I have an app that is protected by google-oauth (3-legged OAuth) at the nginx-level (using https://github.com/cloudflare/nginx-google-oauth). As you may know, it requires the user to be logged in or manually login to a google account using the browser.
I'd like to access this same protected app through the CLI/programatically. It's true that nginx-google-oauth provides some means that make it easy to do that: the _token_curl endpoint prints outs the headers ready to be used with curl. The problem though is that that token has an expiration date and to get it I need to be logged in or login manually to my google account.
I'm wondering if I could use a Google Service Account (2-legged OAuth) to access the google-oauth-protected app? I've searched around in the documentation (https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and from what I understood, it's only meant to access Google APIs.
Could someone shed some light on the subject? Thanks!
Just for anyone else finding this, the question was answered on GitHub and it is not supported by nginx-google-oauth:
https://github.com/cloudflare/nginx-google-oauth/issues/21
Related
I am using Google Analytics API to fetch analytics data. I tried to authenticate it using following steps:
Created OAuth client ID in https://console.developers.google.com/ credentials section.
In consent screen I had set publishing status as testing
In OAuth 2.0 Playground I got the refresh token using above generated client id and client secret
Then I am using it to generate access token through it.
But after a few days, the refresh token expires although it is mentioned that the refresh token's validity is life long.
If your app is in testing mode then user tokens will expire in 7 days. Please find this explanations here: https://support.google.com/cloud/answer/10311615#zippy=%2Ctesting
I needed to send mails from a gmail account that I have access to, using nodemailer. It works for a couple of days before my refresh token is mysteriously revoked, even though the account belongs to me. A google search brought me here and I had been watching for a while hoping someone would help with a solution.
As you mentioned, this seems to happen with only test/unverified apps and I'm guessing google revokes tokens for such applications in your account after a few days. After much trials and errors, here is what I did.
NOTE: This is solution is only applicable to accounts you own, otherwise you must verify your app to access other people's accounts
Generate a new refresh token (existing one is most likely revoked) as described in this SO post
Go to the security tab of your google account dashboard
Under the Recent security activity section, you should see a security alert for your app.
Click on the context menu next to the notification and click DISMISS
At this point you'll be presented with a dialog of options where you indicate the level of trust you have for the app. I just went ahead and said I trusted the developer/app, obviously. And that's it! The refresh token should persist after this.
I could not find anything related anywhere else.
The other answer pointed me in the right direction but for me the option was located somewhere else: security > security checkup/security issues found > context menu next to your app > dismiss
This issue seems to be for unverified apps, Simply delete the token file from your project and rerun the project, it will create a new token.
My problem was when I've added access_token instead of refresh_token.
What I did:
Go to https://console.cloud.google.com/apis/credentials/consent and change from the testing status to published.
Delete the current token file.
Authorize the API again by signing into your gmail account. You will be sent to a warning screen. From there, you can choose to proceed.
When done you'll get a new token file
The solution is to delete your token.json file to force Google to find a new token.
I was able to get it to work WITHOUT a verified app. Perhaps the refresh() method will work once my app is verified. Not sure on that one.
I use Google Sign-In in order to let my users connect their Google Calendar and related services to our web app. The problem is that if a user signs out of her connected account somewhere else, this will revoke access from our app as well.
I understand that this is primarily a user issue, but several of them still expect their Google integration with our app to work even if they are not signed in to the account in question.
Is there any way at all we can achieve this? Does Google Sign-In have something akin to a Refresh Token which will allow us to create a new session even if the user has signed out?
After trying multiple approaches, we came to the conclusion that this simply is not possible. You should NOT use Google SignIn if you need persistent access to a users profile until he/she manually revokes it. The natural choice for that is plain oauth2.
In LinkedIn API, the access tokens will be expired after 60 days, I want to refresh them in 60 days before they are expired in a console application. I viewed this document: https://developer.linkedin.com/blog/tips-and-tricks-refreshing-access-token, and I also viewed many posts in this forum, but it looks like the refresh flow is still now clear for me.
Please note that:
I need to refresh access tokens from a console application - it is not a website, it is a tool running in backend, it has no cookies and cannot open web page to ask user to login.
And if there are some sample code (not for website) that should be better, for example: C# or Java code.
You can use curl to accomplish this. For whatever programming language you use, there should be a relevant curl library.
The way this works is as follows:
You send a POST request to https://api.linkedin.com/uas/oauth/requestToken
You receive back a request token. Use that token in place of XXX in the following call: https//www.linkedin.com/uas/oauth/authenticate?oauth_token=XXX
You will receive the response you need, which includes the access token, which you need to save. It will not expire for the next 60 days.
If you could elaborate on the issues you're having, that would certainly help.
I see what you mean now. Linkedin doesn't allow you and will never allow you to do this. The reason access tokens expire is in order to add an extra layer of privacy protection for users. Linkedin would never want you to access user data if the user's aren't actively using your application. Of course, you might have a situation where no action is required on their part, that's the only drawback. Therefore, you would need to give them a reason to visit your application at least once in each token's lifetime.
I hope this helps.
This may seem like a totally idiotic question but I am looking at writing a web app/service that will utilize google's calendar API's and I needed to see if I have the ability to write to a users calendar when the user isn't logged into there google account. I couldn't find any clear documentation that illustrated whether or not I could do this or not. I pictured the authorization process something the user agrees to when they sign up for my site and then my app can go add things to there google calendar. Does anyone know if this is possible? If so, can someone hook me up with a link that illustrates how that works?
Thanks in advance
You're thinking about "logged in" wrong.
Because web connections don't persist between requests, any web-site or web-service is checking headers such as the Authorization header and/or Cookie header (depending on what authorisation method is used), with each and every request and matching the request to a user.
Hence logging in* means that the web client (browser or whatever) is set to use the details that relate to a particular user in making the request.
When you use the API, the authorisation information you send, is performing the same job. As such, when the user is using your API they are logged in through your API, whether they're logged in through a web page or other application or not.
E.g.:
My web browser is currently logged into google to an account I use for work stuff.
My mail client is logged into google calendar to an account I use for private stuff.
When I look at google calendar, I see that I don't have any calendars (I don't use it on my work account).
When I look at Thunderbird, I see my calendars.
If I peek at the traffic being sent by the browser and mail client, on both I see headers like:
Authorization: GoogleLogin auth=...stuff I'm not going to share or it would help you impersonate me
So, I'm "logged in" on Thunderbird because the code using the API logs me in itself.
Indeed, the same application can access multiple accounts and be "logged in" to all of them, as long as it has the authentication details to do so.
*Strictly, some would argue that "logged in" isn't the correct term at all, and refers to different sorts of access mechanism where there is state on the connection. Whatever about that opinion, we use the metaphor of being or not being logged in, because users understand it.
The answer to your question is yes. Use OAuth 2 and the Authorization Code flow (web server flow), with offline enabled. Store the refresh tokens (which last indefinitely until the user has revoked), and you'll be able to upload events to Google Calendar even when the user isn't currently logged in.
More info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Credits to Ryan Boyd for this note.
I am implementing Facebook login on my website. I am creating an asp.net user as well with the Facebook users details. This way I can control login in people to my site using .NET membership regardless of whether they are a Facebook user or not.
The problem I am facing now is security. When a user logs in with Facebook I am calling a webservice with their facebook details, if the user exists on the system (by their facebook userid) then I log them in. However as it stands anyone could call the webservice with someone elses facebook id and it would log them in (if that user existed on the system). Is there something that I can use to link the facebook user with my asp.net user that is only accessible to that user, such as an access token. It also needs to be something which does not change? Does facebook send back such a thing in the response object?
Any help or suggestions are much appreciated.
Thanks
Yes, we can get that profile data from Facebook. Using that requestAccessToken Url you can get that access token.
requestAccessTokenurl="https://graph.facebook.com/oauth/access_token?client_id={0} redirect_uri={1};client_secret={2};code={3}"
Also we can get the Profile Data using this access token
requestProfileUrl="https://graph.facebook.com/me"
please see this link- http://easyoauth.codeplex.com/
you can download the source code also :)
We have implemented for Facebook, Twitter, LinkedIn, Google using this framework. It is very straight forward. I can help you how to do this.
Thanks