I've set up oauth and am properly retrieving an access token.
Here is the response I get from hitting
https://www.google.com/accounts/AuthSubTokenInfo?access_token=<token>
parsed_response="Target=645428735890.apps.googleusercontent.com\nSecure=false\nScope=https://www.googleapis.com/auth/userinfo.profile\nScope2=https://www.googleapis.com/auth/userinfo.email\nScope3=https://www.googleapis.com/auth/glass.timeline\nScope4=https://www.googleapis.com/auth/glass.location\n"
which I believe properly shows that I have requested the correct permissions.
A call to
https://www.googleapis.com/mirror/v1/timeline?access_token=<token>
yields:
"errors"=>[{"domain"=>"usageLimits", "reason"=>"accessNotConfigured", "message"=>"Access Not Configured"}]
Having trouble figuring out what this means. I don't have an actual piece of glass hardware. The docs make it seem like this access token would allow me to make any requests to the mirror api.
Is there an additional setup or permission I need to ask for that I missed? On the application side? Is this related to my google account and having not set up glass?
EDIT:
Okay, from the authorization docs:
Select the Services tab in your API project, and enable the Google Mirror API.
However, I'm not seeing Google Mirror API listed on the services tab?
The Mirror API is currently in developer preview and access is limited to I/O Explorers who have received their Glass device. You can subscribed to this issue on our issue tracker to get updates on when the Mirror API will be public.
Related
I am work on a web application as an interface with Google Cloud Storage(GCS).
I am using a backend service to retrieve the list of files I stored on GCS and their URL with the JSON API and return that to my web application. However, I was not really able to load the files through those URL, which always came back with 403 forbidden.
I am not sure how GCS authentication work behind the scene and whether it is possible to directly grant access to web application. I am not sure how could I attach application authentication information via http request. What I know is I can do that via the backend service but for the reason of simplicity I wonder if it is possible to get around with that. One of the thing I tried is adding the web application domain(which will be sent via referrer in http request) into ACL to that bucket, which doesn't work at all.
And thanks to what #Brandon pointed out below. I am ok to grant anyone whoever have access to the application to view the content of the GCS since it is an internal app and I have already checked their authentication when I first serve the web application.
====
Solution
I ended up using the signedUrl that expire in 5 minutes and I highly recommend interact with gcs using gcloud (Their python document is really good). Thanks again for the thorough answer!
You have a user on a web browser who wants to download an object that only your application's service account has read access for. You have a few options:
Expand access: make these object publicly readable. Probably not the best choice if this info is sensitive, but if it's not, this is the easiest solution.
Give your app's credentials to the user so that they can authenticate as your app. This is a REALLY bad idea, and I probably shouldn't even list it here.
When a user wants to download a file, have them ask your app for it, and then have your app fetch the file and stream its contents to the user. This is the easiest solution for the client-side code, but it makes your app responsible for streaming file contents, which isn't really great.
When a user wants to download a file, have them ask your app for permission, and reply to them with some sort of token they can use to fetch the data directly from GCS.
#4 is what you want. Your users will ask your app for a file, your app will decide whether they are allowed to access that file via whatever you're doing (passwords? IP checks? Cookies? Whatever.) Then, your app will respond with a URL the user can use to fetch the file directly from GCS.
This URL is called a "signed URL." Your app uses its own private key to add a signature to a URL that indicates which object may be downloaded by the bearer and for long the URL is valid. The procedure for signing URLs is somewhat tricky, but fortunately the gcloud storage libraries have helper functions that can generate them.
I would like to show number of visitors on a site since beginning of the month, number of users on the current day and currently on site.
I have Google Analytics installed, I tried to solve this issue with Embed API by enabling Google Analytics API from developer console - but I requires user authorization, etc.
What would be the easiest way to show analytics on-site without user authentication and accepting access by Embeded API, etc. Application is written in Angular, so Javascript API is the one I look for.
Thank you for any suggestion.
Authorization has to happen in order to get the data you want. Either you can let visitors to your site authorize themselves, or you'll have to authorize server-side on their behalf.
Once authorized, you can do something similar to what the Third Party Visualization Embed API demo shows. It uses a custom ActiveUsers Embed API component and includes the source code to show how it works.
Whether you use the ActiveUsers component or not, the basic gist is that once the users is authenticated via the Embed API, you have access to the method gapi.client.analytics.data.realtime.get, which you can use to query this data.
Here's where that happens in the source code for the ActiveUsers component:
https://github.com/googleanalytics/ga-dev-tools/blob/master/src/javascript/embed-api/components/active-users.js#L69-L87
Authentication with the Analytics service is mandatory. But the OAuth 2.0 Service Accounts (for Server to Server Applications) can be used to automate it in many cases.
It's unclear to me (from a quick scan) if the Auth options of the Embeed API would work with the automated authentication scheme, you may want to go through the details.
You should be able to use the Analytics Core Reporting API and maybe the Analytics Real Time Reporting API (beta) which work with the automated authentication according to their guides (look for the Authorisation sections on the left frames of the respective guides).
Donno if this qualifies as easy, tho, YMMV :)
I need to create a (demo) application for Google Glass with a simple user interaction: insert a card on Glass and get a response back to the application.
I think this can be done by using the Mirror API.
This application is not a web application so I think I need to use a service account.
I have created an API project on the Google APIs console https://code.google.com/apis/console/ and enabled the Google Mirror API.
After that I created a new client ID with application type "service account" (calls Google APIs on behalf of your application instead of an end-user; more info at https://developers.google.com/accounts/docs/OAuth2#serviceaccount).
The result is a client id, email address and public key fingerprint and a P12 key with password.
The problem is that I cannot find an example how to do the service account authentication and for example a card insert.
Any ideas? The used programming language is less important...
See also Can I use OAUTH2 Service Accounts with Glass Mirror API? but unfortunately without an answer.
Edit:
From the answer below I understand I cannot use the service account for this.
Is it then correct that I always need a web application where Google Glass has a callback url so data can be send from Glass to the application?
We develop a Warehouse Management System where the operator in the warehouse uses a voice client (like http://www.epf-gmbh.de/bilderorg/talkman_joe.jpg) that communicates with the server. The server sends commands to the client and the operator can send voice commands back to the server.
For demo purposes I would like to replace the voice client with Google Glass.
Edit 2:
Something like this: http://youtu.be/kbcskj4yAvo
You cannot do timeline operations with a service account. Most Mirror API operations (on the Timeline, Contacts, and Subscriptions) require a user's account since these operations must be done on behalf of the user in order to correctly identify which Glass will be used.
Update:
Your followup questions don't exactly relate to the authentication question, and they may be better asked in a new question, but two quick points:
Yes, when working with the Mirror API if you want to get information from Glass into your server you'll need a webapp which can take callbacks. You'll be registering this as part of a Subscription.
The example you pointed at uses the GDK, not the Mirror API.
I'm new to App Engine and am trying to figure out how to disable the API Explorer from showing all my APIs, which are currently public and available to anyone visiting [MYPROJECT].appspot.com/_ah/api/explorer
Supposedly Snapchat uses AppEngine, however visiting https://apis-explorer.appspot.com/apis-explorer/?base=https://feelinsonice.appspot.com/_ah/api#p/ does not reveal their APIs.
Viewing network activity for that page you'll see that requests are being made to https://feelinsonice.appspot.com/_ah/api/discovery/v1/apis but returning a 404.
How do I do the same?
When visiting the API Explorer using my project ID I see this:
Is this the culprit?
Endpoints is the 'culprit'. I'm assuming you are using endpoints since you've included that tag, and I guess snapchat doesn't use endpoints.
There is nothing you can do to change this other then stop using endpoints.
I'm writing an application that takes a user's Evernote notes and displays them in a website inline. By its very nature, people accessing the resources attached to a note will not be logged in. I'm looking at the bottom of this page and saw how to pass authentication credentials via POST and get the resource. This is exactly what I need.
My question is how does this work in the real world? If I pass authentication tokens to the Javascript client (not secure in the first place), I can't get the resource because of Access-Control-Allow-Origin restrictions. The only other way I can think of doing this is saving all of the resources to my server and serving them from there, but that's not ideal (Google App Engine).
Ideas?
Yea, Evernote does not support CORS yet. You can do it in a chrome extension or get it on the server side.