2

Currently, I have been tasked to utilize the Google People API to ask for a user's basic Google information along with their public phone numbers. So far the results have been positive.

The solution my team and I have incorporated the Google People API integration in has the capacity to be utilized across thousands of domains. As a result, my question is simply, How can my team members and I ensure that any our clients that utilize our solution with their own particular domain get our new functionality built with the Google People API?

Keep in mind, our clients have the flexibility to have http/https and any subdomain on their site. Entering each domain possibility for our client base one by one would not be an easy task. I'm seriously hoping there is a solution around the single, explicit origin entries.

Thank you for your time and help.

bbird40
  • 301
  • 1
  • 2
  • 9
  • I have a similar problem which can't be sure if this is the same as yours... Our application has a server which safely connects to Google Services without revealing our secret API key, and it is required to add/update/remove Authorized JavaScript Origins. But I cannot find any doc to do the job. Any help is appreciated? – Rafe Nov 16 '21 at 14:10

2 Answers2

1

Warning:

You must remember that if this is source code you are giving your clients that you are not allowed to release your client id and client secret. This includes plugins and scripts.

On November 5th 2014 Google made some changes to the APIs terms of Service.

Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

So if your clients could view the code of your application and see your client id and secret you should not be giving it to them.

Read more about this issue Can I really not ship open source with Client ID?

Recommendation:

The best solution for you will be to instruct your users now to create there own project on Google Developer Console and create their own JS origins.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
  • I wish that was the case then the "ball would not be in our court." However, we manage everything for them. Our solution lets them do what they do best while entrusting us to do what we do best. We are providing them a SaaS solution. – bbird40 Jun 01 '17 at 14:39
  • As long as you are aware that you are violating the terms of service you signed when you created the project. If Google detects it they will shut down your developer account you will not get it back to my knowledge. – Linda Lawton - DaImTo Jun 01 '17 at 14:59
  • DaImTo, thank you very much for your quick input on this. This is the input I need to move forward in our efforts. Currently, I'm reading through the terms of service, what specifically do you see this could be in violation of? – bbird40 Jun 01 '17 at 15:14
  • What language is your application in? Do you users install your application on their own server? Could your users view the source code and find your client id and secret? – Linda Lawton - DaImTo Jun 01 '17 at 15:18
  • We were able to accomplish the integration in both JS and C#. We are going to go with the C# implementation because of the easiness of securing those credentials. They do not install our application - we host it for them on cloud servers. Moreover, they are unable to view the client id and the secret. On a side note, we do not utilize the secret. We are able to obtain the three pieces of information we need without it. – bbird40 Jun 01 '17 at 15:47
  • Then you don't have a problem with the tos. You are still going to have to add all of the JavaScript origins though there is no way around that unfortunately – Linda Lawton - DaImTo Jun 01 '17 at 15:57
  • 2
    Thank you for all your time and input DaImTo. This has been a huge help. I am super grateful to have your opinion. – bbird40 Jun 01 '17 at 16:12
0

You may just have to provide your own wrapper around the target API where you authorize the client request yourself and then do the request from Google using your own credentials.

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Aug 18 '22 at 16:12