Google MBA Service Account get all locations - service-accounts

My company owns several (verified) facilities and using my company's email i can see those locations (business.google.com).
Now, my company would like to fetch the reviews in each location and present it in our company website. Before we're using the Google Place API but since it only returns the latest 5 reviews we opt to using Google My Business API to retrieve a location's complete reviews. We'd like our backend (PHP) to retrieve the reviews so using the same email I created a service account (console.developers.google.com/apis/credentials) because we don't need the end user to allow/interact anything when browsing our website.
Using postman (with my signed JWT) I have managed to get a valid access token
...that I use to retrieve the lists of accounts (mybusinessaccountmanagement.googleapis.com/v1/accounts) I could see the service account itself alone in the response.
Now, I tried calling the account locations api (mybusiness.googleapis.com/v4/accounts/{MY_ACCOUNT_ID_HERE}/locations) but it only returns and empty object response.
Can someone help me resolve this issue. Why my service account can't see the verified locations under my company's email. Is this even possible? Thank you.

Even that this is an older question - I run into the same issue calling the new Google My Business Information v1 API (getting empty results) using a service account.
It seems, that it is not recommended to use Service Accounts, I found this support article on Google: https://support.google.com/business/thread/8281160/cannot-get-access-to-gmb-locations-with-service-account-with-nodejs?hl=en
The "official" recommendation is to use OAuth.
But we finally made it using Service Account. The following steps are necessary to resolve it (at least for us it is working now):
Add a project in Google Cloud Platform
Add and enable the Account Management and Business Information API's.
Add the service account and generate a key (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
Make the Business Profile API request (you need the approval made by Google to be able to make requests against the two API's; otherwise you may run into quota exceeds as "Request per minute" is set to 0 by default). Important: It may take up to 2 weeks until, but we received the approval within about 5 days
Enable domain-wide delegation for the service account using the scope "https://www.googleapis.com/auth/business.manage". More about domain-wide-delegation: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)
Add a user identity in GCP. This user also needs to be added in Google My Business for editing locations. When creating your ServiceAccountCredential object, impersonate this user.
Security concerns:
Domain-wide-delegation enables that everyone knowing/having the credentials of the service account could impersonate any person (identity) from withing GCP. At least in this case only for Business Profile API, but anyway, keep this in mind.
Also using private keys for authenticating the service account is not recommended, you should be aware to regularly change / create a new private key or there would be a solution with Identity Workload.
Hope this helps everyone facing the challenge with GMB / GCP / service accounts :-)

Related

Multiple tokens (for multiple services) for single user in mobile application

I am making a hybrid mobile application, using Ionic and Cordova, for which I would like to give the user the possibility to sign up/log in with Facebook, G+, Linkedin and Instagram, and email account. I would indentify everyone by their email (to check if it's the same person, it is not a pk in the database but just an index).
I have been looking around for information about OAuth2 and looking into the documentation for the services APIs. I have understood what I have to do in the front, but I have some questions on the whole process:
[BACK] How do I check the tokens provided by the services APIs? Let's say when a user logs in with Facebook, I get a token which is stored in the user's phone. Then, on every HTTP request, I have to attach the JWT to verify the user indentity. How do I verify it? Against what do I have to test it?
I want to be able to get information from the user's G+ account but also the user's Linkedin account (example). How do I manage this properly?
Do I just store both (or more) tokens (in local storage) and use them to authenticate? I want to do this as my app will have "friends lists", so the user will be able to log into external services and the app will get the user's friends/contact list from those apps.
As of now, I think about including an auth_method field in my database to store available authentication methods (a JSON string or something like that), and just add four fields (one for each service) default null where I would store the token created for the user.
I can show you my code but it do not think it would help as these are more of theory and not specific to a language.
Thank you for all the help!

Possible to "swap" OAuth2 Gmail API scopes?

We have an app in the Google Apps Marketplace that currently uses the Email Settings API:
https://apps-apis.google.com/a/feeds/emailsettings/2.0/
We use this to get a user's email signature.
This is being discontinued later this year, so we now want to move to the Gmail API and use this scope:
https://www.googleapis.com/auth/gmail.settings.basic
We already have the Gmail "compose" scope, however this doesn't allow us to retrieve the signature.
We have over 250 businesses using our software and changing the scopes within the Marketplace SDK will trigger an enormous amount of stress / effort / confusion if end-customers have to re-authorise our App. We'd prefer not to inconvenience the end-customer when we're essentially asking for capabilities that are lesser than what we already had through the old Email Settings API.
Is there any way we can just "swap" and downgrade scopes, or add the new scope without customer intervention? Google have done similar things in the past with deprecated APIs.
EDIT: in case it matters, we're accessing the Gmail API using a service account so we can access the details of any user like we could with the Email Settings API.
(If the answer is "no", I'm hoping an official Google person will see this and take this idea away for consideration. Alternatively, allow us to retrieve signature settings with the "compose" scope since appending a signature to an email you're sending is a genuine use-case.)

How do I send email from a domain account when the domain was added using the NEW console on App Engine?

Here's the situation: I have successfully set up email to come from a custom domain on App Engine before, but that was always done through the Google Apps for Business set up process. This time I have added the custom domain through the new developers console instead (https://console.developers.google.com/project/[APP_ID]/appengine/settings/domains) and now I'm getting the "unauthorized sender" error every time.
I've tried a lot of variations on the set up process, checked for typos or other potential bugs repeatedly, and scoured both the docs and Stack Overflow without finding an answer. Most of the docs and answers that come up seem woefully out of date. The docs hardly ever reference the new developer console or the fact that Google Apps for Business doesn't have a free tier any more. And most of the answers seem to ignore the fact that the docs (https://cloud.google.com/appengine/docs/python/mail/sendingmail) explicitly state that "Domain accounts do not need to be explicitly verified, since you will have verified the domain during the registration process."
So has anyone actually gotten domain accounts to work with the new process? Do I have to modify DNS records? DKIM? Something else I'm missing? Any insight would be much appreciated.
As stated in the docs:
For security purposes, the sender address of a message must be the
email address of an administrator for the application or any valid
email receiving address for the app (see Receiving Mail). The sender
can also be the Google Account email address of the current user who
is signed in, if the user's account is a Gmail account or is on a
domain managed by Google Apps.
So only logged in Google accounts or admin (owners in the new console) addresses can be used to send emails through GAE. If you want to use a set of custom domain addresses you can either:
1) Add and validate all those addresses as owners in the project's "permissions" settings.
2) Use as external party to send your emails through a Web API, EG Sendgrid which gives you 25.000 emails/month for free for GAE developers (https://cloud.google.com/appengine/docs/python/mail/sendgrid)

Google API service account in Angular app

This sounds like a popular scenario, but I can't find direct answer nowhere...
I want to plot Analytics data in my app's admin area.
This area is used by multiple users of the company, and they have to authenticate to access this area. I plan to use GA service account, but 'browser-key/domain' option seems only available for public api.
Can I use server auth (through node API), get the token, and pass it to user while logging in? Will the token be valid? Can I have multiple valid tokens simultaneously for all the users?
Or maybe there is some other way to do it?
Okay, I've tested it myself and the answer is:
YES, you get universal (max 60min) token with every request - so you can have many of them, and dispose to you client-side apps as needed.
I have now embedApi widget in my Angular.js dashboard for every user, without login.

Accessing Gmail emails through google app engine

How to get the e-mail contents by getting the user's login details in google app engine?
Try taking a look at the GMail API. You'll probably want to use OAuth.
https://developers.google.com/gmail/
This is exactly what I'm doing in my current project. Google App Engine Blog introduced a company named "Context.IO" and they provide very easy API to access GMail. I've implemented it in my project successfully.
Links
GAE Blog
Demo (You can look for a contact, and get all its emails...)
My Experience
They also provide a Explore feature that allow you to post and get json data from your gmail accounts.
However, if you registered for a free API key here, they will limit to 3 mailboxes per day. You can run a cron job to delete it daily. The nice thing is that you can contact them to get more mailboxes for development purposes :)
Hope my experience can help you
You can also use google service account. https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount
Then you can use it in order to get access to account under your domain.
$client = new Google_Client();
$client->setApplicationName('My App');
$client->setAuthConfigFile('path/to/service_account.json');
$client->useApplicationDefaultCredentials();
// account that we want to check
$client->setSubject('account#mydomain.com');
$client->setAccessType('offline');
$client->setScopes([Google_Service_Gmail::GMAIL_READONLY]);
$service = new Google_Service_Gmail($client);
$messagesResponse = $service->users_messages->listUsersMessages('me');

Resources