauthorized, this is to protect the access to your sites/projects by restricting the usage of the Firebase/Google credentials only for configured domains.
There is no way to disable this setting, Google sign in uses Oauth2 as authentication framework

How do I connect to the GMAIL API without the oAuth authentication? using js or PHP

I am trying to use GMAIL API to access my emails in my inbox because I want to list my emails on my website. But every time someone visits the page,they asked to login/thru google auth. I want the user to see it without google's OAuth authentication so they they will see it immediately. I have also tried PHP IMAP on gmail, but it loads a bit longer to load the email.
Thanks!

Google Sign-In for Website - Login State Management

I'm incorporating Google Sign-In for my website and the basic setup is working fine, however I face a problem to manage the user's login status.
I came across the below SO question, which suggested to use sessionStorage/localStorage to carry the login status across pages of a website, and when user signs out the stored info should be cleared.
https://stackoverflow.com/a/40206395/5345604
I afraid I don't entirely understand the suggested implementation though. What if user signs out from his Google account somewhere else, say from Gmail or from Google Maps? In this case when the user revisits my website, how can I detect that he is no longer signed in with Google and remove the stored client side session? Or this is not the way it is supposed to work?
And on top of the above question, I'm also thinking about the authentication with my backend (PHP). Given the ID token, shall I be sending it across to my server and authenticate it with the Google API Client Library every time? Or shall I only authenticate the user once and store a flag of indication in $_SESSION, and then destroy the session when the user signs out? (Given that the token is in fact a JWT, I suppose the implementation is meant to be stateless and requires the token to be passed to the server every time? Are there any concerns to implement it with the traditional approach of a server side session?)
I can only answer your first question: The login of your website is completely separate from the login status of other Google services. Even YouTube is separate from google.com.

Is it possible to show blog view counter with information Google Analytics

I have a static blog using Jekyll hosted on GitHub. I have set up Google Analytics for it and works well enough.
Now I want to show how many people viewed each post in my blog. I found Google Analytics JavaScript API to get the information. But it seems that this API uses OAuth for data access. So I think this might not be the API I needed.
Is it possible to do so with Google Analytics? I don't have any server since it's hosted on GitHub.
I finally solved this problem by Google Analytics superProxy as suggested in the comment of #EikePierstorff.
I wrote a blog on it.
Here's the main idea.
I first build a project on Google App Engile, with which I authenticate for the access of my Google Analytics. Then a URL of query (which can be pageview of certain pages) is generated in JSON format. I can set the refresh rate on this GAE project so that the JSON file can be updated from Google Analytic.
Sounds almost perfect to me. Thank you all guys for help!
You can't query the Google Analytics API without authorization by someone, that's the most important thing to remember.
It's certainly possible to display Google Analytics data on your website to users who don't have access to your account, but in order to do that, someone with access to the account needs to authorize and get an access token in order to run queries.
Normally this is done server side, and once you have a valid access token you can query the API client side (to display charts and graph, etc.). Access tokens are typically valid for 1 hour, so if you want to have your website up all the time, you'll also have to deal with refreshing the access token once it expires.
Now, since you're using Github Pages and don't have a back end, which means all the authorization will need to happen client side. While it's technically possible to do the same thing client side as server side, it's generally not a good idea because private data like your client secret, refresh token, etc. will be visible in the source code.
Applications that do auth client side typically don't authorize on behalf of a user. They require the users themselves to go through an auth flow for security reasons (as I just explained), but that would mean those users 1) have to log in, and 2) can only see the analytics data they have access to, which probably isn't what you want.
--
What you can do is run reports periodically yourself and export that data to a Google Spreadsheet. Google Spreadsheets allow you to embed charts and graphs of data as an <iframe> in external pages, so that might be an option.
At the end of the day, if you can't authorize server side you'll have to come up with some kind of workaround to make this happen.
Here are a few possibly helpful links that might point you in the right direction:
https://developers.google.com/analytics/solutions/google-analytics-spreadsheet-add-on
https://developers.google.com/analytics/devguides/reporting/embed
https://developers.google.com/analytics/solutions/report-automation-magic

Categories