Using Oauth2 and Google's API I have set up access with a service account, but am struggling to set up access to a specific folder within our team organization.
Currently I am able to do the method calls I want (list, permissions, copy) but the items in the drive that come are only the get started file. I'm not entirely sure which drive this is pulling from as that doesn't exist in any of the accounts I've set the service up in.
My Questions:
When setting up drive integration using a service account, what is the default drive used and how do I access it via the dev console or gmail account?
Are you able to access Organization/Team folders and add files to it?
Thank you again for the help!
The drive resource used will be the the Google account which generated the service account in the Google Dev console.
A service
account
is a special type of Google account that belongs to your application
or a virtual machine (VM), instead of to an individual end user. Your
application calls Google APIs assuming the identity of the service
account,
so that the users aren't directly involved. A service account can have
zero or more pairs of service account keys, which are used to
authenticate to Google.
Are you able to access Organization/Team folders and add files to it?
If you're application is using a service account to login, yes people you've granted permission can definitely access it and modify the contents depending on the roles you've given them.
You can read more of service accounts in Using OAuth 2.0 for Server to Server Applications.
Related
Hi, I want the users of our organization only to use google picker to select files from their google drive.
I followed this example to set up API key and oAuth client in the google developer console.
Here is the summary of what I did:
Enabled Google Picker API in Google API Console
Created API Key
Created OAuth client
Using Official Example google picker is working but it allows all Gmail users as well, I want to allow only those emails which belong to my domain.
I could not found anything related to this in official docs so I have the following questions:
Is it possible?
Is it possible to bypass the consent screen using service account impersonation(User Access Token generated on the server via impersonation)?
This is a high level explanation, but the idea is the following:
Using a server side script, you will generate a token for a user using a service account and impersonation.
On the client side, you will have to call that script on the server side and have the server return the token.
When initializing the picker, you will set the token to what you received from the server using the PickerBuilder.setOAuthToken() method.
That way you not only bypass the consent screen, but also make sure the drive picker presents the drive files of the user you authenticated with the service account.
If you are looking for a low level explanation, edit your question and post your architecture along with your code.
I have created a web app which is making use of OneDrive API (https://learn.microsoft.com/en-us/onedrive/developer/rest-api/) to perform actions such as create/update/rename/delete of documents etc. I am authorizing requests with OAuth 2.0 (client side - that means every access token is valid for ~1h and then silently I am getting a new token) and then perform previous actions using that token.
I have a new requirement for the authorized user to share his/her documents for writing/updating them (I found out that API has option for inserting permissions (https://learn.microsoft.com/en-us/onedrive/developer/rest-api/api/driveitem_invite).
Is it possible for a non-authenticated user to be able to write/update documents (programmatically - via OneDrive API or some other API?) that have been created from the authenticated user that shared these? (something that is similar to Microsoft Word online when a user is sharing his document and offline/ guest users are able to edit it?
Thanks.
Some Update:
First of all documentation for REST API/ endpoints is chaotic. (https://github.com/OneDrive/onedrive-api-docs/issues/839)
I found out that I can get shared document via these endpoints:
GET: https://api.onedrive.com/v1.0/shares/encodedUrl/driveItem
And update shared document only if I have an access token
PUT: https://api.onedrive.com/v1.0/shares/encodedUrl/driveItem/content?access_token=accessToken
where encodedUrl can be obtained as : https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/shares_get
(check example on C# with sharing url )
So, I am still wondering how possible is to update a document without any authentication but just a share url.
I'm making an open source Node module that will require access to each user's private Google Drive files. I've been trying to wrap my head around all of these different authentication types, and have come to a road block. From what I've gathered, there are two primary types of authentication
I, the library author, provide in my library the public and private keys necessary to authenticate each user with OAuth2. This means giving them a URL to go to to give my app permission to access their data, and have them copy and paste an access code back into their terminal. I was able to run through this tutorial and get it working, but this method seems dangerous, because of the keys I have to package with my library, and unnecessarily difficult.
Have the user go to the Google API console, get their own API key, and provide that to my library through some sort of configuration file. No URL redirection, no copying and pasting, just some private credentials that only they have access to.
2 sounds a lot better to me: This library has absolutely nothing to do with me once it's in the user's hands, so it feels incorrect to have them authenticate with me. But from what I can find, the only way to do this with Google's API is to create a Google Service account, download the JSON they give you, go through a flow similar to the top comment on this blog post, and then manually give the service account email access to my personal Google Drive files. This seems hacky, and a lot of work to gain access to my own private data. Is there a better way to go about this? It seems strange to me that this fairly standard flow in other APIs is only available in Google's API through service accounts, but maybe there is a way and I'm just not seeing it. I'm fairly new to authentication, so any help at all is appreciated. Thanks!
First off I want to say that you cant release your open source project with the client id and client secrete that you created on Google Developers console this is against googles terms of service.
1.Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep
your credentials confidential and make reasonable efforts to prevent
and discourage other API Clients from using your credentials.
Developer credentials may not be embedded in open source projects.
My Answer on another question about exposing client id in open source projects.
Second you could instruct your users to use either Oauth2 or a service account or both its really up to you.
If the user will only be accessing their own data and wont need to access someone else's data then they can use a service account you will need to instruct them in how to share a folder on Google Drive with the service account. However from your side permissions can be tricky when they are uploaded the service account will own the file uploaded to the users google drive account you will need to have the service account add permissions for the user so the user will then also be able to access said file.
The easiest way to go will be Oauth2 when the code uploads files they are owned by the authenticated user so you wont have the same permissions issue you had with a service account.
I'm creating a chrome extension, I'm using chrome.identity.getAuthToken() to get the access token. I'm authenticated with firstName.lastName#company.com. I set following scopes
"https://www.googleapis.com/auth/contacts.readonly",
"https://www.google.com/m8/feeds/",
"http://www.google.com/m8/feeds/contacts/"
Header has GData-Version: 3.0 set.
I'm able to access my own contacts through https://www.google.com/m8/feeds/contacts/default/full/?access_token=...
If I try to access the domain shared contacts through https://www.google.com/m8/feeds/contacts/company.com/full/?access_token=... I get an error 403 with Your client does not have permission to get URL /m8/feeds/contacts/company.com/full/ from this server
My goal is to get an extension that is able to create shared contacts that can be accessed by everybody from the company.
Any help would be appreciated
My account didn't had the necessary read/write rights. It seems just superadmins are allowed to edit the domain shared contacts.
If I don't want to grant the user superadmin rights I would need to create a backend that takes care of the contact creation.
I would need to create a service account to impersonate superadmin level user, this account would update the contacts. All necessary information can be found here
My purpose is to provide service on my server based on Google Drive platform. The most importantly user don't need to sign in or have google account to access this service.
As developer I want to authorize my web site URL and the Google Drive that will be mine.
I went through various solution but don't get actual one.
You may want to look at this documentation about service accounts which enables your web application to interact with google servers. The docs says:
A service account's credentials include a generated email address that is unique and at least one public/private key pair. If domain-wide delegation is enabled, then a client ID is also part of the service account's credentials.