I would like to use Google Forms as a means for the users of my system to enter their login credentials to various system tools.
The reason this is important is because as their admin, I will need to manage various aspects of their tools.
Users are (rightly so) anxious of entering passwords in clear text boxes. What is the best method for retrieving such information in a safe and user-friendly manner?
You should NEVER collect user credentials for 3rd party services, e.g. collecting username/password to Google accounts. Not even if this is a Google Apps account belonging to your organisation (note that google gives admins the ability to reset password but not to view it). Also, a lot of users are now using two-step verification, so collecting user credentials will not work.
If you need to access Google services in the name of the user, than you should look into OAuth.
Related
GmailApp.search is great for pulling emails but what if I want to access a specific Gmail account logged in or not logged in is this possible with GmailApp or maybe some other method I am unaware of? Or am I forced to use the email address the user is logged in?
Due to security and privacy concerns, GmailApp service as well as the rest of the services provided by Google Apps Script and Google REST APIs can only access the logged-in user's data. In order to access another user's data, he/she will have to manually log in using the oAuth2 flow. As an option, you may create a WebApp that the end-user would connect to and manually authorize your application to be run using his/her data.
I am trying to understand what is the intended use case for app auth and app users. Im basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory. Or do I have to have a unique account with its own api key for every user?
I hope this makes sense. Any assistance would be appreciated.
Thanks.
App Auth and App Users -- which is officially called Box Platform -- is essentially a white-labeled version of Box. I think of it this way: "Box" as we know it is software-as-a-service. It offers a web app, mobile apps, and all the trimmings. Box Platform is the platform layer upon which the SaaS is built, providing API-based management of users/content/comments/collaborations/etc. With Box Platform you have a walled garden in which you can build apps that leverage all the features of the APIs, but are not otherwise "Box apps."
I'm basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
This is an appropriate use case. With Box Platform you will be the owner and administrator of a Box enterprise and all the accounts and data contained within.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory. Or do I have to have a unique account with its own api key for every user?
I think it's generally cleanest to create unique accounts for each user as opposed to giving users a special subdirectory in the admin account. From there you can use the App Auth workflow to get an access token specific to that user.
Google have multiple products like Youtube, Gmail, Google Drive and many more. When we login into one product like gmail then while hitting another product like youtube we will enter into this account without login. Then My question is how google uses cookies for different domain like youtube, gmail and any other. If anyone knows about this please let me know thanks in advance
This is not google specific thing. You have to study more about single-sign-on and claims based authentication to understand how this is achieved.
The common protocols used in these scenarios are OAuth and OpenId Connect.
Basically 3 parties involved here. The User, The Application, The IP(Identity Provider).
In this example Gmail, youtube and google drive, all are applications. They all use google(accounts.google.com) as identity provider. When user try to access an Application(gmail,youtube) he is redirected to the identity provider(accounts.google.com) and get authenticated. The identity provider issue a cookie(from accounts.google.com domain) to the user. The application receive Token from Identity provider saying user is authenticated and after validation of the token, application also issue another cookie(from gmail.com or youtube.com) to the user.
As long as user has the cookie issued from identity provider, he don't want to sign in again when he logs into an application that use the same identity provider.
I'm using Google Apps Script UI to create forms for students at my school. I've restricted access to my domain for added security, and to capture users' email addresses.
The problem is that many of our students have separate Gmail accounts. If they are already logged into Gmail (not our domain), they don't get a log-in page, but something prompting them to request access.
Any suggestions for avoiding this?
Thought I saw a request in the issue tracker for an account choosing feature, but my guess is that you'll want to allow anyone to access your web app and show a custom prompt if their email is non-domain. I don't know how well this would work with shared computers, but creating separate Chrome user accounts for each of my Google accounts has solved all my multiple sign-in pain.
I have a web application that we are building. We need a text editor to allow for our registered users to create and or edit documents. We want the documents to be used within our app, but would like to use the Google drive interface to create/edit/upload docs. What I am concerned about is the OAuth2 process. I would like for our web app to be the authenticator, and allow our users access to our files/folders that are under our account rather than theirs. Can we do this? All of our users are authenticated by our application already, and we do not want them to have to use their personal credentials to access files used by our application.
According to Google's documentation:
Each Gmail account intended and designed for use by an individual
user. If you have multiple users frequently accessing the same account
from various locations, you may reach a Gmail threshold and your
account will be temporarily locked down.
Anecdotal evidence confirms this: a worker at a school reported a 403 error possibly caused by too many people logging into the same account at the same time.