I want to extend a project in a way that it can save files to Google Drive. To learn how this works I tried the Quick Start Example from the docs: https://developers.google.com/drive/v3/web/quickstart/js
Following the example I noticed that the example is creating an API key in the developer console. Following the same steps only returns a Client secret. I suspected this to be a naming problem and hoped that the two are the same.
Unfortunately, the example code does not work but loggs the following error:
{"error":{"errors":[{"domain":"usageLimits","reason":"keyInvalid","message":"Bad Request"}],"code":400,"message":"Bad Request"}}
In the request to:
https://content.googleapis.com/discovery/v1/apis/drive/v3/rest?pp=0&fields=kind%2Cname%2Cversion%2CrootUrl%2CservicePath%2Cresources%2Cparameters%2Cmethods%2CbatchPath%2Cid&key=[[my key]]
I checked that the right secret appears in the request url. Setting var API_KEY = '<YOUR_API_KEY>'; to an empty string is a workaround.
How can I debug this further? where do i get the right api key?
I run into this error recently. It is certain that Google Documentation is usually quite good, but in this case, the Google Drive API (https://developers.google.com/drive/api/v3/quickstart/js) it wasn't that clear. For this API in particular, you will require two credentials.
Under your project credentials section, you must create an OAuth 2.0 client for a web application and a API Key.
(Sorry for the Spanish in the screenshots)
Regarding the OAuth 2.0 client, not that I have restricted it to http://localhost
Concerning the API Key, note that I have restricted it to my Google Drive API
Then, in the index.html provided by the documentation, you can set your CLIENT_ID to the one obtained in the OAuth 2.0 client generation, and the API_KEY to the the one generated in the API Key process.
{"error":{"errors":[{"domain":"usageLimits","reason":"keyInvalid","message":"Bad Request"}],"code":400,"message":"Bad Request"}}
Means that the request you have made has not been properly authenticated.
API key is for accessing public data. Oauth2 client id and secret will be used to access private user data which file.list is. So i dont think this is a naming problem. Your code should be popping up requesting access of the user.
Related
Hi, I want the users of our organization only to use google picker to select files from their google drive.
I followed this example to set up API key and oAuth client in the google developer console.
Here is the summary of what I did:
Enabled Google Picker API in Google API Console
Created API Key
Created OAuth client
Using Official Example google picker is working but it allows all Gmail users as well, I want to allow only those emails which belong to my domain.
I could not found anything related to this in official docs so I have the following questions:
Is it possible?
Is it possible to bypass the consent screen using service account impersonation(User Access Token generated on the server via impersonation)?
This is a high level explanation, but the idea is the following:
Using a server side script, you will generate a token for a user using a service account and impersonation.
On the client side, you will have to call that script on the server side and have the server return the token.
When initializing the picker, you will set the token to what you received from the server using the PickerBuilder.setOAuthToken() method.
That way you not only bypass the consent screen, but also make sure the drive picker presents the drive files of the user you authenticated with the service account.
If you are looking for a low level explanation, edit your question and post your architecture along with your code.
There seems to be a lot of documentation lying around everywhere about how to use Google Cloud Platform and its fancy AutoML service. But I couldn't find anything that is solving my problem of trying to get a prediction from a trained model on AutoML via a local website. The website code is in this link: https://pastebin.com/xsfkYf6C
All I get in return from uploading an image and clicking "process" button on this site is:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I surely have made some mistakes somewhere, but I'm completely clueless as to how I would fix this or maybe because I'm just too dumb to figure it out yet. My research has yielded none to very little results. This article might be of some help to clear things up about AutoML Restful API: https://cloud.google.com/vision/automl/docs/reference/rest/v1beta1/projects.locations.models/predict
Appreciate any of your suggestions and code fixes.
Thanks so much and have a great day!
You need to pass your api key to REST API call like this:
https://automl.googleapis.com/v1beta1/projects/a...1/locations/us-central1/models/ICN...1:predict?key=API_KEY
To create an API key you need a Google Cloud account since it's only free up to a certain point and then you will get charged for.
Therefore you should secure this key and make sure it is not visible publicly(so don't put in your html source code, backend should handle this call).
More details here
The error could mean that you are using an API Key or the token you provided is wrong/malformed. I think that creating a token using Playground, ServerSide, Javascript, etc. will fail due to there are not OAuth2.0 scopes for AutoML, maybe because is still in beta release.
Keeping in mind that a token generated from gcloud it works, I can suggest generating programmatically a token impersonating a service account to generate the token, this example contains all the pieces of the puzzle. This means that your user could generate a service account token on behalf of your service
Points to consider when executing the code:
Enable the Identity and Access Management (IAM) API.
Update the code according to your own configuration, project and json file.
Use the generic scope: https://www.googleapis.com/auth/cloud-platform as the jwt_scope.
IMPORTANT: The python code it is using urllib and httplib, which means that it could be translated to a POST requests with some extra effort (to be used in your javascript)
Let us know if it works for your specific use case!
Im researching about some custom google API and in the site it seems to be running okay. im able to upload the desired file to my own drive account, but when i tried it to my local environment its not working. i already changed the developer's key. the oauth seems to be okay but the developer's key might have a problem. here is the demo that the guy provided. https://howdy39.github.io/google-picker-api-demo/ but when i tried it to my local environment its not working, any of them. here is a sample picture of the problem This happens after the login screen so the auth keys are okay. i dont know what to do with the developer's key. here is the original source code provided. https://github.com/howdy39/google-picker-api-demo/blob/master/docs/index.html
Please check Credentials - API key - Accept requests from these HTTP referrers (web sites).
Try adding localhost.
I'm making an open source Node module that will require access to each user's private Google Drive files. I've been trying to wrap my head around all of these different authentication types, and have come to a road block. From what I've gathered, there are two primary types of authentication
I, the library author, provide in my library the public and private keys necessary to authenticate each user with OAuth2. This means giving them a URL to go to to give my app permission to access their data, and have them copy and paste an access code back into their terminal. I was able to run through this tutorial and get it working, but this method seems dangerous, because of the keys I have to package with my library, and unnecessarily difficult.
Have the user go to the Google API console, get their own API key, and provide that to my library through some sort of configuration file. No URL redirection, no copying and pasting, just some private credentials that only they have access to.
2 sounds a lot better to me: This library has absolutely nothing to do with me once it's in the user's hands, so it feels incorrect to have them authenticate with me. But from what I can find, the only way to do this with Google's API is to create a Google Service account, download the JSON they give you, go through a flow similar to the top comment on this blog post, and then manually give the service account email access to my personal Google Drive files. This seems hacky, and a lot of work to gain access to my own private data. Is there a better way to go about this? It seems strange to me that this fairly standard flow in other APIs is only available in Google's API through service accounts, but maybe there is a way and I'm just not seeing it. I'm fairly new to authentication, so any help at all is appreciated. Thanks!
First off I want to say that you cant release your open source project with the client id and client secrete that you created on Google Developers console this is against googles terms of service.
1.Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep
your credentials confidential and make reasonable efforts to prevent
and discourage other API Clients from using your credentials.
Developer credentials may not be embedded in open source projects.
My Answer on another question about exposing client id in open source projects.
Second you could instruct your users to use either Oauth2 or a service account or both its really up to you.
If the user will only be accessing their own data and wont need to access someone else's data then they can use a service account you will need to instruct them in how to share a folder on Google Drive with the service account. However from your side permissions can be tricky when they are uploaded the service account will own the file uploaded to the users google drive account you will need to have the service account add permissions for the user so the user will then also be able to access said file.
The easiest way to go will be Oauth2 when the code uploads files they are owned by the authenticated user so you wont have the same permissions issue you had with a service account.
I'd like to allow a user to visit one of my sites, enter some information into a field, and then save that information into a Google Spreadsheet via JavaScript.
I don't want the user to login via Google or have to do any special authentication.
It's Ok if the spreadsheet needs to be open to public; the data's not sensitive.
I don't want to use a Google Form, I want to have full control over the client-side UI.
I've been reading through the Google developer docs, but they only make mention to an OAuth login solution. The Google Developer Console allows you to create a "Public API access key", but does not explain how it's used.
All of the examples are for the scenario where the user is using your app to access his own files. In your case, you want the app to access your own file. This isn't easy. The only ways I can see are :-
Use a server app (appengine works well) to do the access
Very carefully set up permissions and store a refresh token in your app.
Option 2 could be your worst security nightmare if you don't do it carefully, and even then may be an infringement of Google T's and C's since it's akin to distributing your password.
Once you figure out the auth, you'll need to check out the spreadsheet API (https://developers.google.com/google-apps/spreadsheets/), as this is the API that allows you to update an existing spreadsheet. The Drive API can only upload an entire new spreadsheet.