If you're designing an app that uses one of the many, many APIs available through Google but doesn't need to access or store user data, it may not be necessary to make the user sign in to Google at all. Authentication will still be required in some capacity to use the API, though. An alternative is to create a service account and authenticate using server-to-server OAuth 2.0. The service account essentially turns your server into a "user" with its own set of credentials. Once your app is set up with the proper credentials, the service account (the "user" your server acts as) maintains a cycle of verification with Google, allowing you to make use of the API.
To get started, you'll need to get the appropriate credentials from Google. Open a new project in the Google Developer Console. Under Credentials, click "Create Credentials" and choose "Service Account Key." Keep in mind that you will also need the appropriate API key for the specific API or APIs you intend to use. While you're investigating your API, check that the requests you intend to make do not specifically require user sign-in; there are cases where server-to-server authentication is not possible.
Fill out the form and choose the JSON key type. The service account key will download to your computer. Keep in mind that this file is only sent once, so keep track of it! Create an auth.json file and put it somewhere easily accessible in your project's directory, but before we get too far ahead of ourselves, make sure you add this file to .gitignore. You do not want to accidentally commit this file to your public GitHub profile and have someone find it and use it for malicious ends! Now add a reference to this file in your .env like this (GOOGLE_APPLICATION_CREDENTIALS='./auth.json'), with the appropriate relative path for your project.
The specific package requirements may vary depending on which API you intend to use, but in your server file you will need to require the necessary packages once you've installed them as dependencies of your project. More than likely you'll at least need the `googleapis` package. You'll also need to require auth.json and assign it to the variable "key." As you can see in the above example, there is a variable called scopes. This is an array of all the API scopes your application needs access to. Read the docs for the specific API you're using to find which scopes are necessary. The scopes vary depending on how you're using the API, and they tell Google exactly what your app is requesting access to. As you can see in the above example, access to the scopes "/calendar" and "/calendar.events" was necessary for the app to function.
Then, using the information stored in the "key" variable from auth.json, you'll need to create what's called a JSON Web Token and store it in the variable "jwt". This token is an encrypted version of the contents of your service account credentials that will be sent to Google before each API request to prove the identity and credentials of the service account. You can think of this as the stand-in "user" (your server) signing in to Google. This "user" signs in before every request to the Google API by making an authorization request with the JSON Web Token, which is accomplished by calling `jwt.authorize()`. This function sends the credentials to Google. If all your credentials are correct, Google will send a response message containing an access token, which can be thought of as a permission slip. Google is giving your application permission for that request to the API, so when you make the actual API call from within the successful authorization callback, you'll need to send the access token in the headers. You can use the example below for reference. This access token expires every hour, so don't expect to be able to save it and avoid making the authorization call again and again. But that's it. Once you are successfully getting all the appropriate data back from the API, your app is set up to maintain persistent verification with Google.
Although it may seem confusing and daunting at first, server-to-server authentication is a relatively straightforward way to get the functionality you want from Google APIs without forcing the user to log in when it's not necessary.