Google APIs - Permissions to Application Concepts

Gonzalo Galante
Jan 31, 2022

To work with Google APIs it's necessary to understand some concepts that are repeated in all the implementations we make. Once we understand them, we can use the APIs very easily.

In this article I detail these concepts and how to apply them.

Google OAuth

Documentation

All APIs need permissions (SCOPES) to access the user's tool.

SCOPES = ['https://www.googleapis.com/auth/<SCOPE>', 'https://www.googleapis.com/auth/<SCOPE>']

Without these permissions the code will still run, but when it communicates with the Google API, the API will return an error saying that we are not authorized.

The list is extensive and applies to every Google Tool, not just GMP, but also GCP.

Below I put a link in case you want to see them all. I also think the most practical way is to go to the documentation of the API we are working with and look, inside the function we are going to execute, at which permission it needs; it is usually declared there.

List of Scopes

Tokens

Google has a security system in which our app redirects the user to a Google URL that includes the access (SCOPES) we request.
Google processes this and returns 2 tokens: one is the Access Token and the other is the Refresh Token.
The app we are building needs to store the Refresh Token for future use, and uses the Access Token to call the API.
When the Access Token expires, the Refresh Token lets us generate a new one.

Generating the token is easy: at the beginning of the function where we declare the permissions, we add the following code.

import os.path

from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials
from google_auth_oauthlib.flow import InstalledAppFlow

creds = None
# The file token.json stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
if os.path.exists('token.json'):
    creds = Credentials.from_authorized_user_file('token.json', SCOPES)
# If there are no (valid) credentials available, let the user log in.
if not creds or not creds.valid:
    if creds and creds.expired and creds.refresh_token:
        # The access token expired: use the refresh token to get a new one.
        creds.refresh(Request())
    else:
        flow = InstalledAppFlow.from_client_secrets_file(
            'credentials.json', SCOPES)
        creds = flow.run_local_server(port=0)
    # Save the credentials for the next run
    with open('token.json', 'w') as token:
        token.write(creds.to_json())
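
A check that complements the token handling above, as an added example that is not part of the original article: it writes token.json with owner-only permissions and audits a stored file for missing scopes, a missing refresh token and an expired access token. The function names are hypothetical, the JSON keys (scopes, refresh_token, expiry) are assumed to match what creds.to_json() writes, and the sample token is constructed.

```python
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample with the keys this check reads; every value is fake.
SAMPLE = {
    "refresh_token": "1//EXAMPLE",
    "scopes": ["https://www.googleapis.com/auth/drive.readonly"],
    "expiry": "2022-01-31T12:00:00Z",
}


def save_token(path, token_json):
    """Write the token file with owner-only access (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token_json)
    os.chmod(path, 0o600)  # also tightens a file that already existed


def audit_token(path, required_scopes, now=None):
    """Return findings for a stored token file (empty list means OK)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other: %o" % mode)
    with open(path) as fh:
        data = json.load(fh)
    missing = set(required_scopes) - set(data.get("scopes") or [])
    if missing:
        findings.append("scopes not granted: " + ", ".join(sorted(missing)))
    if not data.get("refresh_token"):
        findings.append("no refresh token: a new login is needed on expiry")
    if data.get("expiry"):
        # Assumption: expiry is an ISO timestamp in UTC with a trailing "Z".
        exp = datetime.fromisoformat(data["expiry"].rstrip("Z"))
        if exp.replace(tzinfo=timezone.utc) <= now:
            findings.append("access token expired: refresh before the call")
    return findings


def demo():
    path = os.path.join(tempfile.mkdtemp(), "token.json")
    save_token(path, json.dumps(SAMPLE))
    need = SAMPLE["scopes"] + ["https://www.googleapis.com/auth/gmail.send"]
    return audit_token(path, need, datetime(2022, 2, 1, tzinfo=timezone.utc))
```

Calling demo() returns two findings for the sample: the gmail.send scope was never granted, and the access token has expired.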

Service Account

Here we enter the Google Cloud Platform world, where we have modules for a variety of tasks.
Among them is the “APIs & Services” module, which lets us generate credentials; in our case we focus on “Service Accounts”.
If we want to work with Google APIs from our app without user authorization (for example, sending a file to Cloud Storage), we can set up a Service Account (in which we must configure the SCOPES that we know we will work with).
When our app calls the API, it will do so in the name of the previously configured Service Account, and we will have access granted.

To configure a Service Account we use a .json file that we can download when we create it. We store this file in our app and load it into a variable.

Example Code

from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/sqlservice.admin']
SERVICE_ACCOUNT_FILE = '/path/to/service.json'

# Build credentials from the downloaded key file, limited to SCOPES.
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)

With these 3 points clear, we can work with almost any Google API without problems.
Each one has a minimum access, and certain functions (which perform more sensitive actions) will ask us for some extra SCOPES.

In the next articles I will show how to use the Google OAuth2 API for different cases.

Article - Google Cloud Basics
