all
I successfully can use OAuth to work with GA service, there are a lot of code already written for this. And for security purposes, i can't store user google account credentials.
So, i prefer to use OAuth.
But, i can't found any examples how to use OAuth with Google Adwords / AdSense services.
Because they use SOAP and ClientLogin, but on this page http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html
Google suggest to use OAuth instead of ClientLogin (but at this page http://googlecodesamples.com/oauth_playground/ no AdWords / AdSense scopes defined)
Does anyone have a solution?
Thx
You can leverage Google's OAuth libraries quite easily to accomplish this, but the AdWords API is a little more tightly controlled than other Google API services.
The AdWords SDK includes an AdWordsUser entity which handles OAuthing for you, you just need to configure it properly.
Step 1: Sign up for the AdWords API. Upon approval, you will get a developer token.
https://developers.google.com/adwords/api/docs/signingup
Step 2: Create an application at the Developers API console.
Go to https://console.developers.google.com
Click on Credentials
Create a new "Client ID", which will generate Client ID and Client Secret credentials. Make sure you pick the right application type (native/embedded vs web application). You will need to whitelist the redirect URLs of your own application here to allow the end user to bounce back to the app. If this is a server-side application, choose "Client ID for native application". You will use fancy things like refresh-tokens to gain access.
Step 3: Grab an Adwords SDK in the language of your choosing (https://github.com/googleads) and configure it with the credentials needed.
Note
When requesting scopes in OAuth if you're not using the AdWords API Client SDK, make sure to include the scope "https://www.googleapis.com/auth/adwords" otherwise the credentials you get back won't actually let you do anything against the AdWords API. This is critical! (http://googleadsdeveloper.blogspot.com/2014/07/new-oauth-20-scope-for-adwords-api.html)
Related
Fellow programmers,
It is hard for me to wrap my head around this whole token based OAuth authorization flow so please forgive me my eventual stupidity and broken english (I'm from Poland).
I'm developing a web service using .NET's Web API 2 technology and 2 native clients: Windows Store (8.1) & Windows Phone 8.1.
Some controllers on the API side of course need authorization. I want the users not to be forced to create a new account in my system with seperate login data so I've decided to use Microsoft authentication.
I've created an application on Live.com developers and got my client ID & secret. Then I've enabled the Microsoft authentication in App_Start\Startup.Auth.cs with correct ID & secret.
Now, I've made a native client (Win Store app) using Live SDK 5.6 (newest available) and associated it with the store. I managed to sign in to my account in the client using that SDK and get some basic data about me just for testing purposes.
But that's all I managed to do. My question is:
How can I use the Live SDK on the client to login to my own Web API? What's the flow?
I've found this:
http://leastprivilege.com/2013/02/02/asp-net-web-api-authentication-using-the-microsoft-account/
And it says I have to send the authentication token to my service using auth header, but my authentication token in null, I only have the access token. Also, to which URL do I send it?
Some other "useful" info about what I've done (will update):
When creating the LiveAuthClient I didn't give the constructor any redirect URL
I have a Web API application and I've understood OAuth would be the standard security model for APIs where an Authentication Server would become responsible to generate Authorization Tokens so that the user can send to our server and consume the services.
I'm very new to this but I understand the roles involved:
Resource Owner
Client
Resource Server
Authorization Server
But what is OAuth exactly in practice, not in theory? Is it a .NET library? Is it a service provided by a separate Company? Is it something I can configure on my local development machine and see how it works?
How to get started with OAuth to secure a Web API application?
OAuth is a protocol; the current version is OAuth 2.0. More to your question, that link lists several implementations of the protocol in various technologies. For use with the .NET Web API you're probably interested in DotNetOpenAuth which provides implementations of both OAuth 1 and OAuth 2.
I'm using DotNetOpenAuth in an app I'm working on now to secure a .NET Web API. I've got an OAuth2Handler which extends DelegatingHandler which is inserted into the Web API pipeline before incoming requests reach any controllers. OAuth2Handler does the following:
Instantiates a DotNetOpenAuth ResourceServer
Calls ResourceServer.GetPrincipal() which reads and decrypts an access
token (issued elsewhere by the AuthorizationServer and returns an
OAuthPrincipal (In my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass and creating a ClaimsPrincipal.)
Assigning the IPrincipal containing the user information read from the access token to the User property of the thread and current HTTP context so it is available from the ApiController.User property in the service controllers: httpContext.User = Thread.CurrentPrincipal = principal;
Honestly, getting this all working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a good guide on the DotNetOpenAuth site. Here's a few other tasks you'll have ahead of you if you go this route:
Implement IAuthorizationServer - This is the interface provided by
DotNetOpenAuth that allows you to plug in to the library and use
their implementation to issue OAuth2 access tokens. You'll also need to implement INonceStore and ICryptoKeyStore which I did using an EntityFramework context for storage.
Configure Certificates - The AuthorizationServer and ResourceServer each use certificates to encrypt/decrypt the access token ensuring they are only accessible to each other. I built some custom configuration so I could manage this configuration in the web.config files of my authorization server app and my Web API services (resource server).
Manage Refresh Token - When first requesting an access token from the authorization server you'll get back (depending on your configuration) both an OAuth2 refresh token and an access token. The services use the access token which should be short-lived. The refresh token is used to get more access tokens. The refresh token should be kept secret (whatever that means in your scenario). For me it means the refresh token is never exposed to client-side javascript in my web app.
I hope that helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This SO answer gives a few more high level details of the client side of the picture.
(The DotNetOpenAuth online docs appear to be down right now... sorry for no links to them; Apparently it has happened before).
I am developing a website using ASP.Net and I want to integrate Social Network that gives the user to share a page to their Facebook, twitter,Google plus, linked in and other accounts
These sites will use OAuth, which you will need to integrate into your site.
For example, you could create a Facebook Application using the developers section on Facebook and then use the c# Facebook API from your ASP.Net application to authenticate with the application and post content to the users timeline. I implemented something like this recently, it's pretty simple to do.
You won't have a 'universal set of credentials' for all of the social media that you have mentioned, so you would need to manage and perform OAuth for each of the different Media, e.g. As well as post to Facebook, create a tweet for the user as well.
It's certainly possible, there are Social Marketing applications that do something like this, you just need to manage the access to the OAuth partners.
Just remember, never store credentials that the user has entered in your site. They are not managed by your site so you should never attempt to store them or do anything with them, always delegate to the 3rd party site and receive your access token back. That's all your application should be interested in
Have a read up on how OAuth works. Also, visit each sites developer documentation to see how their specific implementation of OAuth works. There are c# client applications for accessing the sites (c# facebook api, c# twitter api etc etc)
I have an application running on a server that periodically extracts data from Google Analytics. It doesn't issue many queries so I don't think any limit would be a problem.
I have a prototype running, however I had to provide a login a password for the authentication (in code).
I see that I can generate API keys and other kind of authentication bits and pieces in the Google APIs Console, however I am not sure how to use them and whether they can be used in place of the login/password.
It just doesn't seem right to use a user login/password to authenticate a server application.
Is there another way?
(I am using the C# client library)
You should be using OAuth 2.0. See:
http://code.google.com/p/google-gdata/source/browse/trunk/clients/cs/samples/oauth2_sample/oauth2demo.cs
for a sample OAuth workflow.
The best way to do this is with Google Service Accounts
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
However, I don't know off the top of my head the best library for c#, but there does appear to be support for it in the Google library. http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2#Service_Accounts
Here's a answer specifically about the PHP client.
Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?
I am in the processing of developing a web application which will integrate directly with a Google Calendar associated with a specific Google account. The account being accessed by the Google Data API is not likely to change, so I'm unsure what the most appropriate account authentication method is going to be.
I've reviewed the options avilable and it would seem that AuthSub and OAuth are inappropriate as I will not be logging users into their own account- only displaying and updating a fixed account. The other options available are ClientLogin and Gadgets authentication. Of all of them, ClientLogin seems the best fit, but the documentation states that it is intended for installed applications. While the web application I am developing is not specifically an installed application, it closely mirrors one in this scenario- which is why I think ClientLogin makes the most sense.
Which Google authentication option would be the best fit in this scenario?
After reading http://code.google.com/apis/gdata/docs/auth/overview.html it seems to me that OAuth is the most secure way to achieve your goals. Google recommends OAuth or AuthSub over ClientLogin for Web Applications. In addition using OAuth and AuthSub prevents your application from ever having control of the users email and password meaning you dont need to take the extra steps to protect and update the information. Between OAuth and AuthSub, OAuth is more universally adopted, and more secure due to the fact that requests are signed. Hope that helps.
EDIT: So I misunderstood exactly what your application was doing, if you are only using your google account any method of authentication is probably fine, that said google recommends OAuth or AuthSub for web apps. However the important thing to find out about OAuth and AuthSub is what the life of the token is. If there is no way to make the token last for a long time (months, years) then I would try to use ClientLogin, because then your application will always be able to login to the account. As a side note however for security I would recommend you NOT use your primary google account for the application instead create a second account and simply share the calendar with your primary account, that way if you application was compromised you would not lose your primary google account.