I have the following:
gapi.auth.authorize(
{ client_id: CLIENT_ID, scope: SCOPES, immediate: false },
handleAuthResult);
Which gives me access to an access_token:
The goal is that a user of this application can grant access to my app to use their google drive to store their content. I need to be able to use this token to:
Read files
Post files
Over a long period of time without reauthenticating via the google login page. How can this be achieved? I'm using C# as a backend.
You will need to switch from doing OAuth in JavaScript in the browser to doing OAuth on your server. It's well documented here https://developers.google.com/identity/protocols/OAuth2WebServer
You have the choice of using the OAuth c# library, or simply calling the REST endpoints.
To achieve access without the user present, you'll need access_type=offline which ...
Set the value to offline if your application needs to refresh access
tokens when the user is not present at the browser. This is the method
of refreshing access tokens described later in this document. This
value instructs the Google authorization server to return a refresh
token and an access token the first time that your application
exchanges an authorization code for tokens.
You will then get a Refresh Token on the first time the user grants permission. You will need to save this Refresh Token in some sort of server datastore. You can then use it at any time to request an Access Token.
Related
I currently have an iframe which i embeed in my site, in a chrome extension and in 3rd party sites.
The problem is the following:
I'm populating parts of my iframe with firebase data.
In my site, i embeed my own iframe and is protected by a firebase token (the views), i don't know exactly how it works, but it returns the data correctly when calling the DB.
Example:
getData(
reference: string,
){
const ref = `accounts/${reference}`;
const dataReturn = this.db.object(ref).valueChanges();
return dataReturn;
}
This returns just fine on my webapp, when the user logouts in my webapp, then the data is protected (as it has to be)
The problem begins here: When a 3rd party embeeds my iframe, they use an oAuth token (to get users, etc from my API), so they're not logged in my website, hence, when they embeed and try to get the data (automatically, since we call firebase onInit), they get blocked by firebase because they don't have a valid token/they're not authenticated in my website.
Is there a way to use that oAuth token to let them get the firebase data?
Same escenario happens in the chrome extension, we make the user log-in using an oAuth token (to prevent making an account and logging in in our webapp, preventing CORS issues).
These are my rules in realtime database firebase:
"accounts": {
".read": "auth !== null",
".write": false,
}
Thank you!
If the OAuth token is from a collaborator on the Firebase project and that collaborator has access to the Realtime Database, the client will have that same access to the database too.
Their API calls will in that case bypass the security rules of your database, just as when the collaborator would sign in to the Firebase console and access the database there.
Ok.. so for anyone wondering.. a coworker resolved this issue by sending the oAuth token to our backend, and returning from there a valid firebase token. With that token, we just sign-in with signInWithCustomToken() firebase function (of course applying logic so just oAuth users can actually use this automatically). That way my users have access to realtime database since they're authenticated in firebase
Per https://developers.google.com/identity/sign-in/web/server-side-flow in order to get a refresh token, the client must grant offline access. However, I see no way to do that using the new API. What's the proper way to get a refreshed token using the Google button, so the user doesn't need to re-login every hour?
Authentication for sign-in has been separated from authorization for data access in he new API.
In the new API authentication does not require or use access or refresh tokens, instead a signed JWT ID token credential containing the user profile is shared after user consent. This greatly simplifies the level of effort and need to manage tokens during app sign-up or sign-in.
If you're performing authorization to access Google APIs and storing refresh tokens on your backend, then a server-to-server OAuth flow is appropriate.
Another clarification, user sign-in to your app and maintaining session state are separate concepts and should be handled separate from backend processes which may use an offline refresh token to perform actions through a Google API on behalf of the user while they are not logged in.
Google actions AuthO 2.0 not getting refresh token
After successful login with my web application i get the access token in response.
where can i get the refresh token on actions-on-google side?
The Flow is Authorization_Code and not implicit.
After successful user authentication, in the first response where can i see the refresh token?
Is it possible to get the refresh token?
I am asking the user to signIn if access token is not present.How can i get the refresh token as a part of the code response, if it's a part of http response, how can you access it when GET request is done by googl-actions in background.
if (isNullOrUndefined(conv.user.access.token))
{
conv.ask(new SignIn('To get your account details'));
}
Google requires that you provide the special parameter access_type=offline if you need a refresh token. You need to include that in the authorization URL to receive a refresh token.
Google's Refresh Token docs:
If you are not using a client library, you need to set the access_type HTTP query parameter to offline when redirecting the user to Google's OAuth 2.0 server. In that case, Google's authorization server returns a refresh token when you exchange an authorization code for an access token. Then, if the access token expires (or at any other time), you can use a refresh token to obtain a new access token.
Note that Google will not issue refresh tokens for users that have already authorized an application unless you also include the prompt=consent parameter, forcing the user to affirmatively re-consent to the application's access.
I would like to build a small js library that can read a specific album from my account and display the photos within as a slideshow.
In this guide (https://developers.google.com/photos/library/guides/get-started), to access the API we need both ClientID and Secret. Is there any way to access the API using some type of public key for read-only access? That way I (the provider of photos) don't have to login every time?
The Google Photos Library API is used via OAuth2 user authentication. All requests through the API are made on behalf of a user. Public API keys or service accounts are not supported.
OAuth tokens expire after a certain time, which is returned as part of the OAuth authentication request. You can use a refresh token to retrieve a new access token once it has expired. If you'd like to do this without explicit interactive user interaction, your application needs to be authorized for offline access. The good news is that the authentication client libraries handle this for you.
If you are using Google Sign-In (for example on Android), you can check if the user has already signed in using GoogleSignIn.getLastSignedInAccount(this), so you would not need to prompt again for access. You could also enable server-side access if you want to make these offline requests from your backend.
If you are using any of the Google OAuth client libraries, you can specify the 'offline' parameter as part of the initial sign-in request. For example in Java, you would set the access type: .setAccessType("offline") on the GoogleAuthorizationCodeFlow.Builder during creation.
I'm using Yammer JS SDK to authenticate users to access some web service. I'm using JS SDK to obtain a token and I store it in session. Current flow is following (may be wrong, correct me, if necessary):
User accesses any page, PHP is checking for token stored in session vars. If not - user is redirected to login page
Using Yammer SDK I'm getting an access token and save it to session vars (POSTing it to our server side login service) and render the requested page.
Problem so far - I can't find any way in Yammer API to check if the access token stored\passed to my web service is actually the right thing. Which means, that potentially anyone can generate some random gibberish data, use that as a token and view content - the rest of Yammer functionality will be broken, but content will be visible.
The smartest way I thought of so far is to try and get some client info from Yammer REST API using the token and if response is invalid - delete the session stored token.
How do I do that the proper way?
Checking for HTTP status code 401 Unauthorized Access on a request is the only way I know of to determine if your Token is valid. There are a couple instances where you will get a 401 back with a valid token, but this is pretty rare.