2

I'm building a web application for a customer and I'm not really sure I'm doing the right thing...

Basically, I created a PHP application that read, edit, delete calendars on Google and keeps a copy on my own web application DB (for various reasons). Now, I read about the OAuth 2.0 and realise it could be safer to use this than have my client general Google password (that access ALL google services (calendar, email, etc)) directly in my web app in a PHP file (in other words, if a hacker enter the server than he can steal her password...).

So I created the OAuth 2.0 account, add the classes/folders from this page http://code.google.com/apis/calendar/v3/using.html#setup and added the proper scripts on a test page to "authorize access to your information" (see "Instantiating the client " in the same page) ...

Here is my questions: If I am logged in my gmail with MY login info (not my Client) and I go to my test page, it will ask ME to authorize access to my Google Calendar. But I want my client's calendar, NOT MINE! So, let's pretend I logout, log in with my customer info and go to the test page : it's perfect, I authorize the account, then I'm redirected to my app where i can see HER calendar.

But this is not practical OR logical... Since, for example, I want people on her GENERAL PUBLIC website to go on a page, and fill a form in order to automate her appointments. The script must check her google calendar.... and ask permission for THEIR gmail accounts? No, I want HER calendar.

So this is my problem / question. What am I doing wrong? Is this the right way to do so or did I miss a step? Was this API meant to do this?

How can I use the API to work in the way described above?

Thanks all to light my candle

Joel

Joel
  • 895
  • 4
  • 13
  • 33

2 Answers2

1

If I'm understanding you correctly, you've got the authentication right. The problem is that you don't want to display the calendar of the logged-in user; you want to display your client's calendar.

A user can write to a calendar in one of two circumstances:

  1. The user owns the calendar, or
  2. The owner has given write access to the user explicitly, by specifying the user's email address.

Clearly the second situation doesn't scale. And in either case, you'd need to embed your client's credentials in your application, then use them either to create appointments on behalf of an authenticated user, or to share the calendar with the user. Of course, you'll want to encrypt your client's credentials--don't simply hard-code them in your app!

Rather than using your client's "real" account, it would seem more secure to create a new account (with a unique email address and password) specifically for this calendar. Your client could then access it through your application as her customers would, or you could share the calendar with her and give her write access.

Another possibility might be to make the calendar read-only to the users, and rather than allowing them to create appointments directly on your client's calendar, your app could let them request appointments: it would create the events on the users' calendars and send invitations to your client's calendar. Then your app won't need any embedded credentials. It would also give your client the opportunity to confirm or decline each appointment, automatically sending her response to her users. Another benefit is that each user's appointments would appear on his/her own personal Google calendar.

I'd be interested to know if you (or anyone else) finds a better solution.

Adam Liss
  • 47,594
  • 12
  • 108
  • 150
  • Thanks for your answer. When you say "encrypt", how do you exactly do that? If you encrypt it and then you need to access the calendar, you need to decrypt it before sending the request to google, therefore the hacker will see the decrypt script and just run it? Should I use the API key instead `http://code.google.com/apis/console-help/#UsingKeys`? – Joel Nov 25 '11 at 01:09
  • Your app resides on App Engine, so there's no need to transmit your client's credentials to/from the user. Your app only needs to store and retrieve them in order to complete the OAuth handshake. But the more I think about the idea of an app allowing one person (the user) to perform an action on behalf of someone else (your client), the more uncomfortable I get. The second option seems to be both more secure and more feature-rich, if it will work for you. – Adam Liss Nov 25 '11 at 01:19
  • Ok. I'm trying to find information on how to use the api key in my php script and can't seem to find it, where is that hidden? When I go to my console, the only thing they say is `To use this key, add the key= parameter in all requests`? How do I use the 'Simple API Access'? Thanks – Joel Nov 25 '11 at 01:51
0

I have the same problem, i solved using zend framework, even if i don't like it as it is yet and i'm trying to do with google api directly. ( and i'm not able ) Zend wrap around them i suppose.

I know the question is very old anyway, i embeded zend loader class, and a calendar extension. Then i just use:

if($something) {
    $client = getClientLoginHttpClient($usergmail, $passgmail);
    createEvent($client,$dbcon,$id_event);
}

where $dbcon is a connection to my dv, and $id_event is an id where i can find the data i want insert, ( date, content, title, time and so on ). I don't like it but it works.

AndreaBogazzi
  • 14,323
  • 3
  • 38
  • 63