Home  ›  Google Calendar Authentication Code Expired

Google Calendar Authentication Code Expired

Written By Wednesday 6 April 2022 Add Comment Edit

Google APIs use the OAuth ii.0 protocol for authentication and authorization. Google supports common OAuth ii.0 scenarios such as those for spider web server, customer-side, installed, and limited-input device applications.

To begin, obtain OAuth 2.0 customer credentials from the Google API Console. Then your client awarding requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that y'all want to access. For an interactive demonstration of using OAuth 2.0 with Google (including the option to utilise your own client credentials), experiment with the OAuth ii.0 Playground.

This page gives an overview of the OAuth 2.0 authorization scenarios that Google supports, and provides links to more detailed content. For details near using OAuth 2.0 for authentication, see OpenID Connect.

Basic steps

All applications follow a basic blueprint when accessing a Google API using OAuth ii.0. At a loftier level, you follow v steps:

i. Obtain OAuth 2.0 credentials from the Google API Console.

Visit the Google API Console to obtain OAuth 2.0 credentials such as a client ID and client surreptitious that are known to both Google and your awarding. The prepare of values varies based on what type of application you are edifice. For example, a JavaScript application does non crave a secret, simply a web server application does.

Before your awarding can admission private data using a Google API, it must obtain an access token that grants admission to that API. A unmarried access token can grant varying degrees of access to multiple APIs. A variable parameter called scope controls the set of resources and operations that an admission token permits. During the access-token asking, your application sends ane or more values in the scope parameter.

There are several ways to make this request, and they vary based on the type of application you are building. For case, a JavaScript application might request an admission token using a browser redirect to Google, while an awarding installed on a device that has no browser uses web service requests.

Some requests require an hallmark step where the user logs in with their Google account. After logging in, the user is asked whether they are willing to grant ane or more permissions that your application is requesting. This procedure is called user consent.

If the user grants at to the lowest degree i permission, the Google Authorisation Server sends your application an admission token (or an authorization code that your application can use to obtain an access token) and a list of scopes of admission granted by that token. If the user does not grant the permission, the server returns an error.

It is generally a best practice to asking scopes incrementally, at the time admission is required, rather than up front. For example, an app that wants to support saving an event to a calendar should non request Google Calendar access until the user presses the "Add together to Calendar" button; see Incremental authorization.

3. Examine scopes of access granted by the user.

Compare the scopes included in the access token response to the scopes required to access features and functionality of your application dependent upon admission to a related Google API. Disable whatever features of your app unable to function without access to the related API.

The scope included in your request may not match the scope included in your response, fifty-fifty if the user granted all requested scopes. Refer to the documentation for each Google API for the scopes required for access. An API may map multiple scope string values to a single telescopic of admission, returning the aforementioned scope string for all values allowed in the request. Example: the Google People API may render a scope of https://www.googleapis.com/auth/contacts when an app requested a user authorize a scope of https://www.google.com/m8/feeds/; the Google People API method people.updateContact requires a granted scope of https://www.googleapis.com/auth/contacts.

4. Send the access token to an API.

After an application obtains an access token, information technology sends the token to a Google API in an HTTP Authorization asking header. It is possible to send tokens as URI query-cord parameters, but nosotros don't recommend it, because URI parameters can end up in log files that are not completely secure. Also, it is good Residue practice to avert creating unnecessary URI parameter names.

Access tokens are valid merely for the gear up of operations and resources described in the scope of the token request. For example, if an access token is issued for the Google Calendar API, it does not grant access to the Google Contacts API. You can, withal, send that access token to the Google Calendar API multiple times for similar operations.

5. Refresh the admission token, if necessary.

Access tokens take limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, information technology can obtain a refresh token. A refresh token allows your awarding to obtain new admission tokens.

Scenarios

Web server applications

The Google OAuth ii.0 endpoint supports web server applications that utilise languages and frameworks such as PHP, Java, Python, Ruby, and ASP.Net.

The authority sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the type of access being requested. Google handles the user hallmark, session selection, and user consent. The result is an authorisation code, which the application can exchange for an access token and a refresh token.

The application should store the refresh token for time to come utilise and apply the access token to access a Google API. In one case the admission token expires, the awarding uses the refresh token to obtain a new 1.

Your application sends a token request to the Google Authorization Server, receives an authorization code, exchanges the code for a token, and uses the token to call a Google API endpoint.

For details, run into Using OAuth 2.0 for Spider web Server Applications.

Installed applications

The Google OAuth two.0 endpoint supports applications that are installed on devices such as computers, mobile devices, and tablets. When you create a customer ID through the Google API Console, specify that this is an Installed application, and so select Android, Chrome app, iOS, Universal Windows Platform (UWP), or Desktop app every bit the application type.

The process results in a client ID and, in some cases, a customer surreptitious, which you embed in the source code of your application. (In this context, the client secret is patently not treated equally a clandestine.)

The authorization sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that point the type of access beingness requested. Google handles the user authentication, session selection, and user consent. The result is an authorization code, which the application can exchange for an admission token and a refresh token.

The awarding should store the refresh token for future use and use the access token to access a Google API. Once the access token expires, the awarding uses the refresh token to obtain a new one.

Your application sends a token request to the Google Authorization Server, receives an authorization code, exchanges the code for a token, and uses the token to call a Google API endpoint.

For details, see Using OAuth ii.0 for Installed Applications.

Customer-side (JavaScript) applications

The Google OAuth 2.0 endpoint supports JavaScript applications that run in a browser.

The authorisation sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the blazon of access being requested. Google handles the user authentication, session selection, and user consent.

The upshot is an access token, which the client should validate before including it in a Google API request. When the token expires, the application repeats the procedure.

Your JS application sends a token request to the Google Authorization Server, receives a token, validates the token, and uses the token to call a Google API endpoint.

For details, meet Using OAuth two.0 for Client-side Applications.

Applications on limited-input devices

The Google OAuth 2.0 endpoint supports applications that run on limited-input devices such every bit game consoles, video cameras, and printers.

The authorization sequence begins with the application making a web service asking to a Google URL for an authorisation code. The response contains several parameters, including a URL and a code that the application shows to the user.

The user obtains the URL and code from the device, then switches to a separate device or computer with richer input capabilities. The user launches a browser, navigates to the specified URL, logs in, and enters the code.

Meanwhile, the application polls a Google URL at a specified interval. After the user approves admission, the response from the Google server contains an access token and refresh token. The application should store the refresh token for futurity use and use the admission token to access a Google API. In one case the access token expires, the application uses the refresh token to obtain a new one.

The user logs in on a separate device that has a browser

For details, run into Using OAuth two.0 for Devices.

Service accounts

Google APIs such as the Prediction API and Google Cloud Storage tin act on behalf of your awarding without accessing user data. In these situations your awarding needs to prove its own identity to the API, simply no user consent is necessary. Similarly, in enterprise scenarios, your application can request delegated access to some resources.

For these types of server-to-server interactions you need a service account, which is an account that belongs to your application instead of to an individual end-user. Your application calls Google APIs on behalf of the service account, and user consent is non required. (In non-service-account scenarios, your awarding calls Google APIs on behalf of end-users, and user consent is sometimes required.)

A service account'due south credentials, which you obtain from the Google API Panel, include a generated email accost that is unique, a client ID, and at to the lowest degree i public/private fundamental pair. You employ the customer ID and one private fundamental to create a signed JWT and construct an access-token request in the appropriate format. Your application so sends the token request to the Google OAuth 2.0 Authorization Server, which returns an admission token. The application uses the token to access a Google API. When the token expires, the application repeats the process.

Your server application uses a JWT to request a token from the Google Authorization Server, then uses the token to call a Google API endpoint. No end-user is involved.

For details, see the service-account documentation.

Token size

Tokens can vary in size, up to the following limits:

  • Potency codes: 256 bytes
  • Access tokens: 2048 bytes
  • Refresh tokens: 512 bytes

Access tokens returned by Google Cloud'south Security Token Service API are structured similarly to Google API OAuth 2.0 access tokens merely accept unlike token size limits. For details, see the API documentation.

Google reserves the right to change token size within these limits, and your application must back up variable token sizes accordingly.

Refresh token expiration

You must write your code to anticipate the possibility that a granted refresh token might no longer work. A refresh token might stop working for i of these reasons:

  • The user has revoked your app's access.
  • The refresh token has non been used for half-dozen months.
  • The user inverse passwords and the refresh token contains Gmail scopes.
  • The user business relationship has exceeded a maximum number of granted (live) refresh tokens.
  • The user belongs to a Google Deject Platform arrangement that has session control policies in issue.

A Google Deject Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in seven days.

At that place is currently a limit of 50 refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without alarm. This limit does not employ to service accounts.

In that location is as well a larger limit on the total number of refresh tokens a user account or service account can have across all clients. Almost normal users won't exceed this limit but a developer's account used to test an implementation might.

If yous need to authorize multiple programs, machines, or devices, ane workaround is to limit the number of clients that you authorize per Google Business relationship to fifteen or 20. If you are a Google Workspace admin, yous can create additional users with administrative privileges and use them to authorize some of the clients.

Dealing with session command policies for Google Cloud Platform (GCP) organizations

Administrators of GCP organizations might require frequent reauthentication of users while they access GCP resources, using the Google Cloud session command feature. This policy impacts access to Google Cloud Panel, the Google Cloud SDK (also known equally the gcloud CLI), and whatever third party OAuth application that requires the Deject Platform scope. If a user has a session control policy in place so on the decease of the session duration, your API calls will mistake out similar to what would happen if the refresh token was revoked - the call volition fail with an error type invalid_token; the sub-error type can be used to distinguish between a revoke token and a failure due to a session control policy. As session durations can be very express (between ane hr to 24 hours), this scenario must be handled gracefully by restarting an auth session.

Equally, you must not apply, or encourage the use of, user credentials for server to server deployment. If user credentials are deployed on a server for long running jobs or operations and a customer applies session control policies on such users, the server application will neglect as there will be no mode to re-authenticate the user when the session duration expires.

For more information on how to help your customers deploy this feature, refer to this admin-focussed assist article.

Client libraries

The following customer libraries integrate with popular frameworks, which makes implementing OAuth ii.0 simpler. More than features will be added to the libraries over time.

  • Google API Customer Library for Java
  • Google API Client Library for Python
  • Google API Client Library for Go
  • Google API Client Library for .Net
  • Google API Client Library for Ruby
  • Google API Client Library for PHP
  • Google API Client Library for JavaScript
  • GTMAppAuth - OAuth Client Library for Mac and iOS

ortizsobjecold1950.blogspot.com

Source: https://developers.google.com/identity/protocols/oauth2

0 Response to "Google Calendar Authentication Code Expired"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel