Use custom account instead of service account in Google API - google-app-engine

I am trying to connect to Google Drive from my App Engine code. But it requires Client code. Google App engine generates Client code (P12 key) only for the service account. But I want it for a technical user we have created.
How can I do that?

If the "technical user" you are referring to is a #gmail account, then your only option is to do the OAUTH dance once to obtain a oauth token and refresh token. You have to create a "Client ID for web application" to do this. Once you have the auth and refresh token, you can connect as your "technical user" to Google drive.
If the "technical user" you are referring to is a Google Apps account, then you can authorize the consumer key/secret related to the service account in the Google Apps control panel with the required Drive scopes. You will have to indicate in the API call what user (i.e. the technical user) you want to impersonate when you connect to Google Drive.

Related

When should I select openid or email as scope in msal.js executin in browser

I have an entirely client side web page that makes ajax calls to Microsft ASP.NET Core client REST services. Both this UI application and the web service are registered in Azure ActiveDirectory tenants. I have successfully used another ASP.NET Core app registered in the directory to do user authentication and then request a JWT token for the web service and authenticate against that. Nowhere is the ASP.NET Core Authentication code did I have to specify scopes anywhere. If I wanted to call the graph API, I requested a token for https://graph.windows.net and used that.
Looking at this sample, which I made work in my AD, requesting a token for 'user.read' seems to be necessary. However, other samples just use ['openid'] or ['openid', 'email']?
I know that user.read is the AzureAd pernmission to read my entire user profile with the graph api. Does that imply whatever openid and email gives me?
The openid and email scopes are used in Azure AD v2 applications to get access to different info. They are not needed in v1 applications.
Quoting from documentation:
If an app performs sign-in by using OpenID Connect, it must request the openid scope. The openid scope shows on the work account consent page as the "Sign you in" permission, and on the personal Microsoft account consent page as the "View your profile and connect to apps and services using your Microsoft account" permission. With this permission, an app can receive a unique identifier for the user in the form of the sub claim. It also gives the app access to the UserInfo endpoint.
And about the email scope:
The email scope can be used with the openid scope and any others. It gives the app access to the user's primary email address in the form of the email claim.
User.Read is a scope for the Microsoft Graph API. Actually the fully qualified form is https://graph.microsoft.com/User.Read. But MS Graph API is a special case :)

Server-side OAuth for user impersonation via GMail API

I am trying to perform server-side OAuth so I can use a specific user account in my domain to send emails (hence using GMail API) via my application.
Mine is a purely server-side app and I cannot perform "user consent" via a UI.
I have created a project in Google App Engine and have obtained service account credentials (P12 key).
My code looks like this -
new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(googleEmailerServiceAccountId)
.setServiceAccountPrivateKeyFromP12File(new File(googleEmailerServiceAccountPrivateKeyLocation)).setServiceAccountScopes(Collections.singleton(GmailScopes.GMAIL_COMPOSE))
.setServiceAccountUser("xxx#xxx.com")
.build()
I have delegated domain wide access to the application (for GMAIL COMPOSE scope) via the admin console as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount.
And I still get an Unauthorised 401 when I try to send emails from my app.
Since there is no explicit documentation for the Gmail API that says it allows domain wide delegation, I am guessing it is not allowed for Gmail.
Is there any way of achieving this programatically?
Any idea would be much appreciated.
Thanks!
As far as I know you cant use a service account with Gmail. Service accounts must be pre authorized.
Authorizing Your App with Gmail
All requests to the Gmail API must be authorized by an authenticated
user. Gmail uses the OAuth 2.0 protocol for authenticating a Google
account and authorizing access to user data. You can also use Google+
Sign-in to provide a "sign-in with Google" authentication method for
your app.
Share a Google drive folder with the Service account. Add the service account email as a user on a google drive folder it has access
Share a Google calendar with the service account, just like any other user.
Service accounts don't work on all Google APIs. To my knowledge you cant give another user access to your Gmail so there will be now to pre authorize the service account.
Recommendation / work around / hack
Create a dummy app using the same client id, authenticate it get the refresh token then use the refresh token in your application.

Trying to understand if I need to give domain-wide authority to my appengine service account so that it can access data on Google Drive

I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shutdown on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user#xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further user#xyz.com is an owner of my appengine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user#xyz.com

UserName in Google Provisioning api

i am developing an app.i am using google provisioning api in this app.in documentation it is mentioned that for getting information related to a user account we have to pass a parameter userName in url
GET https://apps-apis.google.com/a/feeds/domain/user/2.0/userName
i am logged in an application i can get his email address ,his Id using basic profile info api (https://www.googleapis.com/oauth2/v1/userinfo?access_token={accessToken})but how to get userName of the logged in user .please some one help!!
Google provisioning API is only available to Google Apps user (Google Apps domain user), not for personal account. 2Legged Oauth1.0 should be used on authentication, Not Oauth 2. Not clear about what's your situation.

Google App Engine authorization with Google Apps Domain

I have successfully followed the examples to gain an AuthSub token to authorize my GAE application to have access to the user's Google Calendar.
I have added the domain parameter to the method gdata.auth.generate_auth_sub_url so that the application is authenticated against a Google Apps Domain user. The app is then installed in one of our test domains.
This is working fine, however, each user in the domain has to go through the process of authorizing the app to use the calendar. In other Marketplace Apps that I have tried, this authorization is done once for the whole domain when the app is installed.
How is this achieved?
This page describes how Marketplace apps can access the gdata APIs on a user's behalf.

Resources