I am running a research project where we create the participant's Jawbone accounts. I am writing a piece of program that captures all of the participants' step counts. I am wondering how I can feed the username and password without having this page below pop up.
In essence, I want to streamline the process so that I can get the oauth access token without any user manual input. I am writing all of this in Python (Google App Engine).
The only way to avoid that page is to have already stored the OAuth tokens for the user. As part of the OAuth protocol, each user has to grant your application access to the data.
How are you planning to gather the users' accounts and credentials?
I would recommend that instead of gathering users' emails and passwords manually, you:
Build a simple sign up flow in your app according to the UP Authentication doc.
Have your users run that flow
Save their OAuth tokens for later use
Related
I am attempting to programmatically create federated user account and setup that user account using automation.
The reason for this is because we would want to create customized user environments (by logging in the user).
By Default when a domain is federated at IBM, the user account at that domain is not created, the user has to login for the account to be created. See notes from Documentation:
I want to have the user created so automation scripts can provision services and resource using Schematics SDK (Workspace)
I found that the user can be logged in and trigger account creation by using CLI
https://cloud.ibm.com/docs/account?topic=account-federated_id
The program is that when using CLI, it prompts for a one-time code for SSO logins (federated)
It says to avoid the one-time codes for automation scripts, you have to use API key
https://cloud.ibm.com/docs/account?topic=account-federated_id#api_key
However you can only get the API key after the user has been created. Which brings me to this question.. how do we get the API key before getting the user logged, is there a way programmatically or what have others done in python to get around this one-time token prompt to log in the federated user so that their environment and account is created for schematics and other automation scripts to deploy instances etc.?
Background info
I'm currently in the process of making a system that tracks work sessions, and the shifts done by people in those sessions. It will consist of a discord bot for alerts and responses to invites, a python app for initiating these sessions & invites, and eventually a rails web app for everything. Users will log on with their google accounts. MySQL database currently stores all the data.
Question
I want to make it so my python script (and eventually web app) users can log on using their Google accounts. What's the simplest use of OAuth2 to just get the user's email? The SQL database has their email and it would be nice to just have some simple call to the Google API that returns the email of the user, so I can cross-reference that with my user table to find which user is logging on.
Also...
This isn't just me being lazy and wanting someone else to give me the code for this project, I've actually done Google authentication before with accessing spreadsheets shared with users, however in this example I feel as though it could be simplified as I don't need access to any of the user's Google account, just which email they used to sign in, and I can't find a way myself.
I have an Google Analytics Account that I want to automate some custom reports from, but I have some problems understanding what kind of Credentials I need. Most of the tutorials I have seen says I need to use OAuth client ID but the google developers console site says I need a Servide Account key.
What is the difference between the two? Using another Analytics Account I tried to setup a OAuth connection, and it worked, but I now got unsure about what kind of key I should use.
What I want to do is to just have a Python script set up to run at some times, and then to get the data I want to query for. The data is just the same as the one I can get from logging into the Google Analytics UI, so there is no need for any users to consent to giving me access to any personal data or what ever else the Consent form should be used for.
Can someone explain what the difference is between the two Credentials and what one would be the correct one to use for my project?
Both Service accounts and OAuth2 are used to access private user data. Private data is data that is accessible only by logging in. My posts on Google+ are public anyone can see them. The information in my Google Analytics is private owned by me only I can see it and those I grant access to it.
With Oauth2 access is granted at run time. The first time an application is run the user will be asked if your application can access their data. If the user accepts and grants your application access you will be given a refresh token. This refresh token can be then used to get an access token which is used to access the private user data. Access tokens are only good for about an hour. After the hour is up you use the refresh token to get access again. That's why I say access is granted at runtime. You only have to ask the user for access once to get the refresh token though.
Service accounts on the other hand are pre authenticated. Service accounts are like dummy users they have their own google drive account and google calendar account. Because if this it is possible to shire data with them like you would any other user. You take the service account email address and add it as a user under the admin section of google analytics at the ACCOUNT level it must be the ACCOUNT level. Then using the service account in your code, you will be able to access the data for that Google Analytics account without requesting authentication from a user the first time.
Service accounts are most often used by developers to grant others access to the data owned by the developer. Oauth2 on the other hand would be used to access data of your customers for whos accounts you the developer does not personally have access to.
Technically speaking you can use either for your project as long as you store the refresh token you could technically use Oauth2 for your project. However I would not recommend it refresh tokens can expire under certain circumstances, which I will not go into.
I would recommend using a service account in your case it will be much easer for you to administrate as you will only need to set it up once.
My tutorials on the subject:
Google Developer console service account
Google Developer Console Oauth2 credentials
I migrated away from Google App Engine several months ago. But I am still relying on it for authentication, because my users are identified by their user_id attribute on GAE.
For this purpose my (now external) applications redirect the user to a Google App Engine application using a encrypted, signed and timestamped login request. The GAE application then performs the login using GAE's "Users" service. After successfully being logged-in on GAE, the user is again redirected using a encrypted, signed and timestamped response to my external application.
The rudimentary implementation can be found here and here. As you can see, this is very basic and relies on heavy crypto that leads to bad performance.
My external applications, in this case Django applications, are storing the user_id inside the password field of the user table. Besides the user_id, I only get the email address from GAE to store username and email in Django.
Now I would like to remove the dependency on the GAE service. The first approach which comes to mind would probably be to send an email to each user requesting him to set a new password and then perform my own authentication using Django.
I would prefer a solution which relies on Google's OpenID service so that there is actually no difference for the user. This is also preferred, because I need to send the user to Google anyway to get AuthSub tokens for the Google Calendar API.
The problem is that I couldn't find a way to get the GAE user_id attribute of a given Google Account without using GAE. OpenID and all the other authentication protocols use different identifiers.
So now the question is: Does Google provide any API I could use for this purpose which I haven't seen yet? Are there any other possible solutions or ideas on how to migrate the user accounts?
Thanks in advance!
The best way to do this is to show users a 'migration' interstital, which redirects them to the Google OpenID provider and prompts them to sign in there. Once they're signed in at both locations, you can match the two accounts, and let them log in over OpenID in future.
AFAIK, the only common identifier between Google Accounts and Google OpenID is the email.
Get email when user logs into Google Account via your current gae setup. Use User.email(). Save this email along with the user data.
When you have emails of all (most) users, switch to Google OpenID. When user logs in, get the email address and find this user in the database.
Why don't you try a hybrid approach:
Switch to OpenId
If your application already knows the userId, you are done
If not ask the user, if he has an account to migrate
If yes, log him in with the old mechansim and ttransfer the acount
If not create a new account
Google has a unique identifier that's returned as a parameter with a successful OpenID authentication request - *openid.claimed_id* . If you switch to using OpenID you could essentially exchange the user_id for this parameter the first time a user logs in using the new method without the user noticing anything different about their login experience.
Documentation for the authentication process is outlined here. I'd recommend using the hybrid OpenID+OAuth approach so that you can associate your request token with a given id, then, upon return, verify that the openid.claimed_id matches your original request token.
How does one handle logging in and out/creating users, without using Google Users? I'd like a few more options then just email and password. Is it just a case of making a user model with the fields I need? Is that secure enough?
Alternatively, is there a way to get the user to log in using the Google ID, but without being redirected to the actual Google page?
I recommend using OpenID, see here for more -- just like Stack Overflow does!-)
If you roll your own user model, you're going to need to do your own session handling as well; the App Engine Users API creates login sessions for you behind the scenes.
Also, while this should be obvious, you shouldn't store the user's password in plaintext; store an SHA-1 hash and compare it to a hash of the user's submitted password when they login.