UPDATE TITLE: "Why does RCLONE work with Drive API without credentials, while Gmail API doesn't?" to "Is it true that the Drive API does not revoke the token but the Gmail API revokes when the account password is changed?"
What does the link below say are only valid for the Gmail API? Because with the rclone application, even if the password was changed, the token was never revoked.
https://support.google.com/a/answer/6328616?hl=en
I don't know how RCLONE works, but at a certain point it has to make the OAuth process to authenticate your app and let it use the Drive API.
OAuth 2.0 The authorization protocol that Google Drive API requires to
authenticate your app users. If your application uses Google Sign-in,
it handles the OAuth 2.0 flow and application access tokens.
Now, this PHP Quickstart will give you guidance on how to use the Gmail API, there it shows how to download and use the credentials.json file.
Docs
For more additional info, read this:
Authenticate your users
Enable the Google Drive API
Related
I am making a server side web app that integrates with Google Drive's "Open With" button.
I've been able to get a refresh token with the InstalledAppFlow in the python client library (go to my install endpoint redirect user to consent screen and google uses the redirect_uri to send the code to my server) and access the data I want.
What I don't understand now is how do I get a refresh token after a user installs and consents to the permissions requested by my app in the GSuite marketplace? Does Google post the information to one of the redirect URIs of your OAuth2.0 client Ids? Do I have to ask the user for consent again and get the refresh token as before when he uses "Open With" from Google Drive?
Its not clear to me how the oauth flow works with apps installed through the GSuite Marketplace. Thanks for any help!
I've figured out my problem. What I was looking for doesn't exist. Google doesn't already generate credentials when the app is installed from the G-Suite marketplace, unless you use a service account. Presumably you have to authorize the user yourself the first time he uses your app.
Is it possible to authenticate to third-party service in G-Suite (Gmail) Add-ons, but without oAuth. The service I want to authenticate works on REST API and has no oAuth support.
The best for me would be to open a new window (as with oAuth), login there and return token to the Gmail add-on frame. If that won't be possible, I'd go with giving a username and password in dedicated Card in add-on, but I'm not sure it that solution will pass Google verification when publishing in Marketplace.
I'll be grateful for all the suggestions.
Unfortunately no. When connecting your add-on to third party services(ex. your application server), Gmail forces you to set up a separate authentication process for user to go through to use your services.
However, if the non-Google service does require authorization, you'll have to configure OAuth for that service. You can make this process easier by using the OAuth2 for Apps Script library (there is also an OAuth1 version).
Your service can still use Google OAuth to authenticate the user, you just need to set it up separately from your Gmail add-on.
You can read more on it here: https://developers.google.com/gmail/add-ons/how-tos/non-google-services
Also in my post I explain the process of connecting your non-google services to gmail add-on in more detail
Can I authorize and get oauth2 access token in chrome extension for currently logged in user in gmail instead of chrome user.
Thank you
You can follow this documentation for the user authentication.
Use the Chrome Identity API to authenticate users: the getAuthToken for users logged into their Google Account and the launchWebAuthFlow for users logged into a non-Google account. If your app uses its own server to authenticate users, you will need to use the latter.
Here are the five steps you need to complete for Google account authentication:
Add permissions to your manifest and upload your app.
Copy key in the installed manifest.json to your source manifest, so that your application ID will stay constant during development.
Get an OAuth2 client ID for your Chrome App.
Update your manifest to include the client ID and scopes.
Get the authentication token.
Apps can get OAuth2 tokens for these users using the getAuthToken API.
You can also check these tutorials:
Using OAuth 2.0 for Client-side Web Applications
OAuth 2.0 from chrome extensions
Can I authenticate with just Google account username and password instead of using OAuth? If not, is it planned to support this kind of authentication in the future versions of Google Drive API?
I am currently using Google Documents List API which allows to authenticate with just username and password. So I am wondering if I can I do the same thing with Google Drive API.
Are there any reasons you cannot use OAuth 2.0 as your authorization mechanism?
Client Login is currently being deprecated and it would be better for you and your users to use OAuth 2.0.
There are multiple code samples available in the Drive SDK documentation as well as in the various client libraries project page to help you get started.
If you are running a server application, consider using a service account with OAuth2 and the Drive API. This will allow you to run the app on a server without a user having to provide OAuth2 credentials on the console or through a UI. You can also do impersonation if you want your app to act on documents with a specific account.
GoogleCredentials credentials = new GoogleCredential.Builder()
.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("[[SERVICE_ACCOUNT_EMAIL]]")
.setServiceAccountScopes(DriveScopes.DRIVE, DriveScopes.DRIVE_FILE,
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile")
.setServiceAccountPrivateKeyFromP12File(Auth.keyFile)
.setServiceAccountUser("[[impersonateduser#domain]]")
.build();
credentials.refreshToken();
I've found this blog post somewhere (possibly here): http://blog.databigbang.com/automated-browserless-oauth-authentication-for-twitter/.
I know it is regarding Twitter, but it uses the same method, so I reckon it just needs a little tweak in the names. In short: if the script is run only by server, install Jython + HTMLUnit, simulate user going to the generated authorization link and clicking 'allow access' button and get token.
Use Case
As admin service account, transfer Document Ownership using the Google Docs API, similar to the built in cPanel "Advanced Tools" -> "Document ownership transfer"
Constraints
APIs are being invoked in context of a Google Apps admin service account rather than the end-user account since APIs are being invoked from Google Apps Script in Sites page
Authorization is OAuth 1.0 since this is what Apps Script supports
What works:
Transferring ownership of the admin service account's own files to another user's account as documented here
What is required:
Transfer ownership of another user's files, ideally without them sharing any permissions with the admin service account; if there's no other way of doing it, they could share edit permissions on the file with the admin service account.
Currently this returns a
" ServiceException - You do not have permission to share these item(s):"
What you're trying to do is possible by impersonating the user using the admin account. The documentation shows how to do this here.
Essentially, start by requesting the API URL with default replaced with the current owner's email address. The request must be made while authorized as the admin user, though.
https://docs.google.com/feeds/user#yourdomain.com/private/full/
Once that URL is requested, all feed URLs will be returned with that email already present. Then, simply change ownership as you would normally.