I am looking for some clarification on how the Google OAuth 2.0 architecture handles the management of multiple Google Analytics accounts.
The scenario is straightforward: I am developing an analytics tool that hooks into a Google Analytics account and generates a report. I have a service account set up and verified and working with my own analytics account. My question is how to elegantly expand this so that incoming users can simply share permissions to their Google Analytics accounts with me, I can collect their data and pull up a report for them?
The confusion comes from the service account/OAuth 2.0 documentation. It seems that simplest thing I can do is create a client id and credentials, have users click a button, collect an authorization code and use it to generate an access and refresh token, then store the refresh token for later use. However, there also appears to be a means of using a service account that has permissions granted to is and simply changing the account id that I embed in the analytics query. There's also documentation of using Flow and Credential objects to perform authentication and access procedures.
I am mixing all of these up and can't get my bearings on what actually does what and with what limitations. Any help outlining the use cases and proper usages of these systems would be greatly appreciated. Thanks!
Related
We have a python fast api based application, that uses Salesforce credentials (username, password and security token) to fetch data from salesforce using SOQL queries.
I want this app to be published in Salesforce appExchange or Salesforce marketplace, so other users can find it.
How do I do this? Should I use connected apps? I also read somewhere about only API apps.
A tutorial or a head start will be much appreciated.
Thank you.
You will need to become a Salesforce partner (Trailhead) to list your solution on the AppExchange, and you'll need to pass the Security Review. If your application is paid, fees will be involved.
Note that some of the materials you'll find about AppExchange publishing will not apply to your situation as you are not building a Salesforce package, but an integrated application. You can disregard Trailhead modules on packaging.
Your application should be using OAuth, not raw user credentials and a security token. It is possible that this architecture will cause you to fail Security Review. (I am not a reviewer, but if I were, I would fail an application for this insecure design).
You will need to create a Connected App in a Salesforce org once you transition to using OAuth. This Connected App will identify your application.
Disclosure: I am a Salesforce employee but do not work on AppExchange.
I have an Google Analytics Account that I want to automate some custom reports from, but I have some problems understanding what kind of Credentials I need. Most of the tutorials I have seen says I need to use OAuth client ID but the google developers console site says I need a Servide Account key.
What is the difference between the two? Using another Analytics Account I tried to setup a OAuth connection, and it worked, but I now got unsure about what kind of key I should use.
What I want to do is to just have a Python script set up to run at some times, and then to get the data I want to query for. The data is just the same as the one I can get from logging into the Google Analytics UI, so there is no need for any users to consent to giving me access to any personal data or what ever else the Consent form should be used for.
Can someone explain what the difference is between the two Credentials and what one would be the correct one to use for my project?
Both Service accounts and OAuth2 are used to access private user data. Private data is data that is accessible only by logging in. My posts on Google+ are public anyone can see them. The information in my Google Analytics is private owned by me only I can see it and those I grant access to it.
With Oauth2 access is granted at run time. The first time an application is run the user will be asked if your application can access their data. If the user accepts and grants your application access you will be given a refresh token. This refresh token can be then used to get an access token which is used to access the private user data. Access tokens are only good for about an hour. After the hour is up you use the refresh token to get access again. That's why I say access is granted at runtime. You only have to ask the user for access once to get the refresh token though.
Service accounts on the other hand are pre authenticated. Service accounts are like dummy users they have their own google drive account and google calendar account. Because if this it is possible to shire data with them like you would any other user. You take the service account email address and add it as a user under the admin section of google analytics at the ACCOUNT level it must be the ACCOUNT level. Then using the service account in your code, you will be able to access the data for that Google Analytics account without requesting authentication from a user the first time.
Service accounts are most often used by developers to grant others access to the data owned by the developer. Oauth2 on the other hand would be used to access data of your customers for whos accounts you the developer does not personally have access to.
Technically speaking you can use either for your project as long as you store the refresh token you could technically use Oauth2 for your project. However I would not recommend it refresh tokens can expire under certain circumstances, which I will not go into.
I would recommend using a service account in your case it will be much easer for you to administrate as you will only need to set it up once.
My tutorials on the subject:
Google Developer console service account
Google Developer Console Oauth2 credentials
I was going through googles's api python-client-library and google analytics api . I was able to do all steps mentioned in official docs but then I got some doubts. Since I've never done this kind of thing before, so I need your valuable suggestions/tips.
My Goal:
Want to design a web application in Python(using django/flask) and google-api-python-client. I have few matrices(coming from my web ecommerce product that is using GA.) and I'm not sure if google analytics dashboard by default support at that deep level. so I will use Google's analytic api to customize data according to my need and show in my analytic web app(which can be accessed by any one).
Doubts/Queries:
1) first of all which reporting api I would be needing for this mentioned here. core api or metadata api?
2) while I was setting up the project and client key, I chose 2nd option(OAuth 2.0 client ID)
is that ok or should I chose service account? once I selected 2nd options there were couple of radio buttons(web, android, ios, other, etc.) I chose other or should I chose web?
3) once i chose other option from radio button list, I executed my script and it prompt a browser to ask for permission, I allowed. here my question is if I put my application on production would there not be any browser, what would happen in that case?
I would really appreciate if you can help me in these queries, sorry for long question, this is my first question.
PS: Bottom line is how one should structure and develop there analytic web application in general.
The key thing to understand is that Google Analytics is an authenticated API. It is designed make it easy to allow the end user to access their own data. It is designed to be hard to allow the end user to access data they do not own.
If you are building a web application to allow your users to access their own private data It is recommended that you use a client side authentication method, such as in this example or this example.
If you are trying to build a web application that shares your private data with your users there are a few ways to go about it:
You could collect the data server side in python using a service account (note you will have to add the service account the GA account you wish it to have access).
You can take a hybrid approach and have a service account generate an access token and use the embed api to actually make the query.
In the end I would encourage you to spend some time to read Using OAuth 2.0 to Access Google APIs, and understand senarios descussed and ask yourself which of these senerios will work best for my application.
I am new to web programming- I've recently been familiarizing myself with the webapp2 framework. I'm trying to start building a website, and would like users to login to the site with Facebook and I'll need access to their friends list. I've been trying to find a way to do this- I found out about OAUTH2, and I think this may be a way to do this. All the tutorials for python and OAUTH2 that I've found have been using the google API, I'm not sure if it's any different, but I haven't been able to get it to work.
Does anyone have sample code they can post that uses OAUTH2 (or anything else) to get users to sign in through Facebook? Or any good resources that can help me with this?
Your app needs to authorize users with Facebook, since there's where the resources you need are (e.g. friend lists).
This is a classic use of OAuth2 and you don't have a way around it, because FB implements this protocol.
My suggestion is that you look at the Google sample and then adjust it for FB API. The important changes are:
The endpoint URLs (e.g. authorize, token and user profile
The scopes that define the extent of permissions you are requesting (e.g. list of friends)
The user profile (e.g. the information returned by FB on a user: name, e-mail, etc)
This is a very simple sample that does this in Python. It was meant to run in Google App Engine. The only caveat is that it uses our own library to encapsulate the flow. But you can use it to study how the basic protocol works. Run the live demo and turn on dev tools on your browser to see the network activity.
You will notice that OAuth2 is a rather simple protocol, using simple HTTP requests.
I am using Google OAuth2 authentication with the following scope included:
https://www.googleapis.com/auth/plus.login
This allows my application to access a user's Google plus account information (basic).
Is it possbile to get a list of the user's "Circles" using the google-api-python-client
If yes, how?
Note: I am not using the Google+ Domains API, but the Google Plus API v1
There is no way to do this with the regular Google+ API. As you seem to be aware, it can be achieved with the Google+ Domains API but that requires your target user to be a Google Apps account and you to have admin access to the domain.