In my web app I need to add freebusy read permission for my service account to the primary calendar of gmail addresses provided by users.
How do I do that?
Delegate domain-wide authority to your service account
From your domain’s Admin console, go to Main menu menu > Security > Access and data control > API controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the client ID obtained from the service account creation steps above.
In the OAuth Scopes field, enter a comma-delimited list of the scopes required for your application. Use the scope https://www.googleapis.com/auth/calendar for full access to the Google Calendar API.
Click Authorize.
Related
I've been looking into Google Calendar API as a way to manage calendar/event information for my application. It looks like Google Calendar API is setup to connect to a Google user's account. After you have access to the user's account you can add/update/manipulate calendar and event information. I want this same functionality but on a "user account" that is virtual.. not owned by a real user but an account created specific to my application to use. Is this possible?
The docs mention Google will show a consent page to the user to integrate with the users calendar, how would I go about coding the authentication for my calendar if I (the application) owns the account and calendar?
You could use a service account, which will belong to a project in your dev console, and you can give it credentials to access its own calendar.
See Using OAuth 2.0 to Access Google APIs
I am currently writing an online-booking-module and I want to store events (beside in the database) in a owned google-calendar (this calendar is then added to the responsible employee in outlook).
My idea was just to give the API my auth-data and the calendar-id and then being able to insert and delete events.
The calendar must be private, not public!
Now I see it is more designed to access user's calenders getting their permission etc...
Answer:
Yes, you can authenticate the application as yourself and add the events to a private calendar owned by you.
More Information:
Once the application has been published and contains your credentials and token, there will be no issue running the Events add Calendar API method as you, regardless of who runs the program.
Other option:
Alternatively, you could create a Service account to impersonate your account and run the calendar API queries, though you would need to provide the Service Account with access to your private Google Calendar.
References:
Google Calendar API - Events: insert
Authorizing Requests to the Google Calendar API
Google Developer Admin Console
Google Cloud - Service Accounts
Understanding Service Accounts
Creating and Managing Service Accounts
Creating and Managing Service Account Keys
Granting Roles to Service Accounts
Referencing this post
, I tried to create an access token for my Google Actions. I enabled Google sign in, and end up with a user-id. The top post says "You can combine this with a web- or app-based Google Sign-In to get their permission to access OAuth scopes if you need to access Google's APIs" but I honestly have no idea how to do that. What I'm trying to do is get an access token from Google Actions/ Dialog flow to send to my server-end code in order to make a successful API POST request to Google Calendar API.
The post you reference that points to another StackOverflow answer that discusses the approach. It basically says that you need to combine two things to do what you want:
You use Google Sign In on a web page to let the user authorize you to access the calendar on their behalf.
You probably should use the hybrid flow so the access/refresh tokens are only handled on the server side - not in your web client.
Your server will store the access/refresh tokens in some way so you can use them as part of your Action later.
You will use Google Sign In for Assistant to authenticate the user when they connect through the Assistant and determine if they have already authorized you to access their calendar. If they have, you'll be able to get their access/refresh tokens out of your store and access their calendar.
You can't do it completely through AoG/Dialogflow because there is no way for the user to grant OAuth permissions to you by voice alone - this is why you need to direct the user to a web page for them to grant you permission to access their calendar.
I want to be able to access other users Google Calendars through a service account so I am not prompted for authorization. I am doing this in a simple .net c# console app. When I attempt to create my credentials in the Google API Manager, it gives me the following alert when I specify I am using a non UI app and I want to access User Data. Isn't the purpose of using the service account to access other users data without a UI?
"User data cannot be accessed from a platform without a UI because it requires user interaction for sign-in."
You may have misunderstood the meaning of using a service account to impersonate a user. To help you with Authentication, you might want to check this tutorial : Google Calendar API Authentication with C# by Daimto.
Things to take note of :
To be able to access other calendars by service account, users who own the calendar should share it to the service account.
To impersonate a user, you must know the email address.
From the tutorial:
If you are only accessing data that you own there is no reason to ask a user for permission to access it. You can use a Service account. (Privacy)
If you want to be able to access data owned by someone else you will need to be authenticated.
Hope this helps!
I have built a web application that uses a service account linked to my own Google Account. We use Google Apps, so my Google Account is part of a domain. We have a server with shared contacts, so all of our clients are available as contacts for everyone. In my contacts, this group is called 'directory'.
The application retrieves events from the Google Calendar using the Google Api PHP client. It also retrieves attendees inlcuding all details for those attendees. But if the attendee is not within our domain, it will only retrieve the e-mail address. I also want to get the name for that attendee.
These names are in my contacts in the directory group. When I create an event and invite guests, I can retrieve these contacts and it will show the name and mail adress. But when retrieving the attendees via the API it does not show these names.
Is this a restriction of the API? Is there a solution for this?
I do not want to use the Contacts api with a non-service account, because I don't want to give permission everytime. It is not possible to use the Contacts api with a service account as far as I know.
You are correct that a service account won't work with the Contacts API, however you don't have to authorize it every time you use it. You can provide domain-wide delegation with two-legged OAuth 1.0a instead of 2.0. See https://developers.google.com/google-apps/contacts/v3/index#authorizing_requests_to_the_+wzxhzdk8+_service and https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth.
Depending on your setup, you can also use the three-legged OAuth 2.0 flow for a single administrator account and save the refresh token. This would let you re-use that authorization without requiring explicit permission again.