I am trying to get account credentials for my Google account which can be stored in a command line file. The script expects these 3 parameters to be set.
local client_id = ""
local client_secret = ""
local refresh_token = ""
So I expect I need some kind of OAuth token which will never be invalidated.
Does anyone know how to acquire it?
You get the client id and the client secret from the Google dev console. You get the refresh token by doing a one-time authorization.
All of the steps are detailed in this answer How do I authorise an app (web or installed) without user intervention? (canonical ?)
Be very careful about how you secure the refresh token. It acts like a username/password for your Drive account, so could be used by "bad dudes". It's a good idea to use the most restrictive scope (step 8 in the above list). drive.file is a good choice if your script is uploading. If your script needs to download files, try drive.readonly.
Related
I am creating an application in which I am getting a Client_secret.json file, and in my application I'm trying to load that json file and get the credentials from it using the following code:
credentials=get_credentials(filename)
http = credentials.authorize(httplib2.Http())
service = discovery.build('admin', 'directory_v1', http=http)
userinfo = {'primaryEmail': primaryEmail,
'name': { 'givenName':user },
'password': password
}
service.users().insert(body = userinfo).execute()
It gives the following error:
httpError 403 when requesting https
//www.googleapis.com/admin/directory/v1/users?alt=json returned
insufficient permission
I'm not sure what I'm doing wrong or am I missing something? I was wondering if the problem is in the json file which I'm creating?
Any help would be appreciated.
Thanks,
Aman
Well, you can start by checking a few things:
If you're using a service account, be sure to enable the "wide domain delegation option" to allow a service account to access user data on behalf of your users and perform operations.
Check if the scope https //www.googleapis.com/admin/directory/v1/users is authorized for your client ID on your google admin console > Security > Advanced settings > Authentication > Manage API client access.
Check if the user that you're using to insert the new user have enough privileges a.k.a super admin privileges.
Check if the Admin SDK API is active on your project.
Keep in mind that just downloading the client_json and activating a API isn't enough to allow these types of operations. For certain APIs like Admin SDK, the user you're gonna use to consume those services need to have specific privileges.
Here's a few helpful links
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
https://support.google.com/a/answer/162106?hl=en
I would first check to make sure that you have the correct Admin privileges on the account that you are trying to use OAuth credentials on. I would try logging into the account and going to this reference page in the Directory API for Users:insert
https://developers.google.com/admin-sdk/directory/v1/reference/users/insert
On the right hand side you should go to the Try this API section and see if that account has permissions to create new users.
Also another thing I noticed as well, is that you're not setting the required field familyName inside of the name field. familyName is a required property.
What i need to do is to authenticate myself into the GoolgeDrive API (I use it in python) to access my drive to do some automatique task.
I would like that my script run alone every hour without any intervention. So what i need is a way to create a credentials object with my login and password.
Is it possible without any redirection and so on?
I think it is not possible to achieve this with user id and password. The way Google Drive implements this is using a refresh token. That means that you authenticate your app one time interactively. This enables you app for one hour. If the refresh token mechanism is properly configured, the app will renew the token every time it needs it subsequently.
Basically the following steps need to be taken
Visit console.developers.google.com
Register a project and obtain Oauth Client IDs
Select as type web server and enter "http://localhost:8080/" as authorized redirect URL
Download the client_secrets.json and store it in the root of your python app
Create a file called "settings.yaml" at the same place with the following content
client_config_backend: settings
client_config:
client_id: YOUR_CLIENT_ID_GOES_HERE
client_secret: YOUR_CLIENT_SECRET_GOES_HERE
save_credentials: True
save_credentials_backend: file
save_credentials_file: credentials.son
get_refresh_token: True
oauth_scope:
- https://www.googleapis.com/auth/drive.file
- https://www.googleapis.com/auth/drive.install
In your python code you need to do proper authentication and credential saving:
gauth = GoogleAuth()
gauth.settings["get_refresh_token"]=True
gauth.settings["approval_prompt"]="force"
if exists(self.credsFile):
gauth.LoadCredentialsFile(self.credsFile)
if gauth.credentials is None:
# Authenticate if they're not there
gauth.LocalWebserverAuth()
gauth.SaveCredentialsFile(self.credsFile)
elif gauth.access_token_expired:
# Refresh them if expired
gauth.Refresh()
gauth.Authorize()
else:
# Initialize the saved creds
gauth.Authorize()
# Save the current credentials to a file
gauth.SaveCredentialsFile(self.credsFile)
self.driveInstance= GoogleDrive(gauth)
Make sure that you pass in self.credsFile as a valid filename
Executing this code should give you a URL at the console. Copy it to a browser, authenticate and give your consent. Google should ask you for two consents, the second is to authenticate for Google Drive - which is actually done by the refresh token.
The redirect url from the initial credential config in the developer console is called once the consent is given. It calls the temporary web server started by your application. This is how the call back is done. (This implies you have to run browser and your app on the same machine for this step - you may copy over all three files to your server)
From now on your app should run forever without requiring user interaction.
I 've the follow simple scenario:
a server of my boss
some costumers with google drive accounts
so I'd like to transfer daily some files to costumers google drive...
My question is: if a customer have pc disconnected or is not logged to my site is possible from my server upload a file into costumer google drive?
And if yes there's a limit of user or daily transfer?
p.s.
better if I can use A Google Drive spreadsheet and update data
thanks
Yes it is possible, but there are many steps in between.
1.- You would need an application, so you can perform this operations through your app. check the documentation.
2.- You would need to set the offline access, this way you will be able to upload files even if the user is not logged. Oauth Offline access.
3.- The users (customers with Google Drive account) will have to authorize your application to access their Drive accounts. After this you will be able to get an access token and a refresh token.
4.- With the refresh token you can refresh the access token (it expires after an hour) without having the user to login again and get a new access token. (you have to store this refresh token)
5.- Now you can call the function Drive.Files.Insert in order to upload a file into the customer's Drive. When calling this function you need to provide the access token related to the user.
6.- There are limits that apply to the API. These quotas are against the application. If you make too many calls to the API, you may reach these limits for your application. You can check these limits in the Developer Console of your application.
I hope this helps. I know it's a lot of information but is the procedure you need to follow.
I would like to use GAS script as some sort of a web service. Basically, I would like to post some parameters and then using Drive service do some manipulations of Google Doc and all of this has to be done from backend, without use of browser. Now I have issue with authentication - When I deploy GAS as a Web App (Execute the app as user accessing the app, Anyone can access app), when trying to execute script via Http request, I get Google Login response (/accounts/ServiceLogin). Obviously user has to authenticate access. I was not able to find if we can apply OAtuh at that point. So my question is - What can be done to achieve this? Is there any mechanism that can be used to atuhenticate to GAS from a server side? Or am I forced to use browser with GAS?
You could have your own authentication check in the Apps Script code. You would have NO security settings with the publishing, but implement your own password check in the Apps Script code. You would set the publish "Execute the app as:" setting to ME, and the setting of "Who has access to the app:" to Anyone, even anonymous. That allows the app to be run by anyone with no authentication. Then create your own authentication by passing a password in the URL search string.
Even though putting a password in the URL search string is encrypted over a HTTPS connection, it's still considered "bad practice", because the search string could be stored in plain text in the browser history. But you aren't going to use a browser.
So, your Apps Script App would read a search string parameter from the URL, and either allow the script to be run or not. You would be implementing your own authentication system.
But you need to evaluate and decide what the security is on your server, or whatever server is sending the request. If you can send a HTTPS request to an Apps Script with a password in the URL search string, and it's not a security concern on your server, or whatever server is sending the HTTPS request, then you can consider that and make your decision.
If you want to get a response back from Apps Script to your server without anything opening up in the browser, use the Content Service:
Google Documentation - Content Service
Hi I have a very simple Google Apps Script, i.e. one that is created when in Google Drive and click create and then script.
What I would like to be able to do is have users authenticate using the oauth 2 protocol, receive the authorisation code and exchange that for an access token and refresh token. This requirement is for an IPhone app so I would rather save the refresh token so users do not have to login repeatedly.
My issue is that I do seem be able to get the access and refresh token, I can see the client_id of the app in the url returned from the authentication step, however I believe I also need client_secret to request the access and refresh token from:
https://accounts.google.com/o/oauth2/token.
I'm asking it this even possible, if so do you know of any examples and if not could you recommend a different approach (perhaps use an application specific password).
Many thanks
You should be able to obtain this from the Oauth Playground.
Oauth Playground