1

I have made a flask/python website which can create and edit events on a user's google calendar. Obviously the user has to give their permission via OAuth2 (which I struggled to understand but managed to make work in the end). Currently I am forcing the user to register and login to my site and I store various user settings and the refresh token attached to whatever username they select when they register with my site.... But now I want the user to be able to allow the user the use my site without having to register. I still want to store user settings and a refresh token but now I need to have some sort of label to identify the user so I know it's them when they come back (perhaps they will access my site from a different PC). Is there some string that I will have access to as part of the OAuth2 process that would serve to uniquely identify the user or do I need to do some additional step to grab such a string...

EDIT: looking at the comment made by shox and looking at the most upvoted answer to this SO question it seems that at the end of the oauth process I should...

send a GET to https://www.googleapis.com/oauth2/v3/userinfo, using the OAuth2 bearer token you just received, and you will get a response with some information about the user (id, name, etc.).

Unfortunately I'm not quite sure what that means nor how to code it in python. My best guess was as follows:

r = requests.get( "https://www.googleapis.com/oauth2/v3/userinfo",
                   params = {'token': credentials.token } )

data = r.json()

But data turns out to be {'error': 'invalid_request', 'error_description': 'Invalid Credentials'}

SOLVED: ... seems I needed to use the string "access_token" instead of "token" and now data contains an email address and a few other bits and bobs.

r = requests.get( "https://www.googleapis.com/oauth2/v3/userinfo",
                   params = {'access_token': credentials.token } )

data = r.json()
Mick
  • 8,284
  • 22
  • 81
  • 173
  • 1
    Not part of the process but part of the endpoint. Which may be different for different providers. See this answer: https://stackoverflow.com/questions/21145560/how-to-uniquely-identify-user-logging-in-via-oauth – shox Jun 08 '20 at 15:33

1 Answers1

0

One way to uniquely identify a Google user via OAuth 2.0 is to record the user's unique identifier. That identifier is known as the id property of the Source object.

To read that identifier you'll need to make a call to People.get() with people/me as the resourceName and metadata as personFields. The first value will identify the authorized account as the one that we are interested in. In the second parameter, personFields, we are indicating that we want metadata about the target account. The latter isn't needed per se, but because we need to fill a valid value in personFields. In summary, the request should look like this (if done with cURL):

curl \
  'https://people.googleapis.com/v1/people/me?personFields=metadata&key={API KEY}' \
  --header 'Authorization: Bearer {ACCESS TOKEN}' \
  --header 'Accept: application/json' \
  --compressed`

With that request you'll get a JSON response which first lines will read:

{
  "resourceName": "people/{ID HERE}",
  …

That would be the id that you want to use for user identification. Please, ask me any question if you need more help.

Jacques-Guzel Heron
  • 2,480
  • 1
  • 7
  • 16
  • At a glance I get the feeling that the "People API" is something you may have access to if you have sought permission to have access to the users "contacts". I have not requested such permission so I suspect that this would not work. I have simply sought permission to access a users calendar. – Mick Jun 09 '20 at 15:08
  • Hi there @Mick! Please update your scopes and test if the solution works for you. Come back with your findings so I can keep helping you. – Jacques-Guzel Heron Jun 12 '20 at 14:00