OAuth (Open Authorization)


Are you developing an application to work with one of the Google APIs? Do you already have an application and want to add Google login support? Are you having problems authenticating to Google and accessing your data? I am here to shed a little light on the Google authentication system.
If so, you have probably seen this page: Google OAuth2. While that page is very nice and informative, I find it hard to understand if you are new to OAuth2. In this article I am not going to show you any code; what I am going to do is explain the different parts of Google authentication so that you can better judge which system you need to use. Once you have decided, you can look for a tutorial that suits your needs, either here on my website if you are using PHP or C#, in someone else's tutorials, or in the Google documentation. Let us get started.

How can I access Google APIs with a login and password?

I see this question at least a few times a week on StackOverflow.com. The answer is that you cannot. In April 2015 Google began shutting down the ClientLogin servers, and by May 2015 they had finished: any code you find that shows how to log in and access a Google API with a login and password will no longer work. To access Google APIs now you must use OAuth 2 (or, for public data only, an API key).

What is OAuth?

OAuth (Open Authorization) gives client applications "secure delegated access" to server resources on behalf of a resource owner. It specifies a process by which a resource owner authorizes third-party access to their server resources without sharing their credentials. Despite the way the name is often mis-expanded, OAuth is an authorization protocol: it tells the API what an application is allowed to do on a user's behalf; it is not by itself a way of proving who the user is.

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts and data. The owner of the data can grant an application access to their data without sharing their login and password with it, and if the user later changes their password the application will still have access. The user can also give the application only limited access. In the old world of ClientLogin, if I gave an application my Google login and password, the application had access to my full Google account. With OAuth, I can give the application access to just my Google Drive without giving it access to my Gmail data, and I can revoke that access later from my account settings without changing my password.

In order to use OAuth you have to register your application with Google via the Google Developer Console. We register our applications so that Google can keep track of who is using its APIs, apply quotas, and disable a client that misbehaves. There are three different types of credentials for accessing Google APIs:

Public API Key

You can use a public API key if you are accessing public data, that is, data that isn't owned by any particular user: posts to Google+ that are set to public, the Google Analytics Metadata API, YouTube's search for public videos, and Google Maps. The key identifies your project for quota purposes; it does not identify a user, and since it is sent with every request it cannot be treated as a secret. Restrict where the key may be used (by HTTP referrer, IP address or app package) in the console so that a leaked key cannot be used to consume your quota from elsewhere.
[Images: creating a public API key in the Developer Console; Google public API access; an example request]

3 legged OAuth2

If you want to access a user's data you need to use OAuth2 and ask the user for permission to access their data. You have probably seen OAuth at work before: it is normally a web browser window that pops up and asks whether you want to grant an application access to something.

For example: if your application lets users upload files to their Google Drive account, you need their permission to upload to their Google Drive. If you want to access my Google Analytics data you would have to ask me first; if you want to access my Google Drive, again this is my data and you need my permission to access it.

[Image: OAuth2 consent window]
This is what a user sees when they authorize your application using OAuth2.

In the image, you can see that the application "Google Analytics Windows" would like to view your Google Analytics data. You now have a choice: accept and give the application access, or cancel and not give it access. If you do not give an application access to the data it needs, you will not be able to use the application.

Note: The different permissions are referred to as scopes: the scope of access your application needs. It is very important to request only the permissions your application requires in order to do what it was designed to do. If you do not need Gmail access, don't ask for it. Users are more likely to refuse a consent screen that asks for more than the application obviously needs, and a narrow scope limits the damage if your application's tokens are ever stolen.

In order to use OAuth2 you must also register your application in the Google Developer Console. When creating a new client ID you can choose between a client ID for a native application, which would be a mobile application or a Windows application, and a client ID for a web application. The main difference is the redirect URI: the authorization server needs to know where to send the user back, carrying the authorization code, after they grant access. For a native application there is no website to return to, so the code is sent back to the same machine the request came from (a loopback address such as http://127.0.0.1 on a port your application is listening on). For a web application, the server redirects the user to a redirect URI on your website that you registered in the console, and it will refuse any URI that does not match exactly; that exact-match rule is what stops an attacker from having codes meant for your application delivered to a site they control.

[Images: creating a client ID for a native application; creating a client ID for a web application]
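As an added example (this is not code from the original post, which shows none), here is the three-legged flow described above as a client would implement it in Go with only the standard library: building the consent-screen URL with the requested scopes, checking the redirect that comes back, and preparing the token exchange. It assumes a native application using a loopback redirect (http://127.0.0.1:8080/callback) and a made-up client ID, and it does not perform the network calls, so it runs offline. Two protections the text does not mention but that any current client should use are included: a random state value, so that a redirect that was not started by this client is rejected, and PKCE (code_challenge/code_verifier), which ties the code exchange to the client that began the flow.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Google's public OAuth 2.0 endpoints.
const (
	authEndpoint  = "https://accounts.google.com/o/oauth2/v2/auth"
	tokenEndpoint = "https://oauth2.googleapis.com/token"
)

// AuthRequest is what the client must remember between sending the user to
// the consent screen and receiving the browser redirect back.
type AuthRequest struct {
	URL          string // send the user's browser here
	State        string // random per-login value; the redirect must echo it back
	CodeVerifier string // PKCE secret; only its SHA-256 travels in the URL
}

func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildAuthRequest assembles the consent-screen URL. scopes should be the
// minimum the application needs (e.g. drive.file rather than full drive).
func BuildAuthRequest(clientID, redirectURI string, scopes []string) (*AuthRequest, error) {
	state, err := randomToken()
	if err != nil {
		return nil, err
	}
	verifier, err := randomToken()
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(verifier))
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI) // must exactly match a URI registered in the console
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(sum[:]))
	q.Set("code_challenge_method", "S256")
	q.Set("access_type", "offline") // also ask for a refresh token
	return &AuthRequest{URL: authEndpoint + "?" + q.Encode(), State: state, CodeVerifier: verifier}, nil
}

// HandleRedirect parses the URL the browser was sent back to and returns the
// authorization code. A redirect whose state does not match the one we issued
// was not started by this client session (CSRF or a stale/foreign response),
// so its code must never be exchanged.
func HandleRedirect(redirectedTo string, req *AuthRequest) (string, error) {
	u, err := url.Parse(redirectedTo)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e) // e.g. access_denied when the user cancels
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(req.State)) != 1 {
		return "", errors.New("state mismatch: redirect does not belong to this login attempt")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("redirect carried no authorization code")
	}
	return code, nil
}

// TokenRequestBody is the form body POSTed to tokenEndpoint to swap the
// one-time code for an access token (and refresh token). The code_verifier
// proves to Google that the client finishing the flow is the one that began it.
func TokenRequestBody(code, clientID, clientSecret, redirectURI string, req *AuthRequest) url.Values {
	v := url.Values{}
	v.Set("grant_type", "authorization_code")
	v.Set("code", code)
	v.Set("client_id", clientID)
	v.Set("client_secret", clientSecret) // web-app credential; native apps cannot keep a real secret
	v.Set("redirect_uri", redirectURI)
	v.Set("code_verifier", req.CodeVerifier)
	return v
}

func main() {
	// Constructed values: a native app listening on a loopback port.
	req, err := BuildAuthRequest("123-example.apps.googleusercontent.com",
		"http://127.0.0.1:8080/callback", []string{"https://www.googleapis.com/auth/drive.file"})
	if err != nil {
		panic(err)
	}
	fmt.Println("open in browser:", req.URL)
}
```

The client ID and the drive.file scope are placeholders. The state check uses a constant-time comparison out of habit rather than necessity; the important property is that a redirect with a missing, forged or reused state is refused before any code is exchanged.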

Service Account

Think of a service account as a pseudo-user: an account that belongs to your application rather than to a person. A service account has its own Google Drive, Google Calendar and probably a number of other Google services. It also has an email address, which you can use to grant it access to your data: with the service account's email address you grant it access to data just as you would any other user.
I could, for example, give a service account access to a folder on my Google Drive; it would then have permission to upload files to my Google Drive. I could also grant it access to my Google Analytics data and it would be able to read my Google Analytics data.
Service accounts are very good for accessing data that you, the developer, own. You cannot use one to reach data you do not already have access to yourself; for that you need OAuth2 and must ask the user for permission. A service account authenticates with a private key that Google issues when you create it, so the downloaded key file is as sensitive as a password: keep it out of source control and replace it if it is ever exposed.
Not all of the Google APIs support service account authentication; Blogger and YouTube are two examples that I have found of APIs that do not support service account authentication.

[Image: creating a service account in the Developer Console]
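As an added example (not code from the original post), the following Go code shows how a service account actually proves it is the pseudo-user described above. Google's documented mechanism is a JWT bearer grant: the client builds a JSON Web Token naming the service account's email as issuer, the requested scopes, and the token endpoint as audience, signs it RS256 with the account's private key, and POSTs it to https://oauth2.googleapis.com/token with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and assertion=<the JWT>, receiving a short-lived access token in return. The email address and key pair here are generated placeholders; a real key comes from the JSON file the console gives you. VerifyAssertion reproduces the checks the token endpoint makes so that the example can show offline why a forged, expired or wrong-key assertion gets no token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Google's token endpoint; it is also the audience the assertion must name.
const tokenEndpoint = "https://oauth2.googleapis.com/token"

// ServiceAccount holds the two fields a client uses from the JSON key file
// downloaded from the Developer Console: client_email and private_key.
type ServiceAccount struct {
	ClientEmail string
	PrivateKey  *rsa.PrivateKey
}

// Claims is the assertion payload; the field names are Google's.
type Claims struct {
	Iss   string `json:"iss"`   // service account email
	Scope string `json:"scope"` // space-separated scopes being requested
	Aud   string `json:"aud"`   // must equal tokenEndpoint
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"` // at most iat + 1 hour
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignedAssertion builds header.claims.signature, signed RS256 with the
// account's private key. Possession of that key is the whole credential.
func SignedAssertion(sa *ServiceAccount, scopes []string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(Claims{Iss: sa.ClientEmail, Scope: strings.Join(scopes, " "),
		Aud: tokenEndpoint, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, sa.PrivateKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion does locally what the token endpoint does on receipt: the
// RS256 signature must verify under the account's public key, the audience
// must be the token endpoint, and the validity window must be open and short.
func VerifyAssertion(token string, pub *rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != tokenEndpoint {
		return nil, errors.New("wrong audience")
	}
	if c.Exp-c.Iat > 3600 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("assertion expired or lifetime too long")
	}
	return &c, nil
}

// NewTestAccount makes a throwaway key pair so the example runs offline; a
// real account's key comes from the downloaded JSON file and must be guarded.
func NewTestAccount() (*ServiceAccount, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ServiceAccount{ClientEmail: "robot@example.iam.gserviceaccount.com", PrivateKey: key}, nil
}

func main() {
	sa, err := NewTestAccount()
	if err != nil {
		panic(err)
	}
	jwt, _ := SignedAssertion(sa, []string{"https://www.googleapis.com/auth/drive.readonly"}, time.Now())
	fmt.Println("POST grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=" + jwt)
}
```

Because the only secret is the private key, anyone holding the key file can mint assertions for any scope the account has been granted, which is why the scopes you grant the account's email address should be as narrow as the scopes you would request from a user.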

Conclusion

You should now understand the different ways of accessing data from the Google APIs. If you only need to access public data, you can use a public API key; if you need to access another user's data, you will need to use OAuth2 and ask for their consent; and if you are accessing data that you, the developer, own, you can use a service account. I hope this article helped to clear up a little of the mystery behind Google authentication.