Simplify service account user code

[redgetan]

The code in https://github.com/tpitale/legato/wiki/OAuth2-and-Google#service-accounts can be simplified (no need to initialize Google::APIClient.new)

def service_account_user(scope="https://www.googleapis.com/auth/analytics.readonly")
  key = Google::APIClient::PKCS12.load_key("YOUR_PRIVATE_KEY_FILENAME", "notasecret")
  service_account = Google::APIClient::JWTAsserter.new("YOUR_API_EMAIL_ADDRESS@developer.gserviceaccount.com", scope, key)
  access_token = service_account.authorize.access_token
  oauth_client = OAuth2::Client.new("", "", {
    :authorize_url => 'https://accounts.google.com/o/oauth2/auth',
    :token_url => 'https://accounts.google.com/o/oauth2/token'
  })
  token = OAuth2::AccessToken.new(oauth_client, access_token, expires_in: 1.hour)
  user = Legato::User.new(token)

  # after an hour or so
  user.access_token.expired?
end

[vrodokanakis]

Google::APIClient::JWTAsserter is deprecated (http://www.rubydoc.info/github/google/google-api-ruby-client/Google/APIClient/JWTAsserter) and service accounts are now supported directly in Signet.

The above code can be written as:

def service_account_user(scope = "https://www.googleapis.com/auth/analytics.readonly")
  key         = Google::APIClient::KeyUtils.load_from_pkcs12("YOUR_PRIVATE_KEY_FILENAME", "notasecret")
  auth_client = Signet::OAuth2::Client.new(
                  token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
                  audience: 'https://accounts.google.com/o/oauth2/token',
                  scope: scope,
                  issuer: 'YOUR_API_EMAIL_ADDRESS@developer.gserviceaccount.com',
                  signing_key: key,
                  sub: 'YOUR_ANALYTICS_EMAIL@example.com')

  access_token = auth_client.fetch_access_token!

  oauth_client = OAuth2::Client.new("", "", {
    authorize_url: 'https://accounts.google.com/o/oauth2/auth',
    token_url: 'https://accounts.google.com/o/oauth2/token'
  })

  token = OAuth2::AccessToken.new(oauth_client, access_token["access_token"], expires_in: 1.hour)
  user  = Legato::User.new(token)

  # after an hour or so
  user.access_token.expired?
end

The benefit of this way is that the key sub can passed which addresses the issue of having to add YOUR_API_EMAIL_ADDRESS@developer.gserviceaccount.com email address to every analytics account.

If sub is not passed then the response is the following:

`request': {"errors"=>[{"domain"=>"global", "reason"=>"insufficientPermissions", "message"=>"User does not have any Google Analytics account."}], "code"=>403, "message"=>"User does not have any Google Analytics account."}:  (OAuth2::Error)
{"error":{"errors":[{"domain":"global","reason":"insufficientPermissions","message":"User does not have any Google Analytics account."}],"code":403,"message":"User does not have any Google Analytics account."}}

I think the docs should be updated, it will save many hours searching.

[tpitale]

What is Signet? Is that a Google gem, or some other library?

[tpitale]

https://developers.google.com/identity/protocols/OAuth2ServiceAccount, that whole section of the Wiki may just need a rewrite.

[vrodokanakis]

Yes, signet is a google gem (https://github.com/google/signet).

Its a dependency of google-api-client gem (https://rubygems.org/gems/google-api-client) and it is used to handle authorization.

The google-api-client docs suggests to use the new way. See https://github.com/google/google-api-ruby-client#authorization

[basex]

google-api-client or googleauth (a dependency of google-api-client) are not needed. The code can be simplified by just using the signet gem that is a dependency of googleauth.

require 'signet/oauth_2/client'

def service_account_user(scope = 'https://www.googleapis.com/auth/analytics.readonly')
  key         = OpenSSL::PKCS12.new(File.read('YOUR_PRIVATE_KEY_FILENAME'), 'notasecret').key
  auth_client = Signet::OAuth2::Client.new(
                  token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
                  audience: 'https://accounts.google.com/o/oauth2/token',
                  scope: scope,
                  issuer: 'YOUR_API_EMAIL_ADDRESS@developer.gserviceaccount.com',
                  signing_key: key,
                  sub: 'YOUR_API_EMAIL_ADDRESS@developer.gserviceaccount.com')

  access_token = auth_client.fetch_access_token!

  oauth_client = OAuth2::Client.new('', '', {
    authorize_url: 'https://accounts.google.com/o/oauth2/auth',
    token_url: 'https://accounts.google.com/o/oauth2/token'
  })

  token = OAuth2::AccessToken.new(oauth_client, access_token['access_token'], expires_in: access_token['expires_in'])

  user  = Legato::User.new(token)

  # after an hour or so
  user.access_token.expired?
end

[tpitale]

Updated the wiki. https://github.com/tpitale/legato/wiki/OAuth2-and-Google

[nicooga]

Hi there, I'm getting PKCS12_parse: invalid null pkcs12 pointer when doing this:

key = OpenSSL::PKCS12.new(config.fetch('private_key'), 'notasecret').key

where config is the parsed json file that I've downloaded from Google Console, that looks like this:

{
  "type": "service_account",
  "project_id": "xxx",
  "private_key_id": "xxx",
  "private_key": "-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----\n",
  "client_email": "xxxxx@appspot.gserviceaccount.com",
  "client_id": "xxxxx",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "xxxx"
}

Do you recognize the error?

[tpitale]

I just tried to create a new service account and there is a new setting for JSON vs. P12. I'm guessing it needs to be P12 to work with OpenSSL::PKCS12. I'm not sure what to do with the JSON file.

[tpitale]

I'm looking at https://github.com/google/google-auth-library-ruby now to see what they're doing with JSON.

[tpitale]

To use JSON you're going to have to follow these instructions https://developers.google.com/identity/protocols/application-default-credentials and use the googleauth gem, it seems.

[tpitale]

It's essentially looking for the path to the JSON file to be in the env variable GOOGLE_APPLICATION_CREDENTIALS

[tpitale]

Digging in more, looks like googleauth still uses Signet https://github.com/google/google-auth-library-ruby/blob/37ed189b2e5165243918fcde127ebe323e9a06b5/lib/googleauth/service_account.rb#L48

[tpitale]

Ah! Here is the secret: https://github.com/google/google-auth-library-ruby/blob/37ed189b2e5165243918fcde127ebe323e9a06b5/lib/googleauth/service_account.rb#L56-L70

The JSON file has an RSA key, not a P12 key. So use OpenSSL::PKey::RSA.new(private_key) instead of OpenSSL::PKCS12.

[tpitale]

I've updated the wiki with this new information.

[nicooga]

Thank's @tpitale, you rock!