Get User's first and last name via Google API - google-chrome

Currently I am developing a Chrome-GMAIL extension which requires me to get the logged in user's first and last names. For experimentation, I have used the following goggle API (userinfo) and have successfully obtained the names I wanted:
https://www.googleapis.com/auth/userinfo.profile
However, using the userinfo APIs will cause a change in the OAuth2 scopes in my manifest. This change will in turn cause a permission-prompt to my existing users (if a domain wide delegation is not setup in place). Point being the idea of having more prompts in front of my user, or additional oauth scope is not really something I desire.
Currently our extensions use the following OAuth scopes and API :
Chrome's Identity API
Chrome's Storage API
GMAIL.modify
GMAIL.send
My question is, is it possible to get the first and last names using an API that is defined/allowed/provided for by any of the above scopes/permissions I listed? or is userinfo the only way to go?
Thank you very much.

Profile data like first name and last name is private data. You are corect that some Google apis give you access to some data that would normally require an extra scope. For email normally you would need to to request the email scope to get this back however the Gmail api does have an endpoint getprofile which will return the current users email address without you requesting the email scope.
However i am not aware of any apis that will give you access to the users first and last name without you requesting the profile or user.profile scope.
If you do decide to add the scope, I do recommend going though the people api rather then the userinfo endpoint as the data returned by the user info endpoint is not guaranteed to always return the name.

Related

How to use OAuth 2.0 with a Google Apps Script library, with a static redirect URL?

I can't figure out how to make a shared Google Apps Script library, that uses OAuth 2.0.
The problem is that the usercallback redirect URL changes, every time I use the library in a different script. However, that means I'd need to add a new app and whitelisted redirect URL to Asana for each spreadsheet I use the script in. I'm using https://github.com/googlesamples/apps-script-oauth2.
Is there a way to always authenticate with the same redirect URL, so that the library I make can be used from any script, without registering a new redirect URL in Asana?
I'm a Developer Advocate here at Asana. If I understand your question correctly, then yes, you'll have to handle the callback separately for each script. For security reasons, we validate that the OAuth app registration registers the same url as an integration actually requests when authenticating. If this weren't true, for instance, it'd be possible to create a malicious script that uses the client_id from a legitimate script but asks for the redirect to go to its own credential-grabbing endpoint. This is fixed if the app that got the client_id on app registration also specifies precisely which endpoint should be the legal endpoint to redirect to. That means each OAuth app needs to have its own unique and consistent redirect URL :(
I suppose you could possibly create a single "router" Google Apps script which would set the state parameter with some user/script pair when hitting Asana's oauth_authorize endpoint and forward the user credentials on to the script that exists behind the router script based on that user/script pair when the response comes back, but it's not super trivial.
One final option would be to use a Personal Access Token to access Asana's API. This one token can be used by an unlimited number of scripts for access. The downside is that this token "looks like you", that is, it takes action on behalf of not a third party user but you yourself - your scripts would be an automated version of the user whose Personal Access Token they use. This can be mitigated to some extent by creating a "bot account" to access our API and giving it access inside of Asana to the projects or teams you want to gather data on. The other downside to this approach is that every script that uses the personal access token will break if you ever revoke the one token, so if that ever happens by either intent or accident, you'll have to update the Personal Access Token information in every script that uses it.
Hopefully this helps you to evaluate the options and choose which one of these options works best for your script.

Setting the client name for an Authorized API client in Google

I have developed a few small apps that connect to our google domain. However each time I have to authorize one of these apps I need to add a different
Authorized API client by using it's "Client Name". Is there a way to set this client name to something of my choosing? It would make it much easier to quickly understand what apps are OK to remove from the list later on.
Thanks!
...edit...
I may not have been specific enough, here is an image of where I want to change the value. This is from the google admin console for google apps under Security -> Show More -> Advanced Settings -> Manage API Client Access
CLient Name Field
For all the apps I've developed so far my Client Name(which I pull from the google developers console) is either a seemingly random string of only numbers or a random string of numbers and letters follow by "apps.googleusercontent.com". Yet I've seen other apps that somehow have their company name listed there. How can I choose my own Client Name as I've seen in other apps?
You can set client name and the scope by goinog on the Manage client API access page. Register your client in the Authorize a new API client settings.
Enter the client name provided by the third-party vendor and specify the scope. Add a new client by entering the client name (OAuth consumer key) and API scope and clicking "Authorize". You should verify that the client is known to you and that they have an appropriately small scope of access.
For each client, you can specify multiple APIs, separated by commas. For example, to allow access to both the Contacts and Documents List APIs: "http://www.google.com/m8/feeds/, http://www.google.com/feeds/". The list of clients is unique, and cannot have two entries in the list for one OAuth client. You can use any of the Google APIs that currently support two-legged OAuth for Google Apps domains
Authorized API Clients
Add your APIs from the list of approved clients and their scope.
After the client has been added, you can remove a client that has a specified API scope by clicking the "Remove" link. If the client is the OAuth consumer key for your Google Apps domain, you'll see the link, "Manage". Clicking this link takes you to the Manage OAuth key and secret for this domain page where you can edit the client (for example, turn off global API scope access).
For more information about OAuth, please follow this link: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
In case you meant how to set the application name when you connect with the php api client, you can use:
$client->setApplicationName('App Name Here');

Can one track the usage of a shared resource from google drive

Does anyone here know if you on Google Drive somehow can track if a public shared link to a file have been used?
That is, the resource have been downloaded, viewed or otherwise "touched"?
Yes, and no
No: For consumer accounts.
Yes: For within a domain for Google Apps unlimited account, you can using the Admin API to receive view events.
Find the documentation here: enter link description here, relevant except follows.
Retrieve Google Drive events by event name
To retrieve a report of all instances of specific event type such as creating or editing a document, use the following GET HTTP request using the authorization token described in the authorization documentation. The userKey is the primary email address of the user in the report. The eventName can either be a access or acl_change event. For the eventName information, see the Drive event names reference information. For more information about the request's query strings and the response properties, see the API Reference. For readability, the following example is formatted with line returns:
GET https://www.googleapis.com/admin/reports/v1/activity/users/all
/applications/drive?endTime=a date&startTime=a date
&filters=event name parameter relational operator parameter value,...
&actorIpAddress=user's IP address
&maxResults=maximum number of events returned on a response page
&eventName=either a view or edit event

Graph API: User Access Token

I'm trying to use the Graph API to get the feed of multiple public groups then that of multiple users.
When it comes to the feed of groups, it works flawlessly, all I have to do is fetch the following :
graph.facebook.com/$group_id/feed?limit={feedLimit}&access_token={access_token}
My access token being comprised of: AppID|AppSecret
However when it comes to fetching the feed of a user (Whose confidentiality settings are set to public of course) all I get is an empty answer. I would've thought it impossible to get such info and stopped there but then I stumbled upon ApiGee. All I have to do then is authenticate as a user (facebook-Authenticated-user) and it works.
Here's an image of it: http://s9.postimg.org/ynq5tar9r/feed.jpg
My question is : "How is that possible? I've read all I could in the docs and I still can't understand how it works. And how can I remedy that?"
Thank you.
The token you are using is an App token (AppId|AppSecret). With the app token you can't really get users personal feeds. With ApiGee you authenticated to get a user token, which can be used to fetch posts on the authenticated user's feed.
Read more about Facebook's access tokens

value attribute for Permissions Resource not populated in responses

Looking at:
https://developers.google.com/drive/v2/reference/permissions#resource
the values attribute which contains the email address value for the ACL is not returned by the API. It's not clear why the value isn't returned, I assume it's a privacy issue but it means Drive SDK can't support document migration (from one Google account to another) use cases where the old Documents List API v3 can:
https://developers.google.com/google-apps/documents-list/#retrieving_the_acl_for_a_document_file_or_collection
for now I'm looking at adding both Drive API and Docs v3 API scopes for my project and just using the Docs API call to retrieve the ACLs but ideally I'd be able to use just Drive API calls. Am I missing anything? Could a special scope be added to Drive API that allows ACL email address retrieval or is there some other way to handle this?
Jay
Thanks for your question Jay and thanks your answer Ali Afshar!
Unfortunately I do not understand how Google believes the following scenario should work without the email address of the users:
In Documents List API v3 you could copy a file A to file B, retrieve the ACL-information of file A (including the users email adresses) and simply add them as ACL to file B.
With Drive API you can retrieve almost the same Permission information, but without the user email address, which is still required to re-share file B to the same users.
As a sidenote: If you use GAS DefaultService DocsList, you can still receive the editor/viewers with getEditors() or getViewers(). If you manually share a file you can see all email addresses as well.
So if you ask me, the privacy issue is a valuable argument, but it does simply not apply here.
Jan
Since this question was posted, Drive API has been updated to allow permissionId to be sent on permissions.insert() (the id attribute). This allows for migration of ACLs without ever needing to know the email addresses (just straight copy the permissionIds over to the new file).
Additionally:
the permissions.getIdForEmail() API call provides a quick way to get the ID for a given email address
when returning permissions for a file with permissions.get() or permissions.insert(), the domain attribute is included which should help determine if the ACL raises security concerns.
I believe these features cover most use cases where the actual ACL email address retrieval was needed.
You are absolutely correct, the email address is hidden for privacy. It is not right that a user should see the email addresses of all other users that have access to the file. But I'm not sure I quite get the problem. Are you migrating using service accounts, or are users individually authorizing the migration?
The value in the permissions feed is consistent for each user, and that value is available in the about feed for a user. I assume you know the email address of the users, so you can authorize for each of them With a service account, and you can migrate the data.
You should not need the Drive API scope and the Docs v3 API scope, they are pretty much the same scope.
Also resurrecting this old thread, I had the same issue while migrating documents.
A workaround:
- Create a temporary folder
- Insert a permission for the user
- retrieve the id from the permission
Not nice, but works for me.