I'm developing an AppEngine application which lists files from my Google Drive using the Google Drive API. I'm getting an 500 error when one of my users tries to run my app:
HttpError: https://www.googleapis.com/drive/v2/files?q=%27[ID sanitized]%27+in+parents&alt=json&maxResults=5 returned "Invalid Credentials">
The code pulls files from a specific google drive folder. The folder and files are shared with the user, and the app is authorized to use the Google Drive API.
At some point, I figured that I should start from scratch, so I revoked the authorization from that user's account. Didn't seem to make a difference and now to add insult over injury it appears that my app no longer asks that particular user for authorization.
Does anybody have any recommendations at this point? My code uses the Google API client for python and the decorators (with oauth_required) for handling authorization:
CLIENT_SECRETS = os.path.join(os.path.dirname(__file__), 'client_secrets.json')
MISSING_CLIENT_SECRETS_MESSAGE = """
<h1>Warning: Please configure OAuth 2.0</h1>
<p>
To make this sample run you will need to populate the client_secrets.json file
found at:
</p>
<p>
<code>%s</code>.
</p>
<p>with information found on the APIs Console.
</p>
""" % CLIENT_SECRETS
http = httplib2.Http(memcache)
service = build("plus", "v1", http=http)
files_service = build("drive", "v2", http=http)
decorator = oauth2decorator_from_clientsecrets(
CLIENT_SECRETS,
scope='https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/drive.readonly',
message=MISSING_CLIENT_SECRETS_MESSAGE)
[...]
class MainPage(webapp2.RequestHandler):
#decorator.oauth_required
def get(self):
[...]
try:
kb_param = {}
kb_param["maxResults"] = 5
kb_param["q"] = "'[sanitized]' in parents"
kb_files = files_service.files().list(**kb_param).execute(http=http)
template_values = {
'kb_files': kb_files["items"]
}
Any insight would be greatly appreciated :)
Thanks!
Rick.
The token might be revoked, or the credentials might actually be wrong.
Related
I am developing an application that interacts with Google Drive and will work as follows: When a user adds/modifies a file in Drive Share, my application will receive a notification and I will handle it. I did the development locally using Auth2 authentication and everything works perfectly, but this application will be hosted on a Cloud Functions and because of that I am not able to use Auth2 authentication, as user consent is required.
Due to this problem, I went to the perspective of using a Service Account, where I added it as the manager of my share drive, used it to create the function, and gave it all the necessary permissions, but when I modify a file, the my endpoint that was supposed to receive the message, just doesn't.
I did a search and saw that it's due to the service account not having access to user data, so it makes sense that no notification would be created.
Below I am attaching the code I am using to create the watcher on the drive and the authentication process by SA:
Code responsible for get credentials to authentication
SCOPES = [
"https://www.googleapis.com/auth/drive",
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/drive.readonly",
"https://www.googleapis.com/auth/drive.metadata.readonly"
]
credentials, project_id = google.auth.default(scopes=SCOPES)
credentials.refresh(req.Request())
Code responsible for creating the watch
drive = discovery.build("drive", "v3", credentials=credentials)
params = {
"kind": "api#channel",
"id": "id_watcher",
"type": "webhook",
"address": "address cloud functions"
}
# r = drive.changes().watch(fileId=file_id, body=params, supportsAllDrives=True, supportsTeamDrives=True).execute()
r = drive.changes().watch(pageToken=1,
body=params,
driveId=driverId,
includeCorpusRemovals=True,
includeItemsFromAllDrives=True,
includePermissionsForView=None,
includeRemoved=True,
includeTeamDriveItems=True,
pageSize=None,
restrictToMyDrive=None,
spaces=None,
supportsAllDrives=True,
# supportsTeamDrives=True,
# teamDriveId=driverId
).execute()
My question would be if there is a way to use Auth2 without the need for user consent, that is, without the step of opening the browser and allowing the generation of the token. If not, can you help me with a method that might work?
Remembering that this code will be in a cloud functions.
Thank you very much!
Two suggestions, one for the user consent scenario and one alternative for the notifications:
Domain Wide Delegation and Impersonation
If you are using Google Workspace and building the application for the organization. You can use Domain Wide Delegation if you are utilizing Service accounts. This would allow you to start the process of impersonation and avoid the consent of the users.
As suggested by the official documentation you can also apply and review the ways to grant the service account with the option to impersonate users.
Generating Notifications
Another suggestion could be utilizing Pub/Sub or push notifications to have your alerts. You would be able to utilize the Service account and your code and get the notifications and have them similar to an Audit log:
The image is a sample of a Gmail APi for watch and list.
References:
https://cloud.google.com/pubsub/docs/overview
Google Drive API - file watch does not notify (webhooks sample)
I'm trying to download a Google doc to PDF or Sheet to XLS given an ID programmatically from the CLI.
Steps I've tried so far:
Contact support, but can't see a (?) help icon
Google for 10 minutes... I think Google Drive API does this (not sure)
Enable the Google Drive API
Signed up for a GCP project
Navigated thought the UI to enable the API
Trying the GET API results in 400 Invalid field selection using the fields for the ID of the document
I'm a bit stuck now and I am not sure how to proceed. Any suggestions?
Warning: hopefully
informative wall of text ahead! I've also uploaded the full Jupyter Notebook for you to clone and run here since, as you've realized, putting this sort of stuff together can be challenging.
Since we're going to be exporting files via the google drive API, we need credentials for that scope as detailed in https://developers.google.com/drive/api/v3/reference/files/export#auth.
However, first we need to choose an authentication method as detailed in https://developers.google.com/identity/protocols/oauth2#scenarios.
Since you mentioned creating a GCP project, I assume you're interested in using a GCP service account
as detailed in https://developers.google.com/identity/protocols/oauth2#serviceaccount
You can create a service account at https://console.developers.google.com/apis/credentials
or as explained in https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount
Make sure to enable domain-wide-delegation for that service account while creating it and grant it https://www.googleapis.com/auth/drive scope under https://admin.google.com/ac/owl/domainwidedelegation since you otherwise won't be able to impersonate other users, including yourself, and download their files.
We then use the SERVICE_ACCOUNT_FILE we just downloaded and the SCOPES we defined to create a Credentials object.
However, you'll need to first install the Python bindings for the Google API as per https://developers.google.com/drive/api/v3/quickstart/python (pip3 install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib)
With that, the following should be enough to authenticate to the API:
from googleapiclient.discovery import build
from google.oauth2 import service_account
SCOPES = ['https://www.googleapis.com/auth/drive']
SERVICE_ACCOUNT_FILE = 'credentials.json'
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE,
scopes=SCOPES)
# Remember, you must have created credentials.json with domain-wide delegation!
credentials = credentials.with_subject('user#example.com')
# We then build a drive_v3 service using the credentials we just created
service = build('drive', 'v3', credentials=credentials)
We can access the files resource as shown in https://developers.google.com/drive/api/v3/reference/files/get and request the metadata of a file to which user#example.com has access https://docs.google.com/document/d/fileId/edit. In your case fileId=141g8UkQfdMQSTfIn475gHj1ezZVV16f5ONDxpWrrvts.
files = service.files()
print(service.files().get(fileId='1U3eMevKxTwDxzvOBUsqa36zvwBzKPVYOFgy3k_9vxb8').execute())
{'kind': 'drive#file', 'id':
'1U3eMevKxTwDxzvOBUsqa36zvwBzKPVYOFgy3k_9vxb8', 'name': 'empty',
'mimeType': 'application/vnd.google-apps.document'}
We access the files resource again but this time to export the file as detailed in
https://developers.google.com/resources/api-libraries/documentation/drive/v3/python/latest/drive_v3.files.html#export
This could also be achieved using https://developers.google.com/drive/api/v3/manage-downloads.
Valid MIME types are listed in https://developers.google.com/drive/api/v3/ref-export-formats.
fconr = files.export(fileId='1U3eMevKxTwDxzvOBUsqa36zvwBzKPVYOFgy3k_9vxb8',
mimeType='application/vnd.openxmlformats-officedocument.wordprocessingml.document')
fcont = fconr.execute()
print('{}...'.format(fcont[:10]))
file = open("/tmp/sample.doc", "wb")
file.write(fcont)
file.close()
b'MN\xc30\x10\x85O\xc0\x1d"'...
As you can see, fcont contains a binary blob that corresponds to the document and of which I'm showing the first 10 bytes. Finally, the blob is saved to sample.doc.
ls -alh1 /tmp/sample.doc
-rw-rw-r-- 1 jdsalaro jdsalaro 6,0K Jan 20 23:38 /tmp/sample.doc
As mentioned above, I encourage you to experiment with the Jupyter notebook once you've created the service account with domain-wide delegation, have saved it to credentials.json and have granted it the https://www.googleapis.com/auth/drive scope.
I am developing an add-on for google drive.
As a part of the functionality of this add-on, I would like to incorporate a google vm server that performs some processing on a user's google drive files (i.e. you click on a file through the add-on, send a request with a download link to the server, the server downloads the file, then finally responds to the request with some helpful information about the file). Both the apps script for the add-on and the vm instance are connected to the same google "project."
I am struggling with google's OAuth2.0 system and how I can connect the authorization of the add-on and the vm instance together.
Currently, when users open the add-on for the first time, they are brought to the authorization screen like so .
Once they authorize, my add on has access to all the expected scopes, including read access to google drive files.
Now I want my server to have access to them as well. Unfortunately, I do not understand how to do this.
I have tried simply requesting the url returned from file.getDownloadUrl() in python. While the request returns a status code of 200, I cannot seem to get the file to download.
I have also looked into the Google Drive API for python (I am running a flask server). Unfortunately, it appears that I need an entirely new authorization flow to make it work.
Any clarity on this issue would be greatly appreciated. Frankly, I find google's documentation on this matter very scattered and confusing. So, even knowing the right place to look would extremely helpful.
Much Thanks!
EDIT
I am adding some additional code to help provide some clarity. This is currently how I make a request to my server from the add-on:
var route = http://exampleurl.com/process
var data = {
'oAuthToken': ScriptApp.getOAuthToken(),
'stateToken': ScriptApp.newStateToken().withTimeout(120).createToken(),
'fileId': e.parameters.fileId,
'fileType': e.parameters.fileMimeType
};
var options = {
'method' : 'post',
'payload' : data
};
var response = UrlFetchApp.fetch(route, options);
This code successfully sends information to my vm instance running my server.
Now, I need to authorize the server to download the file specified by fileId.
When developing, I closely followed this tutorial to set up OAuth2.0 access to the Drive API. Here are two key routes:
#app.route('/google/login')
#no_cache
def login():
session = OAuth2Session(CLIENT_ID, CLIENT_SECRET,
scope=AUTHORIZATION_SCOPE,
redirect_uri=AUTH_REDIRECT_URI)
uri, state = session.create_authorization_url(AUTHORIZATION_URL)
flask.session[AUTH_STATE_KEY] = state
flask.session.permanent = True
return flask.redirect(uri, code=302)
#app.route('/google/auth')
#no_cache
def google_auth_redirect():
req_state = flask.request.args.get('state', default=None, type=None)
if req_state != flask.session[AUTH_STATE_KEY]:
response = flask.make_response('Invalid state parameter', 401)
return response
session = OAuth2Session(CLIENT_ID, CLIENT_SECRET,
scope=AUTHORIZATION_SCOPE,
state=flask.session[AUTH_STATE_KEY],
redirect_uri=AUTH_REDIRECT_URI)
oauth2_tokens = session.fetch_access_token(
ACCESS_TOKEN_URI,
authorization_response=flask.request.url)
flask.session[AUTH_TOKEN_KEY] = oauth2_tokens
return flask.redirect(BASE_URI, code=302)
Is there a way to plug in the two tokens I generate from the add-on into this Oauth flow? It appears that Google isn't anticipating this setup given that I am required to provide a redirect URL, which wouldn't make much sense in the case of my add-on/server tech stack.
Currently, you can successfully send the access token from the Apps Script project (retrieved with getOAuthToken()), to the flask server.
Since you already got the access token, you don't need to go through all the OAuth process as defined here (use the application credentials to request the access token, provide user consent, redirect, etc.). Sending the access token through the API request is actually the last step in the OAuth flow.
You just need to use the token to build the service, and the server will be able to access the file.
Using access token to build service:
from googleapiclient.discovery import build
import google.oauth2.credentials
ACCESS_TOKEN = requestBody['oAuthToken'] # Data coming from Apps Script via UrlFetch
creds = google.oauth2.credentials.Credentials(ACCESS_TOKEN)
drive_service = build('drive', 'v3', credentials=creds) # Build Drive service
Using Drive service to download files:
After you've build the Drive service to access the API, you can use this code sample to download Google Documents, or this one for other files (both examples include a tab with a Python sample).
Note:
You might need to Install the Google Client Library if you haven't done so.
Reference:
Using OAuth 2.0 to Access Google APIs
I'm trying to use the what Google terms a 'Domain-wide delegation' service account: https://developers.google.com/admin-sdk/directory/v1/guides/delegation
The specific API I'm trying to access with this delegation is: https://developers.google.com/apps-script/api/
Here's the code:
from google.oauth2 import service_account
import googleapiclient.discovery
import json
import os
SCOPES = ['https://www.googleapis.com/auth/script.projects', 'https://www.googleapis.com/auth/drive']
SERVICE_KEY = json.loads(os.environ['SERVICE_KEY'])
credentials = service_account.Credentials.from_service_account_info(SERVICE_KEY, scopes=SCOPES)
delegated_credentials = credentials.with_subject('fred.bloggs#my-gapps-domain.com')
script = googleapiclient.discovery.build('script', 'v1', credentials=delegated_credentials)
response = script.projects().get(scriptId='<myscriptId>').execute()
print json.dumps(response)
This fails with:
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', u'{\n "error" : "unauthorized_client",\n "error_description" : "Client is unauthorized to retrieve access tokens using this method."\n}')
I'm pretty sure I've followed all the steps at https://developers.google.com/api-client-library/python/auth/service-accounts, including authorizing the 'https://www.googleapis.com/auth/script.projects' scope with the client ID of the service account json key I downloaded.
Note, I was able to successfully get this particular snippet to work by skipping with_subject, and going in to the Script dashboard as the user, and 'sharing' the script project.
Unfortunately though that still doesn't allow upload a new set of files (as 'sharing' doesn't give the ability to delete). It does at least confirm my calling code is correct, albeit not authenticating properly with the json service key.
To clarify:
The script in question is what I believe is termed 'standalone' (not a web app)
It's owned by a bot user I've setup just like a regular GSuite user (as I didn't want scripts in regular user's Google Drives)
The script started in a Google Cloud Project that seemed to be automatically created, and with 'No organisation'. I then created a new project manually within the organisation, and moved the script to that project.
There's an official Google Apps Script client now, so I asked there too https://github.com/google/clasp/issues/225#issuecomment-400174500 - although they use the Javascript API (via Typescript), the principles should be the same.
I had one winform application which used to upload photos to picasa. I had used oAuth authentication and user grants permission for the following
Picasa Web Albums
Profile Information
I store authentication token for later use. This works perfectly.
Now I want to extend it to include GOOGLE DRIVE also, so what I have done is I have added scope to Authentication as below
By file Drive API
So now user grants Permission for all three, i.e. Picasa, Profile info and Google Drive.
But I am not able to upload photos to google drive, reason being I dont know how to create object of Google Drive Service.
for Picasa I used code as below
OAuthParameters parameters = new OAuthParameters()
{
ConsumerKey = CONSUMER_KEY,
ConsumerSecret = CONSUMER_SECRET,
Token = AuthToken,
TokenSecret = AuthSecret
};
requestFactory = new GOAuthRequestFactory("XXXX", "XXXX", parameters);
service = new PicasaService(requestFactory.ApplicationName);
Is there anything similar for google drive?
I need to create object DriveService(auth) ..
In short I need to know how can I create OBJECT of DRIVESERVICE from four information which I have i.e. CONSUMER_KEY, CONSUMER_SECRET, AuthToken, AuthSecret.
thanks.
Check the Google Drive SDK documentation for instructions on how to retrieve and use OAuth 2.0 credentials to instantiate a service object:
https://developers.google.com/drive/credentials
Please note that the Drive API is supported by the Google APIs Client Library for .NET:
http://code.google.com/p/google-api-dotnet-client/