using two different styles of Google authentication
btbonval opened this issue · 5 comments
It appears we configure for `client_secrets.json`, which is a web application style authentication primarily meant for web browsers to access Drive using JavaScript and HTML. The creation of this style of account is poorly documented and in fact not noted besides the expectation of having `client_secrets.json`.
We also configure for a p12 key, which is the service account style authentication. The service account style authentication makes sense for backend systems running e.g. Python.
- Do we use web application style authentication at all?
- If we use it, can we remove it and consolidate into strictly service account auth?
Google Client Secrets use in code:
- (loading from environment)
- (extract email address)
karmaworld/karmaworld/apps/notes/gdrive.py
Lines 57 to 59 in 9c3e0a8
Google p12 Key use in code:
- (loading from environment)
- (decoding p12 key)
karmaworld/karmaworld/apps/notes/gdrive.py
Lines 57 to 59 in 9c3e0a8
It looks like we only use `client_secrets.json` for extracting the service account email address. How is that different from the `GOOGLE_USER` environment variable?
In the signed credentials, we're using extracted email as a positional parameter and `GOOGLE_USER` as a keyword parameter for `sub`. Looking at production, `GOOGLE_USER` refers to the user whose Drive is being accessed, while the service account email address is a uniquely generated account for API access. So these are distinct.
When downloading the p12 key, no auxiliary information is given in that file. However, looking at the Credentials page where the p12 key is downloaded, they do have an "email address" which looks like the same sort of unique email address for the service account. We could probably code this into environment directly and skip the `client_secrets.json` part, but documentation would need to note that.
Commit in 1b3d2eb
Untested, but should suffice. These changes need to be submitted to beta and tested there before this ticket can officially be closed.
Peeking at Drive config for our production Drive user, it looks like we have two different email addresses for the web app and service account, but they only differ slightly.
Looking at the console (numbers changed but consistent across these two examples):
- web app: `12341234-hrn555@developer.gserviceaccount.com`
- service account: `12341234@developer.gserviceaccount.com`
Interestingly, in the json for `client_secrets.json` used in production and staging, the `client_email` field is `12341234@developer.gserviceaccount.com`, matching the service account, even though `client_secrets.json` was downloaded for the web app.
That means we should be able to completely drop the web app config in favor of the Google service account config for our running Heroku apps following the same instructions as in the updated README.
Applied these changes to the staging system. Uploaded a `.doc` file and it got converted properly. It seems Google upload/download continues to work with much less work to get it running.
Hooray.
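Added example, not part of the issue thread or the karmaworld code: the two identities discussed above map onto the `iss` and `sub` claims of the JWT assertion a service account presents to Google's token endpoint. The sketch below reads both from the environment, rejects swapped values, and builds the string the p12 private key would sign; `GOOGLE_SERVICE_EMAIL` is a hypothetical variable name, the Drive user address is constructed, and the RSA signing itself is left to the OAuth library.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
SERVICE_DOMAIN = ".gserviceaccount.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def load_identities(env):
    """Return (service_email, drive_user), rejecting swapped or missing values."""
    service_email = env.get("GOOGLE_SERVICE_EMAIL", "").strip()  # hypothetical name
    drive_user = env.get("GOOGLE_USER", "").strip()
    if not service_email.endswith(SERVICE_DOMAIN):
        raise ValueError("GOOGLE_SERVICE_EMAIL is not a service account address")
    if "@" not in drive_user or drive_user.endswith(SERVICE_DOMAIN):
        raise ValueError("GOOGLE_USER must be the Drive owner, not a service account")
    return service_email, drive_user

def jwt_signing_input(service_email, drive_user, now=None, lifetime=3600):
    """Build the header.claims string that the service account key signs."""
    now = int(time.time()) if now is None else int(now)
    if not 0 < lifetime <= 3600:  # Google accepts at most one hour
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_email,  # who is calling the API
        "sub": drive_user,     # whose Drive is being accessed
        "scope": DRIVE_SCOPE,
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                    for part in (header, claims))

def decode_claims(signing_input):
    """Decode the claims segment again, e.g. to log what is about to be signed."""
    segment = signing_input.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

if __name__ == "__main__":
    # Constructed sample; the service address is the redacted one from the thread.
    sample_env = {"GOOGLE_SERVICE_EMAIL": "12341234@developer.gserviceaccount.com",
                  "GOOGLE_USER": "drive-owner@example.com"}
    print(decode_claims(jwt_signing_input(*load_identities(sample_env))))
```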