Call Google Glass Mirror API using service account - google-mirror-api

I need to create a (demo) application for Google Glass with a simple user interaction: insert a card on Glass and get a response back to the application.
I think this can be done by using the Mirror API.
This application is not a web application so I think I need to use a service account.
I have created an API project on the Google APIs console https://code.google.com/apis/console/ and enabled the Google Mirror API.
After that I created a new client ID with application type "service account" (calls Google APIs on behalf of your application instead of an end-user; more info at https://developers.google.com/accounts/docs/OAuth2#serviceaccount).
The result is a client id, email address and public key fingerprint and a P12 key with password.
The problem is that I cannot find an example how to do the service account authentication and for example a card insert.
Any ideas? The used programming language is less important...
See also Can I use OAUTH2 Service Accounts with Glass Mirror API? but unfortunately without an answer.
Edit:
From the answer below I understand I cannot use the service account for this.
Is it then correct that I always need a web application where Google Glass has a callback url so data can be send from Glass to the application?
We develop a Warehouse Management System where the operator in the warehouse uses a voice client (like http://www.epf-gmbh.de/bilderorg/talkman_joe.jpg) that communicates with the server. The server sends commands to the client and the operator can send voice commands back to the server.
For demo purposes I would like to replace the voice client with Google Glass.
Edit 2:
Something like this: http://youtu.be/kbcskj4yAvo

You cannot do timeline operations with a service account. Most Mirror API operations (on the Timeline, Contacts, and Subscriptions) require a user's account since these operations must be done on behalf of the user in order to correctly identify which Glass will be used.
Update:
Your followup questions don't exactly relate to the authentication question, and they may be better asked in a new question, but two quick points:
Yes, when working with the Mirror API if you want to get information from Glass into your server you'll need a webapp which can take callbacks. You'll be registering this as part of a Subscription.
The example you pointed at uses the GDK, not the Mirror API.

Related

How do I authenticate users of a web-app to access GCP data relevant only to them?

I have spent 3 days researching this problem and cannot find a solution or similar use case that shows how to solve the problem, so any pointers would be greatly appreciated.
I am creating a web-app that uses Google Cloud Storage and Bigquery. A user registers on the web app and then can upload data to Cloud Storage and Big Query. Two users could be from the same company and therefore should be able to view the same data - i.e. Jack and Jill work for company A and if Jack uploads a massive dataset via this app, Jill should also be able to view it later.
Another scenario will be I have two completely separate clients with users using this web-app. If users from Company A upload data, users from Company B should not be able to view Company A's data, and vice versa. But users from the same company should be able to view the data within their company.
Currently, I have an app that works for a single company. This has a React front-end that uses Firebase for authentication. Once the user is logged in, they can use the app which sends off API calls to a Flask back-end that does some error checking and authentication checking and then fires off an API call to GCP. This uses a service account and the key is loaded as an environment variable in the environment in which the Flask app is running.
However, if Company B want to use the app now, both Company A and Company B will be able to see each other's data and visualize it through the app. In addition, they will be sharing a project (I would like to change this to allocate billing more easily to have each client have their own project).
I ultimately want to get this app onto Kubernetes and ensure that each company is independent of each other, however, do not want to have to have separate URL's for every company using the app. Also, I want to abstract GCP away from the client. I would prefer to authenticate a user based on their login credentials and then they will be given access to their GCP project (via my front-end) accordingly.
I thought about perhaps having separate service keys for each client and then storing the service key info in Firebase, while using the respective keys for API calls but not sure this is best practice. It is however the only strategy I can think of.
If anyone could provide some help or guidance it would be very much appreciated. This is my first GCP project and have not been able to find any answers on GCP, SO, Google Groups, Slack or Medium.
Thanks,
TJ
First if all, welcome on GCP! It's an awesome platform, very powerful and flexible. But not magic.
Indeed, the use case that you describe is specific to your business logic. GCP provides told for securing access for user and VM(through service account) but not for customer. Here you have to implement your own custom and authorisation logic, with a database (I don't recommend bigquery for website, the latency is too high) to list three users, the companies where they work, the blobs of each company...
Nothing is magic and your use case specific.
If you want to discuss more about which component to use and to start, no problem. Let a comment.

Desktop client flow for MicrosoftAccount access to Azure Mobile Service API

I have followed Adrian Halls book to create a cross platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1. and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As I known, MSA authentication uses the Live SDK for signing users.
Since Live SDK is deprecated, you could leverage OneDrive SDK for CSharp for logging with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then Register your app with Microsoft Account.
Then you could follow the code below and add to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat - and here is summary from the top of my head - There two security libraries currently in play for authorization- ADAL, and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handle separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the last info in creating a mobile application, and this article on a V2 endpoint.
When you register an application for Authorization - there are two categories a "Converged" application, and a "Live SDK application" ( see https://apps.dev.microsoft.com/#/appList) - why they would choose these names is beyond me to understand. IMPORTANT Translation - Converged application ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about month old - HTH

Showing Google Analytics Data in real time

I would like to show number of visitors on a site since beginning of the month, number of users on the current day and currently on site.
I have Google Analytics installed, I tried to solve this issue with Embed API by enabling Google Analytics API from developer console - but I requires user authorization, etc.
What would be the easiest way to show analytics on-site without user authentication and accepting access by Embeded API, etc. Application is written in Angular, so Javascript API is the one I look for.
Thank you for any suggestion.
Authorization has to happen in order to get the data you want. Either you can let visitors to your site authorize themselves, or you'll have to authorize server-side on their behalf.
Once authorized, you can do something similar to what the Third Party Visualization Embed API demo shows. It uses a custom ActiveUsers Embed API component and includes the source code to show how it works.
Whether you use the ActiveUsers component or not, the basic gist is that once the users is authenticated via the Embed API, you have access to the method gapi.client.analytics.data.realtime.get, which you can use to query this data.
Here's where that happens in the source code for the ActiveUsers component:
https://github.com/googleanalytics/ga-dev-tools/blob/master/src/javascript/embed-api/components/active-users.js#L69-L87
Authentication with the Analytics service is mandatory. But the OAuth 2.0 Service Accounts (for Server to Server Applications) can be used to automate it in many cases.
It's unclear to me (from a quick scan) if the Auth options of the Embeed API would work with the automated authentication scheme, you may want to go through the details.
You should be able to use the Analytics Core Reporting API and maybe the Analytics Real Time Reporting API (beta) which work with the automated authentication according to their guides (look for the Authorisation sections on the left frames of the respective guides).
Donno if this qualifies as easy, tho, YMMV :)

Using the Google Users Service with jQuery Mobile

I was wondering what would be a better way to let my jQuery Mobile app "know" the user of the app after completing a registration process.Since the handlers in my Python Google App Engine app expect a username, i decided to store the username in localstorage and then use this as part of any request made to the server.But i don't think this is a good design idea (?).After a lot of search, i have found that jQuery Mobile does not support Google login (Please correct me if am wrong) So i have decided to use the Users Service from the server end.I am confused on how to implement this, since the users service from Google has it's own sign-in form.
Is it possible to use this same service with jQuery? If so, can i change the design of the sign-in form to blend in with the design of my jQuery app?
jQuery Mobile is just a template designer created directly for mobile web applications using a mobile web browser. It does not possess any connections with server side scripting automatically.
You need to create a connection using server side scripting.
Once you login in using the Google Login, your app associates it with the Google account.
jQuery is just a browser scripting. It does not have an automatic connection with the server unless you connect using AJAX to request to a server, but still need to code the server using HTTP protocol (as a tunnel) and server side scripting language like Java, Python, or PHP.
If you just want to get the "username" using a javascript, you may use REST to get the user information after login. You may look for how JSON or XML REST is created (but putting the username on local storage is not a bad option, without the password, however it may get deleted if you clear the root), but knowing that you are already connected with Google Sign in, just as long as you are already logged in with Google, your app should be able to retrieve the Google username.
Udacity also contains a complete course about web development focused on Google App Engine using Python, and how you may use cookies, password encryption, as well as user login. A detailed information about HTTP protocol is also discussed.
https://www.udacity.com/course/cs253
Note that the course I took existed 2 years ago. It may be different now.

Adding Instant Messaging (possibly XMPP) to my website on AppEngine (without using Google Login IDs)

I have developed a dating website built on top of the Google App Engine, to which I would like to add instant messaging, and possibly/probably audio and video conferencing.
Given that the users on the website do not want to share their personal details or real contact information, I am handling all of the login information and sessions without assuming that the clients have (or even want) a google account ID or any other login that is associated with their real identity.
I would like to hear suggestions on how I could go about adding instant messaging to my website given that I cannot just directly access Google Talk or some other existing service.
Would it make sense to use XMPP for this, and if so will Google Talk or any other XMPP service provider allow me to register new user accounts without manual intervention (ie. after a user is registered on my site, automatically register them with the XMPP provider)? Or, if not, perhaps I can use a single google ID with Google Talk with a different resource identifier for each user (me#google.com/user1, me#google.com/user2, etc...), and send messages between the different resources? Could this work, and/or would having thousands of simultaneous connections to a single account get me banned from Google Talk?
Perhaps some kind of AJAX based solution might make more sense given the fact that users are already registered on my website, but are not registered for an XMPP service?
Any suggestions about how I might approach this problem would be greatly appreciated.
Kind Regards
-Alexander
Text chat is the easier problem. You can do either with or without XMPP. Without XMPP, you'll be building a Facebook chat type client on your pages that sends messages from each user to the app, and the app then shows then on the recipient's screen.(The client can be polling, or use comet when it comes out). Check out olark to see how this works.
Once you build code to use the app as a switchboard that routes the correct message to the correct person (anonymously, maybe), you can port this easily to XMPP if you require. Both parties add you.dating.site#appspotchat.com to their buddy lists, and you send all messages from girl#site.com to guy#site.com and vice-versa. (assuming a heterogeneous site.)
Audio and video, I have no clue how to do without sharing details between the parties :-/

Resources