My gmail account has access to our GA platform, and I am able to query the data using a GA query tool available online. When I build a query string for a request on my own, I get the error "Login Required". Not sure where or how in the query string to put this info, or even what the credentials are.
The regular GA API requires you to login. It spits out a login box on the page, even if you are doing it server-side. If you want to be able to do this without making it do this, you can use GA superProxy
Related
I am trying to use GA4 API (with Google Python Client & Google Analytics Data Python Client) of Google with the Credentials authentication:
credentials = Credentials(
token=config['access_token'],
refresh_token=config['refresh_token'],
client_id=config['client_id'],
client_secret=config['client_secret'],
token_uri="https://accounts.google.com/o/oauth2/token",
scopes=['https://www.googleapis.com/auth/analytics.readonly']
)
This is working when my access token is not expired. However, this access token is expiring after 1 hour and I want to refresh it via following method:
credentials.refresh(google.auth.transport.requests.Request())
However, this code is returning "invalid_grant" error.
For that problem, I checked almost everything suggested (i.e. system clock/ntp, user permissions, etc.) however I couldn't fix the problem.
Also, I can't figure out about the refresh_token that I use is valid for Google Analytics 4 or not.
So, the questions are:
How can I able to solve this problem?
How can I assure that the refresh_token is valid for GA4?
If not valid, how can I refresh the refresh_token?
Is there any suggestion on the refresh of access_token, any other method or anything else?
Thanks
In my case, the solution was creating new OAuth client and generate a refresh_token for that account depend on the Google Analytics scope.
For that purpose, after I create the new client, I downloaded the client_secrets.json and run the Complete Example by Google and finally I am able to refresh the token.
I'm trying to use Google Sign-In from my web application (asp.net vb.net).
Following the tutorial that Google provides, and using Google API libraries for .NET this is an easy task.
https://developers.google.com/identity/sign-in/web/sign-in
Now the result of this approach is that I check on the client for a googleUser.getAuthResponse().id_token which is a JWT and send this to my server side code with ajax for validation and to get the payload with the Google unique user Id and other infos.
All this happens on the same page, with a popup from Google, triggered by the default button they provide in the tutorial.
What I'm trying to accomplish is to obtain the same JWT (id_token) without the popup, but actually issuing a redirect to Google, when the user clicks on a custom "Log in with Google" button.
Sadly all the example I found, even from Google itself, involve a much more complex interaction where you get a code from the server, that you then have to exchange for temporary and refresh tokens, and so on.
While the client side approach with the popup window they provide, gives you immediatly the JWT token in response, not that code to request the token, that you have to validate then (I do this with Google .Net APIs with GoogleJsonWebSignature.ValidateAsync(externalToken) and retrieve the payload that way).
Looking at the urls in the popup, what I noticed that differs from all the examples I found that serve you the "code" for token exchange, are those parameters: flowName=GeneralOAuthFlow and response_type=permission%20id_token
While the examples you find for server to server transaction all include calling Google with response_type=code
I tried tampering a bit with the popup url to let it open in a new full window, copying and modifying the url but with not much success. I'm redirected but without the id_token parameter.
Any hint would be much appreciated since I'm not able to find any documentation on response_type=permission%20id_token to query Google service.
Thanks in advance
For anyone interested... I found a solution. The url to redirect to is:
https://accounts.google.com/o/oauth2/auth?response_type=id_token&redirect_uri={0}&scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile&client_id={1}&state={2}
Where
{0} is the redirect url on your server, registered inside google console for this client_id
{1} is your Google client_id
{2} is some querystring or variable you want back to your server when the redirect happens
It works... it gives you back directly the id_token that you can verify with Google .NET APi with GoogleJsonWebSignature.ValidateAsync(id_token) and get as a result a payload (you have the payload class in Google Api .NET as well).
Only issue is that when Google comes back to your redirect url with the id_token in the querystring, it uses hash (url fragment #) so nothing is passed to the server.
There are workarounds with js to get the value and send to the server with ajax or redirect to the same page replacing the hash with ? but this is very annoying.
I imagine there are serious security reason for google to do this but from a dev standpoint is really a pain.
Instead of all those hacks i resorted to the longer way requesting response_type=code instead of the id_token, which returns a canonical querystring with ?code=...
If anyone knows how to get beck the id_token without the hash in the url it would be great.
Referencing this post
, I tried to create an access token for my Google Actions. I enabled Google sign in, and end up with a user-id. The top post says "You can combine this with a web- or app-based Google Sign-In to get their permission to access OAuth scopes if you need to access Google's APIs" but I honestly have no idea how to do that. What I'm trying to do is get an access token from Google Actions/ Dialog flow to send to my server-end code in order to make a successful API POST request to Google Calendar API.
The post you reference that points to another StackOverflow answer that discusses the approach. It basically says that you need to combine two things to do what you want:
You use Google Sign In on a web page to let the user authorize you to access the calendar on their behalf.
You probably should use the hybrid flow so the access/refresh tokens are only handled on the server side - not in your web client.
Your server will store the access/refresh tokens in some way so you can use them as part of your Action later.
You will use Google Sign In for Assistant to authenticate the user when they connect through the Assistant and determine if they have already authorized you to access their calendar. If they have, you'll be able to get their access/refresh tokens out of your store and access their calendar.
You can't do it completely through AoG/Dialogflow because there is no way for the user to grant OAuth permissions to you by voice alone - this is why you need to direct the user to a web page for them to grant you permission to access their calendar.
We're using Google and Facebook SSO allowing our users to sign up and login with these services. However, if a user signs up or logins in with either service (rather than creating a standard email login), we lose the referral source in Google Analytics -- and, instead, sign up and upgrade sources are attributed to accounts.google.com or Facebook.com. Anyone have some thoughts on a workaround?
This requires some backend work. Whenever one of your users clicks on the login button with either services, you backend should 'remember' him using a cookie or any other parameter. In that way whenever he comes back from exactly the url of your Facebook SSO or accounts.google.com you should set the GA tracker referrer parameter to the one of your site's URL. You can do this in basic js code like this
ga('set', 'referrer', 'mydomain.com');
In this way you won't see these invalid referrals anymore.
As per the querybuilder
My API URI looks:
https://www.googleapis.com/analytics/v3/data/ga?ids=ga:12134345&
start-date=30daysAgo
&end-date=yesterday&
metrics=ga:pageviews,ga:pageValue,ga:entrances&
dimensions=ga:pagePath,ga:daysSinceLastSession,ga:sessionCount,ga%3
Abrowser,ga:city&filters=ga:pagePath==/home
But when i execute in my domain, it throws error as login
required. So for that i also passed API-KEY as &key="****" to the
above url. But still no success. Still i get the same error
Am i missing something? Can i embed this results to embed-api in charts
The api key is different from the access token. If you use the Query Explorer you can check a box in the report to include the access token in the query URI, which will allow you to just paste it into your browser's address bar (note: access tokens expire after an hour).
If you want to learn how to get an access token programmatically, you should check out the OAuth 2.0 section of the Google Developers site:
https://developers.google.com/identity/protocols/OAuth2