OAuth 2.0 – Google API Business Intelligence Implementation

December 18, 2013   //   Business Intelligence

I recently had the pleasure of working with OAuth 2.0 in tandem with Google APIs for one of my clients and thought I would share my experience with all of you today.

What is OAuth 2.0?

OAuth 2.0 is an open industry standard and framework that lets clients access server resources on behalf of a resource owner, either through an approval interaction between the resource owner and the HTTP service, or by allowing a third-party application to gain access on its own behalf. It gives end users a way to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair).

That’s great and all, but what does OAuth 2.0 have to do with my BI Solution?

OAuth 2.0 is being used to obtain massive amounts of data on a daily basis from many different sources (RSS/ATOM feeds, Google Analytics, Google Drive, Google Calendar, Facebook, Twitter and the list goes on…).

How Does the Authentication Process Work?

There are a few different methodologies for how authentication can be obtained (Web Server Applications, Installed Applications, Client-Side Applications and Service Accounts) and you just have to decide which way works best for your use-case/application.

Web Server Applications via Google API

The authorization sequence begins when your application redirects a browser to a URL. The URL includes query parameters that indicate the type of access being requested. Google handles the user authentication, session selection and user consent. The result is an authorization code, which the application can exchange for an access token and refresh token. The application should store the refresh token for future use and use the access token to access an API. Once the access token expires, the application uses the refresh token to obtain a new one.

Installed Applications via Google API

The Google OAuth 2.0 endpoint supports applications that are installed on devices such as computers, mobile devices and tablets. When you register an application through the Google Cloud Console, you can select Android, iOS, Chrome or native as the platform. The registration process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. The authorization sequence then works exactly as it does for Web Server Applications via Google API, described above.

Client-Side (JavaScript) Applications via Google API

The Google OAuth 2.0 endpoint supports JavaScript applications that run in a browser. The authorization sequence begins when your application redirects a browser to a URL. The URL includes query parameters that indicate the type of access being requested. Google handles the user authentication, session selection and user consent. The result is an access token, which the client should validate before including it in a Google API request. When the token expires, the application repeats the process.
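What "validate" means in practice, as an added example that is not part of the original post: the checks applied to the JSON that Google's tokeninfo endpoint returns for an access token, the most important being that the token was issued to your own client ID and not to some other application. The helper name and sample response are constructed; the field names `aud`, `scope` and `expires_in` are assumed to follow Google's tokeninfo response format.

```python
MY_CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # constructed placeholder
ANALYTICS_SCOPE = "https://www.googleapis.com/auth/analytics.readonly"

# Constructed sample of a tokeninfo response for a token issued to this client.
SAMPLE_TOKENINFO = {
    "aud": MY_CLIENT_ID,
    "scope": ANALYTICS_SCOPE + " https://www.googleapis.com/auth/userinfo.email",
    "expires_in": "3412",
}

def validate_token_info(info, expected_client_id, required_scopes, min_lifetime=60):
    """Return the granted scopes, or raise ValueError if the token must not be used."""
    if "error" in info or "error_description" in info:
        raise ValueError("token rejected by the tokeninfo endpoint")
    # A token minted for another application can be replayed at this one
    # unless the audience is compared with our own client ID.
    if info.get("aud") != expected_client_id:
        raise ValueError("token was issued to a different client")
    try:
        remaining = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        raise ValueError("malformed expires_in value")
    if remaining < min_lifetime:
        raise ValueError("token is expired or about to expire")
    granted = set(str(info.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        raise ValueError("token lacks required scope(s): " + ", ".join(sorted(missing)))
    return granted
```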

Service Accounts Applications via Google API

Google APIs can act on behalf of an application without accessing user-specific information. When an application accesses these APIs, it needs to prove its own identity, but there is no need to gain a user’s approval. In enterprise scenarios, an application can request delegated access to some resources. Google’s OAuth 2.0 endpoint supports these types of server-to-server interactions, which makes this the optimum choice for a Business Intelligence (BI) solution because we can use a script task and not require any user interaction to complete the authorization process. Once the service account is created, you have access to the private key and a client ID. You use the private key and client ID to create a signed JWT and construct an access-token request in the appropriate format. Your application then sends the token request to the Google OAuth 2.0 Authorization Server, which returns an access token. The application then uses the access token to gain access to a Google API. When the token expires (1 hour expiration time), the application should repeat the process.
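The signed JWT and token request described above, as an added example that is not code from the original post. To stay runnable on the standard library it signs with a constructed toy RSA key and a hand-written RS256 routine; both are assumptions made for illustration, and a real integration signs with the service account's issued private key through a maintained library.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
# Constructed toy RSA key (two Mersenne primes) so the example needs no
# third-party package. NOT secure: stands in for the service account's key.
E = 65537
N = (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
KEY_LEN = (N.bit_length() + 7) // 8
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pkcs1_v15_pad(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as RS256 requires."""
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    padding = b"\xff" * (KEY_LEN - len(digest_info) - 3)
    return b"\x00\x01" + padding + b"\x00" + digest_info

def signed_jwt(issuer, scope, now):
    """header.claims.signature assertion identifying the service account."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": issuer, "scope": scope, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + 3600}  # assertion valid for one hour
    signing_input = ".".join(b64url(json.dumps(part).encode())
                             for part in (header, claims))
    em = int.from_bytes(pkcs1_v15_pad(signing_input.encode()), "big")
    signature = pow(em, D, N).to_bytes(KEY_LEN, "big")
    return signing_input + "." + b64url(signature)

def token_request_body(jwt):
    """Form body POSTed to the token endpoint to obtain the access token."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": jwt})

def signature_is_valid(jwt):
    """Public-key check of the kind the authorization server performs."""
    signing_input, _, sig = jwt.rpartition(".")
    raw = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    recovered = pow(int.from_bytes(raw, "big"), E, N).to_bytes(KEY_LEN, "big")
    return recovered == pkcs1_v15_pad(signing_input.encode())
```

Because the private key alone is enough to mint tokens with no user present, the key file used by a scheduled BI job deserves the same handling as a password: restricted file permissions, no source control, and rotation when staff or hosts change.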

To learn more about BI and all of the exciting new features SWC has for the business intelligence community, please join us for our next informative Business Intelligence event.

If you enjoyed this post from Jason, please check out a few of our past posts on business intelligence:

My Search For The Business Intelligence Chupacabra
Ask SWC: What’s So Great About Tableau?
An Agile Approach to Business Intelligence
How to Fast Track Business Intelligence
Can’t afford BI? Try the BI Analytics Tools in Everyday Software
How to Break Business Intelligence Users’ Excel Addiction
Ask SWC: What Is A New Technology That You Find Interesting?
Agile BI Software Solution
SWC’s Virtual Database Administration (VDBA) Solution