Service Accounts #32
Comments
Thanks @whoward for sharing this information! I'm not sure what a "Google Service" account is … Does this wiki information help you? https://github.com/tpitale/legato/wiki/OAuth2-and-Google It looks very similar to the process you're using.

Hi Tony, a Service Account, on the other hand, allows you to get an access token without the use of a browser, by instead providing a secure private key which is stored as a secure file on your server. Sadly, as far as I could see, the OAuth2 gem does not provide an easy-to-find method to achieve this, so I had to use Google's API Client gem to do the authorization. More information here: https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Oh, I see. For that, I've still used OAuth 1, but with additional tokens provided by Google. I don't run that script anymore, so they may have turned it off eventually.

Yeah, the problem with OAuth 1 is that they've deprecated it and I'd rather not have to update this later when they eventually remove it haha

Absolutely! Totally makes sense. I'd love for an article in the wiki on why you'd want to use a service account and how to get that token. Any other info you'd like to gather and write out would be great. I'll be happy to review and edit as needed. Thanks!

First of all, many thanks to @whoward for getting started on this! A pretty clear use case for a service account is a stats dashboard or autogenerated report. For example, I'm using dashing to attractively present various GA data I'm trying to get with Legato. However, I'm having a problem with the code provided:

All my config data I pulled right from the Google API Console project... I'm pretty darn sure the user has a Google Analytics account! Any thoughts?

Ah. When you create the Client ID in the API Console, the email address it gives you is something like 123@developer.gserviceaccount.com. Google doesn't treat this as being equivalent to your foo@gmail.com address, so you need to go to Google Analytics and manually give the gserviceaccount account access. I wrote something up for the wiki; I know it would've saved me a lot of time if I'd seen this issue when I was reading the OAuth page on the wiki yesterday. Feel free to edit or remove as you see fit. It'd be nice to integrate whoward's code into Legato proper to make it easier for end-users... but at the same time, we don't want to add a dependency on google-api-client when we don't have to. @tpitale can make a judgment call.

You can use Ruby's OpenSSL::PKCS12 class to open and read the private key file; the only bit I don't know about is how to get a token from the private key. Doing that should make it possible to drop the google-api-client gem.

@tsmacdonald I appreciate the article! I linked to it from the wiki homepage explicitly. I'd rather not add any specific auth code. For the most part, legato just wants you to give it the oauth2 token so it can make requests; it doesn't want to care where you get it from. I really like the approach of telling people how it can best be handled in their own code. There are so many different ways to do it, and many different needs. Making service accounts easy could be its own gem, even. 😄 @whoward If you do figure out how to get the token out of the key, please open a new issue and we can do something with that info. Or reopen this one. Thanks everyone!

Hi, just implemented this Service account example, thanks for doing all the hard work! Just one thing though: the Wiki page says the service accounts never expire, but they actually do after one hour: https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration I handle this expiration in my code by passing an options hash into Oauth2::AccessToken.new like so:

This allows me to look at the cached Legato user instance and determine if I need to re-authorize:

Would be great if you could update the wiki and example code! Thanks!

Thanks @RichardJohansson, I've updated the page!
For me, this only worked after doing the following:

```ruby
require 'google/api_client'
require 'signet/oauth_2/client'
require 'oauth2'
require 'legato'

def login_service_account(scope = 'https://www.googleapis.com/auth/analytics.readonly')
  client = Google::APIClient.new(
    :application_name => 'MYAPP.COM',
    :application_version => '1.0'
  )
  # Google ships the service-account key as a PKCS12 file whose password is 'notasecret'
  key = Google::APIClient::KeyUtils.load_from_pkcs12('/PATH/TO/KEY.p12', 'notasecret')
  client.authorization = Signet::OAuth2::Client.new(
    :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
    :audience => 'https://accounts.google.com/o/oauth2/token',
    :scope => scope,
    :issuer => 'LONG-EMAIL-ADDRESS@developer.gserviceaccount.com',
    :signing_key => key)
  client.authorization.fetch_access_token!
  # Legato only needs an OAuth2::AccessToken, so wrap the fetched token in a bare OAuth2 client
  oauth_client = OAuth2::Client.new('', '', {
    :authorize_url => 'https://accounts.google.com/o/oauth2/auth',
    :token_url => 'https://accounts.google.com/o/oauth2/token'
  })
  # expires_in is in seconds (3600 == 1.hour; the latter needs ActiveSupport)
  token = OAuth2::AccessToken.new(oauth_client, client.authorization.access_token, expires_in: 3600)
  Legato::User.new(token)
end
```

I'm not sure if something has changed in
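The gem-free route whoward asks about above (signing a JWT with the key from the PKCS12 file and exchanging it at the token endpoint) and the one-hour expiry Richard points out, as an added example that is not from this thread or from the legato project. It uses only the Ruby standard library; the key path and the service-account address are placeholders, it posts to the accounts.google.com token endpoint used in the code above, and `verify_assertion` mirrors what the token endpoint checks so the assertion can be inspected offline.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'net/http'
require 'uri'

# Token endpoint used in this thread and Google's JWT bearer grant type.
TOKEN_URI = 'https://accounts.google.com/o/oauth2/token'.freeze
JWT_BEARER_GRANT = 'urn:ietf:params:oauth:grant-type:jwt-bearer'.freeze

# JWT segments are base64url without '=' padding.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# The downloaded service-account key is a PKCS12 file with the password 'notasecret'.
def load_signing_key(p12_path, password = 'notasecret')
  OpenSSL::PKCS12.new(File.binread(p12_path), password).key
end

# Build the RS256-signed assertion that stands in for a user's consent.
# `now` is injectable so the assertion can be checked deterministically.
def build_assertion(key, issuer:, scope:, now: Time.now.to_i, lifetime: 3600, audience: TOKEN_URI)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = { iss: issuer, scope: scope, aud: audience, iat: now, exp: now + lifetime }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# What the token endpoint checks before issuing a token: an RS256 signature over
# header.claims by the key registered for the issuer, and an unexpired exp.
# Returns the claims hash, or nil if anything fails.
def verify_assertion(jwt, public_key, now: Time.now.to_i)
  h, c, s = jwt.split('.')
  return nil unless h && c && s
  return nil unless JSON.parse(b64url_decode(h))['alg'] == 'RS256'
  valid = begin
    public_key.verify(OpenSSL::Digest::SHA256.new, b64url_decode(s), "#{h}.#{c}")
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return nil unless valid
  claims = JSON.parse(b64url_decode(c))
  claims['exp'].to_i > now ? claims : nil
end

# Exchange the assertion for a bearer token (network call). Google answers with
# access_token and expires_in (3600 seconds), so record an absolute expiry time.
def fetch_access_token(assertion, token_uri: TOKEN_URI)
  res = Net::HTTP.post_form(URI(token_uri), 'grant_type' => JWT_BEARER_GRANT, 'assertion' => assertion)
  raise "token request failed: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)
  body = JSON.parse(res.body)
  { access_token: body.fetch('access_token'), expires_at: Time.now.to_i + body.fetch('expires_in').to_i }
end

# Re-authorize a little before the hour is up so a report run does not fail mid-way.
def token_expired?(token, now: Time.now.to_i, skew: 60)
  token[:expires_at] - skew <= now
end

# Full flow; key path and issuer are placeholders for your own values.
def service_account_token(p12_path, issuer, scope = 'https://www.googleapis.com/auth/analytics.readonly')
  key = load_signing_key(p12_path)
  fetch_access_token(build_assertion(key, issuer: issuer, scope: scope))
end
```

`service_account_token('/PATH/TO/KEY.p12', 'LONG-EMAIL-ADDRESS@developer.gserviceaccount.com')` returns the access token plus its absolute expiry; hand `token[:access_token]` to `OAuth2::AccessToken.new` with `expires_in: token[:expires_at] - Time.now.to_i` exactly as in the function above, and call `token_expired?` before reusing a cached `Legato::User`. Keep the `.p12` file outside the web root with restrictive permissions, since anyone holding it can mint these assertions for the same service account.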
Hi everyone,

I'm just writing because I couldn't find any docs on how to use Google Service accounts with Legato (I believe I need a service account since this is used for an automated reporting process), but I kind of hacked a working solution together so I thought I would share; maybe it would make a good wiki article.

The solution uses the `google-api-client` gem to authorize a service account and get an access token which it then injects into the OAuth2 gem (this is a lot of unnecessary boilerplate code IMO and very hacky, so please, by all means, if you see a way to improve it let me know!)

The `config("google")` call loads up the secure authorization data as a hash. I'll give you some dummy data to make it more clear what's going on.

So again this is very hacky and if you'd like to improve on this to make it simpler and not requiring the extra `google-api-client` gem I'd love to hear about it!