0

I wanted to know if it was possible to use a service account to request data from any Google API, but using this library: https://github.com/google/google-api-javascript-client

I managed to find out how to use the library with an OAuth 2.0 credential from the Google Cloud console. But my real need requires me to use a service account to fetch these data.

Here's the code I used to fetch data from OAuth2.0 credentials:

    initClient() {
      return gapi.client.init({
        apiKey: this.GSC_API_KEY, // already defined in the application
        client_id: "xxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
        scope:
          "https://www.googleapis.com/auth/webmasters https://www.googleapis.com/auth/webmasters.readonly",
        discoveryDocs: [
          "https://www.googleapis.com/discovery/v1/apis/webmasters/v3/rest"
        ]
      });
    },

    gapiList() {
      this.initClient()
        .then(() => {
          // Executes an API request, and returns a Promise.
          // The method name `webmasters.sites.list` comes from the API webmasters.
          return gapi.client.webmasters.sites.list();
        })
        .then(
          response => {
            console.log(response.body);
          },
          err => {
            console.error(err.details);
          }
        );
    },

Here's the code that requests the API:

gapi.load("client", this.gapiList);

It does return me good data.

But my final purpose requires me to use a service account.

The initClient function does need a client_id to load correctly. If I'm giving the client_id of the service account it does return me an error.

"Not a valid origin for the client: http://localhost:8080/ has not been whitelisted for client ID xxxxxxxxxxxxx. Please go to https://console.developers.google.com/ and whitelist this origin for your project's client ID."

The error message is telling me to whitelist the localhost (where I am currently working) but I don't find how to whitelist localhost for a service account.

Hope I gave enough information.

Thanks for any reply and help.

LIM Jacky

2 Answers

0

As the message tells, you need to allow localhost:8080 as an origin to call the API. To protect you and your users, Google restricts your OAuth 2.0 application to using Authorized Domains. If you have verified the domain with Google, you can use any Top Private Domain as an Authorized Domain.

After you add an Authorized Domain, you can use any of its subdomains or pages, and any other associated country codes. Add your Authorized Domains before you add your redirect or origin URIs, your homepage URL, your terms of service URL, or your privacy policy URL.

To accomplish this, follow these steps:

  1. In the GCP Console, click APIs & Services and then OAuth consent screen. You might have to click Menu first.
  2. In the Application name field, enter G Suite Migrate and click Save.
  3. In the left menu, click Credentials.
  4. Click Create credentials and then OAuth client ID.
  5. Select Web application.
  6. In the Name field, enter a name for the OAuth web client.
  7. In the Authorized JavaScript origins field, enter the URL that you’ll use to access the G Suite Migrate platform (for example, http://localhost:5131).
  8. Click Create.
  9. Make a note of the client ID shown in the Client ID field. You’ll need it when you set up the G Suite Migrate platform. Tip: You can also access the client ID from APIs & Services and then Credentials.
  10. Click OK.

Note: It might take some time for the authorization process to complete.

Extra: If you want a service account to be able to call an API on a user's behalf, you will also need to delegate domain-wide authority to the service account. This is explained in detail here.

Cloudkollektiv
  • Thank you for the complete answer @Nebulastic, but how would this work for a service account, since a service account doesn't have an "Authorized JavaScript origins" field? I do really appreciate your help! – LIM Jacky Feb 26 '20 at 09:15
  • Hi @LIMJacky, I updated the answer accordingly. You will need to delegate domain-wide authority to your service account. This way the service account will be able to call APIs on your behalf. – Cloudkollektiv Feb 26 '20 at 09:44
  • Hi @Nebulastic, thank you for your fast reply. I did delegate domain-wide authority and enable every API needed, but the result is the same. I still get this error: Not a valid origin for the client: http://localhost:8080 has not been whitelisted for client ID xxxxxxxxxxxxx. Please go to https://console.developers.google.com/ and whitelist this origin for your project's client. Any thoughts about this issue? – LIM Jacky Feb 26 '20 at 11:35
  • Did you do both the delegation and whitelist/authorize localhost:8080 origin? – Cloudkollektiv Feb 26 '20 at 11:40
  • I did the delegation, but how do I whitelist/authorize the localhost:8080 origin, since there isn't this section for a service account? Did I miss it somewhere? – LIM Jacky Feb 26 '20 at 11:51
  • You need to whitelist it under your own account as mentioned in the steps in my answer, the service account then operates under your account due to the delegation you did. – Cloudkollektiv Feb 26 '20 at 12:05
  • Using a web application credential does work properly because I can whitelist the origin, but this doesn't appear for my service account client. Is whitelisting localhost:8080 even possible? I'm a bit lost with service accounts. – LIM Jacky Feb 26 '20 at 13:56
  • API & Services > Oauth Consent screen > find "Authorised domains" > fill in "localhost:8080" – Cloudkollektiv Feb 26 '20 at 14:10
  • I did try, but it does say that "localhost:8080" isn't valid. I guess localhost can't be whitelisted in this case? – LIM Jacky Feb 26 '20 at 14:38
  • Could you check if your API key has certain restrictions? API & Services > Credentials > Your key > HTTP referrers OR Website Restrictions – Cloudkollektiv Feb 26 '20 at 15:57
  • My API key has no restrictions; setting up a service account seems pretty hard. But thanks for your time and help! – LIM Jacky Feb 26 '20 at 16:44
  • Another suggestion is that you could delete your credentials and add them again through API & Services > Credentials. This is suggested here and has a lot of upvotes: https://stackoverflow.com/questions/44068680/not-a-valid-origin-for-the-client-from-google-api-oauth – Cloudkollektiv Feb 26 '20 at 19:06
  • Or empty browser cache! – Cloudkollektiv Feb 26 '20 at 19:15
0

You cannot use a service account with the Google JavaScript client library.

You should use OAuth2 authentication. If you have to use a service account, you need to use a server-side language such as Node.js or Python.

Jeet
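An added example, not part of either answer or of the Google library: a Node.js sketch of the signed JWT assertion that a service account exchanges for an access token, which shows why this flow has no JavaScript origin to whitelist and why the private key must stay on a server. The account e-mail and key pair are constructed for the demo, and the function names are hypothetical.

```javascript
// Added example: service-account (JWT bearer) flow, intended for Node.js on a server.
const crypto = require("node:crypto");

const TOKEN_URL = "https://oauth2.googleapis.com/token";
const b64url = (data) => Buffer.from(data).toString("base64url");

// Build the RS256-signed assertion. `sa` mirrors the client_email and
// private_key fields of a downloaded service account key file.
function buildAssertion(sa, scopes, nowSeconds, subject) {
  const header = { alg: "RS256", typ: "JWT" };
  const claims = {
    iss: sa.client_email,
    scope: scopes.join(" "),
    aud: TOKEN_URL,
    iat: nowSeconds,
    exp: nowSeconds + 3600, // assertions are valid for at most one hour
  };
  if (subject) claims.sub = subject; // user to impersonate (domain-wide delegation only)
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("RSA-SHA256", Buffer.from(signingInput), sa.private_key);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Form-encoded body to POST to TOKEN_URL in exchange for an access token.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// Check the signature with the public key; return the claims, or null if it fails.
function verifyAssertion(jwt, publicKeyPem) {
  const [h, c, s] = jwt.split(".");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${c}`), publicKeyPem, Buffer.from(s, "base64url"));
  return ok ? JSON.parse(Buffer.from(c, "base64url").toString()) : null;
}

// Constructed sample data: throwaway key pair and a placeholder account e-mail.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});
const sampleAccount = { client_email: "demo-sa@example-project.iam.gserviceaccount.com", private_key: privateKey };
const sampleJwt = buildAssertion(sampleAccount, ["https://www.googleapis.com/auth/webmasters.readonly"], 1700000000);
console.log(tokenRequestBody(sampleJwt).slice(0, 90) + "...");
```

The token endpoint's JSON response carries an `access_token` that the server sends as an `Authorization: Bearer` header on its API calls; the browser only ever talks to that server, never to the key.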