How to grant acces permantly with OAuth2

Question

I have tried to use OAuth2 to build a group settings service with the following:

def groupSettingsService(request):
    CLIENT_SECRETS = os.path.join(os.path.dirname(__file__), 'client_secrets.json')
    FLOW = client.flow_from_clientsecrets(CLIENT_SECRETS, scope=['https://www.googleapis.com/auth/apps.groups.settings'], message=tools.message_if_missing(CLIENT_SECRETS))
    storage = Storage('groups-settings.dat')
    credentials = storage.get()
    if credentials is None or credentials.invalid:
        credentials = run(FLOW, storage)
    http = httplib2.Http()
    http = credentials.authorize(http)
    return discovery.build('groupssettings', 'v1', http=http)

But the problem is when the token isn't valid anymore (expires) it redirect to a page to tell a user to grant access again to that scope...things that is inappropriate for API calls !

is there a way to work with a username/password or client_secret to grant a full access permanently to the API without asking to grant access or not ?

score 1 · Accepted Answer · answered May 29 '14 at 09:21

1

You need to ask for access_type=offline when you redirect the user to Google.

You will than get an code, which can be exchanged (by POSTing with your client_id and client_secret) into an access_token (that is the one you are already using) and a refresh_token.

When your access_token expires, you can POST the refresh_token, client_id and client_secret to get another access_token. You can do that multiple times if you need (or weeks later...)

answered May 29 '14 at 09:21

Ruediger Jungbeck

2,836
5
36
59

yes you are right, but here we should grant the access for the first time with a humain action...what about API call from an Application to revoke access without asking to grant any access by any user? I'm an Administrator for a domain i'm développing an application that change groupsSettings déponds of time. So it should do it itself without granting access even for the first time. Any idea ? – Drwhite May 29 '14 at 13:29
If your application is in Google Apps Marktplace (or you find another way of granting access to a service account), you should be able to use a service account to get offline access: Request an access_token for your service account (and specify the email address as sub). I have only read that, but never done it myself. – Ruediger Jungbeck May 30 '14 at 08:08
Maybe the answer to this question helps http://stackoverflow.com/questions/20668643/google-apps-marketplace-sdk-domain-wide-oauth-2-sso – Ruediger Jungbeck May 30 '14 at 08:10

score 0 · Answer 2 · answered May 28 '14 at 06:18

0

Did you save the credentials to storage upon getting a credentials successfully?

answered May 28 '14 at 06:18

mengcheng

331
1
3

yes, i save them in a file called `groups-settings.dat` and i get and work with them. But the problem when i try to test them again after 1 or 2 days it take me to the grant access page and the file is here with credentials. I think it seems they would not be valid, someting linked to expiration i guess ! – Drwhite May 28 '14 at 08:01

How to grant acces permantly with OAuth2

2 Answers2