Microsoft Graph API code-based solution to access a user's OneDrive - python

I want to have access to a specific work user's OneDrive. I could register an application in Azure AD and assign one of two types of permission (delegated or application).
Based on the Microsoft Documentation if I register an app with the application-level access it could have access to all users' drives and based on this question on Stack Overflow there is no way to limit this access to a specific drive. So I ignored this approach.
On the other hand, based on the Microsoft Documentation if I want to assign delegated permissions to the defined app I have to manually approve the access list on the consent page. This is not desired for me as I'm looking for a code-based solution which runs behind the scenes on a regular basis.
Is there any solution that I could have access to a specific OneDrive by python code?

If you want to connect with only 1 user's OneDrive you can use ROPC flow which can work in your scenario. But this is not recommended by Microsoft because of security concerns. And yes, if you have MFA enabled, you cannot use it.

One of the good recommendations can be to use Graph API for OneDrive.
For example, one of the use cases can be to get the current user's OneDrive:
The signed in user's drive (when using delegated authentication) can
be accessed from the me singleton.
If a user's OneDrive is not provisioned but the user has a license to
use OneDrive, this request will automatically provision the user's
drive, when using delegated authentication.
HTTP request:
GET /me/drive
Resources that will help you to call Graph API from Python:
https://github.com/microsoftgraph/python-security-rest-sample
Edit:
Further, I have found a way in which you can disable user consent.
To configure user consent settings through the Azure portal:
Sign in to the Azure portal as a Global Administrator.
Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
Under User consent for applications, select Do not allow User Consent.
Select Save to save your settings.
If you want consent permissions other than this, you can design your own Consent.

Related

Daemon application authentication for OneDrive files

I have a OneDrive for Business user account within a large organization. I'd like to have a daemon service running (Python) that automatically uploads files to this user's OneDrive.
This service will be running in a headless VM, so browser-based authentication (especially if it needs to be done more than once) is very difficult.
What are my options for authenticating this app to allow it to write to the user's OneDrive? I've registered an app and created a client secret for it. I was experimenting with the authorization flow described here, but that SDK is deprecated and no longer supported, so I'd prefer to use Graph if possible.
What are my options for authentication with Python in this scenario, and is any sample code / example available?
Both delegated and application permissions are supported on MS Graph API: https://learn.microsoft.com/en-us/graph/api/drive-list?view=graph-rest-1.0&tabs=http. Application permissions might not be acceptable for your use case since they would allow access to all users' OneDrives?
Application permissions would definitely be the easiest choice.
But you can also implement this scenario using delegated permissions.
You would need the user to initialize the process by authenticating interactively once.
When they do that, store the refresh token in a secret store accessible by the server application.
Then it can use the refresh token to get a new refresh token + access token when needed.
This approach has some more complexity but does allow you to only give access to this one user's OneDrive for the app.
Also, keep in mind that refresh tokens can expire.
The user would need to re-authenticate if that happens.
If this process is critical, application permissions can be a really good idea despite the downsides.
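The refresh step described in this answer, as an added example that is not part of the original post: it trades the stored refresh token at the Microsoft identity platform v2.0 token endpoint, persists the rotated token, and surfaces the expiry case as a distinct error. The `store` object, the injected `post` transport and the `Files.ReadWrite` scope choice are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class ReauthRequired(Exception):
    """The stored refresh token was rejected; the user must sign in again."""


def http_post(url, form):
    """Default transport: POST a form, return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:  # OAuth errors arrive as HTTP 4xx + JSON
        return e.code, json.load(e)


def refresh_access_token(store, tenant, client_id, client_secret, post=http_post):
    """Trade the stored refresh token for an access token, persisting rotation.

    `store` is a hypothetical dict-like secret store (e.g. a vault wrapper).
    """
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": store["refresh_token"],
        # offline_access asks for a new refresh token with each response
        "scope": "offline_access Files.ReadWrite",
    }
    status, body = post(TOKEN_URL.format(tenant=tenant), form)
    if body.get("error") == "invalid_grant":
        # Expired or revoked: the case where the user has to re-authenticate.
        raise ReauthRequired(body.get("error_description", "invalid_grant"))
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
    # Save the rotated refresh token before using the access token, so a crash
    # later does not leave the store holding only the old one.
    if "refresh_token" in body:
        store["refresh_token"] = body["refresh_token"]
    return body["access_token"]
```

The returned access token is sent as `Authorization: Bearer <token>` on `GET https://graph.microsoft.com/v1.0/me/drive`; because the permission is delegated, `/me` resolves to the one user who signed in.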

Accessing Google Adsense API from a server with Python?

Is there any way to use Python to access the Google Adsense API from a server without any user interaction?
This is typically done by setting up a "service account", but Google's docs say that "AdSense doesn't support Service Accounts".
They say to use the web or installed application flows, but these require the user to manually confirm access for every access. My application needs to run on a headless server, without user interaction, so it can pull data every hour, so this won't work. This similar question suggests going through the user consent screen once and then caching the token on the server, but this isn't feasible in my case since my process needs to be 100% automated, and the token will eventually expire and require user interaction.
Unfortunately, Google's docs are quite unhelpful, and even worse their Python coding examples haven't been updated in 7 years, and don't even seem to have worked back then, as many of them don't even run Python 2.7, much less 3.
It's true that the AdSense Management API doesn't support service accounts. While there is setup required at first with the Web Flow, the same is true for service accounts which also have to be granted permissions on the account being accessed.
Regarding the tokens expiring, the Web Flow will yield a refresh token, which you can use to generate new access tokens (known as offline access, which doesn't require user involvement after the initial setup).

Login to google accounts programmatically via stored credentials

I have two separate google cloud accounts. I access/view some services that are currently only editable via the browser (not supported in the google-cloud api).
In order to do that, I have to 1) login to account 1 and view/edit services 2) Logout, and then again repeat step 1 for account 2
This is quite cumbersome. Now, google-cloud normally supports storing credentials for two separate accounts. But is there a way to login via the browser using these stored credentials?
To clarify, I'm talking of logging in generically to a google account without using stuff like selenium+chromedriver. I'd prefer if some sort of stored credentials could be used. In my use case, convenience (and speed of login/logout) matters somewhat more than security.
Is there a way to do this using python or some other language?
You can sign in to multiple Google accounts at once in browser.
If you have more than one Google Account, you can sign in to multiple
accounts at once. That way, you can switch between accounts without
signing out and back in again.
For more details check Sign in to multiple accounts at once
If you want to do this for gcloud (not browser) check gcloud config configurations

Automate report generation using Python, what kind of Credentials do I need

I have a Google Analytics Account that I want to automate some custom reports from, but I have some problems understanding what kind of Credentials I need. Most of the tutorials I have seen say I need to use OAuth client ID but the google developers console site says I need a Service Account key.
What is the difference between the two? Using another Analytics Account I tried to setup a OAuth connection, and it worked, but I now got unsure about what kind of key I should use.
What I want to do is to just have a Python script set up to run at some times, and then to get the data I want to query for. The data is just the same as the one I can get from logging into the Google Analytics UI, so there is no need for any users to consent to giving me access to any personal data or whatever else the Consent form should be used for.
Can someone explain what the difference is between the two Credentials and what one would be the correct one to use for my project?
Both Service accounts and OAuth2 are used to access private user data. Private data is data that is accessible only by logging in. My posts on Google+ are public; anyone can see them. The information in my Google Analytics is private, owned by me; only I can see it, and those I grant access to it.
With Oauth2 access is granted at run time. The first time an application is run the user will be asked if your application can access their data. If the user accepts and grants your application access you will be given a refresh token. This refresh token can be then used to get an access token which is used to access the private user data. Access tokens are only good for about an hour. After the hour is up you use the refresh token to get access again. That's why I say access is granted at runtime. You only have to ask the user for access once to get the refresh token though.
Service accounts on the other hand are pre authenticated. Service accounts are like dummy users; they have their own google drive account and google calendar account. Because of this it is possible to share data with them like you would any other user. You take the service account email address and add it as a user under the admin section of google analytics at the ACCOUNT level; it must be the ACCOUNT level. Then using the service account in your code, you will be able to access the data for that Google Analytics account without requesting authentication from a user the first time.
Service accounts are most often used by developers to grant others access to the data owned by the developer. Oauth2 on the other hand would be used to access data of your customers for whose accounts you the developer do not personally have access to.
Technically speaking you can use either for your project; as long as you store the refresh token you could technically use Oauth2 for your project. However, I would not recommend it: refresh tokens can expire under certain circumstances, which I will not go into.
I would recommend using a service account in your case; it will be much easier for you to administrate as you will only need to set it up once.
My tutorials on the subject:
Google Developer console service account
Google Developer Console Oauth2 credentials

Multi-domain authentication options for google app engine

I am looking for some suggestions to implement authentication (and authorization) in our GAE app. Assuming that our app is called someapp, our requirement is as follows:
someapp is primarily for google apps users of the domain it's installed for but can also authenticate users from other google apps domains.
For example, let's say google apps is configured on domainX.com and domainY.com. Additionally the admin for domainX.com has added someapp to their domain from the apps marketplace. The admin for domainX.com invites userA#domainX.com and userB#domainY.com to log on to the application. Both google app domain users should be able to use their SSO (single sign-on) functionality.
As far as we know, current authentication options in the app engine allow either domain login, which allows only the users of one domain to log in to the app or federated/openid login which would allow the users of any domain to log in to the app. There is no in-between option which would allow only the users of previously authorized domains to log on to the app. Does that mean our only option is to leave aside google apps authentication and implement our own custom authentication?
Also in our sample scenario above, what if domainX.com and domainY.com have both added someapp. If userA#domainX.com navigates to someapp.appspot.com, which installation of the app will be used, the one installed on domainX.com or the one installed on domainY.com.
Authentication does not imply authorisation. All that the federated ID system does for your application is give you a username/userid that you can trust. So you can set up your user accounts tied to this information and rely on the fact that whenever you see that userid you are talking to the same user. Or in the case of domain-wide applications, whenever you see someone with that domain in their userid.
It is completely up to your application to decide if that userid has any meaning on your application. If I login to your app now with my google account, it should say "Oh I haven't seen you before, would you like to join?" ... it should (depending on your app) not just assume I'm authorised to use your application, just because I told you my name.
I'm not sure where you got the "domain login model" from? The only two choices are Google Account and Open/FederatedID; neither of those attempts to restrict user access.
In your final example, users spanning multiple google accounts will see different results depending on if they have enabled multiple-signin or not. Most users will be presented with a screen to choose which google account they mean before continuing.
