I've created 2 calendars using service accounts (tried both with a service account key locally and with the default service account running in Firebase Functions).
When I try to add an event in one calendar and invite the other calendar I get a 403 from the calendar API:
'Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.'
I have calendars created like this aprox. 6 months ago and they can add atendees, what am I doing wrong?
PS: I don't have any "real" user emails involved, I just want to control the calendars created on the service account user. Also, no G Suite domain, it's just a Firebase app.
Thank you in advance!
Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.
Means exactly that in order for a service account to invite attendees to an event the service account must have be authorized to the domain using Domain wide delegation.
Yes this means you need to have a gsuite account. It does not work with standard accounts. You will need to use Oauth2 if you dont have a gsuite account.
Related
Do you have to use the service account email address that is given to you or can you use an existing email address that is connected to the accounts you have access to?
service account credentials are a specific type of credentials created on google cloud console and are used to denote your application. Service accounts also allow for pre-authorized Access to private under data by in the case of google analytics adding the service account email address as a user in google analytics.
No you can't use a standard gmail user account as a service account.
You would need to use oauth2 to request consent of the owner or user of the google analytics account to access it.
I've been looking into Google Calendar API as a way to manage calendar/event information for my application. It looks like Google Calendar API is setup to connect to a Google user's account. After you have access to the user's account you can add/update/manipulate calendar and event information. I want this same functionality but on a "user account" that is virtual.. not owned by a real user but an account created specific to my application to use. Is this possible?
The docs mention Google will show a consent page to the user to integrate with the users calendar, how would I go about coding the authentication for my calendar if I (the application) owns the account and calendar?
You could use a service account, which will belong to a project in your dev console, and you can give it credentials to access its own calendar.
See Using OAuth 2.0 to Access Google APIs
I am currently writing an online-booking-module and I want to store events (beside in the database) in a owned google-calendar (this calendar is then added to the responsible employee in outlook).
My idea was just to give the API my auth-data and the calendar-id and then being able to insert and delete events.
The calendar must be private, not public!
Now I see it is more designed to access user's calenders getting their permission etc...
Answer:
Yes, you can authenticate the application as yourself and add the events to a private calendar owned by you.
More Information:
Once the application has been published and contains your credentials and token, there will be no issue running the Events add Calendar API method as you, regardless of who runs the program.
Other option:
Alternatively, you could create a Service account to impersonate your account and run the calendar API queries, though you would need to provide the Service Account with access to your private Google Calendar.
References:
Google Calendar API - Events: insert
Authorizing Requests to the Google Calendar API
Google Developer Admin Console
Google Cloud - Service Accounts
Understanding Service Accounts
Creating and Managing Service Accounts
Creating and Managing Service Account Keys
Granting Roles to Service Accounts
I want to be able to access other users Google Calendars through a service account so I am not prompted for authorization. I am doing this in a simple .net c# console app. When I attempt to create my credentials in the Google API Manager, it gives me the following alert when I specify I am using a non UI app and I want to access User Data. Isn't the purpose of using the service account to access other users data without a UI?
"User data cannot be accessed from a platform without a UI because it requires user interaction for sign-in."
You may have misunderstood the meaning of using a service account to impersonate a user. To help you with Authentication, you might want to check this tutorial : Google Calendar API Authentication with C# by Daimto.
Things to take note of :
To be able to access other calendars by service account, users who own the calendar should share it to the service account.
To impersonate a user, you must know the email address.
From the tutorial:
If you are only accessing data that you own there is no reason to ask a user for permission to access it. You can use a Service account. (Privacy)
If you want to be able to access data owned by someone else you will need to be authenticated.
Hope this helps!
I have built a web application that uses a service account linked to my own Google Account. We use Google Apps, so my Google Account is part of a domain. We have a server with shared contacts, so all of our clients are available as contacts for everyone. In my contacts, this group is called 'directory'.
The application retrieves events from the Google Calendar using the Google Api PHP client. It also retrieves attendees inlcuding all details for those attendees. But if the attendee is not within our domain, it will only retrieve the e-mail address. I also want to get the name for that attendee.
These names are in my contacts in the directory group. When I create an event and invite guests, I can retrieve these contacts and it will show the name and mail adress. But when retrieving the attendees via the API it does not show these names.
Is this a restriction of the API? Is there a solution for this?
I do not want to use the Contacts api with a non-service account, because I don't want to give permission everytime. It is not possible to use the Contacts api with a service account as far as I know.
You are correct that a service account won't work with the Contacts API, however you don't have to authorize it every time you use it. You can provide domain-wide delegation with two-legged OAuth 1.0a instead of 2.0. See https://developers.google.com/google-apps/contacts/v3/index#authorizing_requests_to_the_+wzxhzdk8+_service and https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth.
Depending on your setup, you can also use the three-legged OAuth 2.0 flow for a single administrator account and save the refresh token. This would let you re-use that authorization without requiring explicit permission again.