Authenticating in a Google sheets application


I have a batch-like application which is periodically invoked by a scheduler, no human user involved. It uses the Perl Net::Google::Spreadsheets package to update some cells in a Google Sheets spreadsheet with data fetched from a database.

For a long time it was simple to authenticate itself by just providing a username and a password to the 'new' method of the package. But lately, Google requires us to authenticate using the OAuth2 protocol.

J.T. provided a solution that I am sure is very helpful to many people more knowledgeable than I am. I would appreciate it, however, if somebody could answer some questions to clarify it, as follows:

  1. Creating credentials: once you created a project in the Google Developer Console and you are asking to create a new client ID, you are presented with three options:

    • For a "Web Application" (It then asks to provide an "Authorized JavaScript origins" and an "Authorized redirect URIs". Are these relevant to my situation?)
    • For a "Service Account" (I suspect this is the choice for me, but without answers to the following questions I can't verify it.)
    • For an "Installed application" (Can one give examples of such?)

    Which one should I choose for my application?

  2. Should I ask for a JSON or a P12 key?

  3. What do I do with the various types of entities I get? What do I embed in the Perl script?

  4. At line 13, J.T. commented that "you will need to put code here and receive a token". What kind of code? Doing what?

  5. Since there is no human user, I need the application to do the full authentication process by itself. J.T.'s code prompts a user for a 'code'. Is this code one of the "credentials" entities? How do I do it?

In other words, I need somebody to walk me gently through the whole process, step by small step.

Thanks folks!

MeirG

ELNJ On BEST ANSWER

I had to go through this too, without knowing much at the start, so I'm happy to help explain it. Here are the answers, but feel free to ask for clarification. Basically, you need to first run a script that requires manual intervention - this lets you obtain an access token from Google, which your batch-like script can then use over and over without human intervention. So you have to jump through some hoops at the start, but once that's done, you're all set. So:

  1. Choose "web application". Not intuitive, but it will work.

1b. You'll be asked to configure a "consent screen". Doesn't really matter what you put here - just give the project a title.

1c. For "redirect uri", delete the provided "example.com" value and enter "https://developers.google.com/oauthplayground".

Ignore the JSON and P12 keys; they are for other types of applications. Once you fill in the above info and click "Create Client ID", you'll get a page (after a pause) that displays a client ID and client secret. Those are the two strings you'll need in the code below.

The code below is essentially the same solution that you linked to above (and I relied heavily on it), but I've edited it to change a few things, primarily to give more information about what's going on. Once you have added your client ID and client secret to the code below, run it. Then you'll go through these steps:

  1. Copy the URL that the script prints out, and paste it in a browser.
  2. Log into Google if it asks you to. Then click "allow access" on the next page.
  3. On the following page in the browser, there will be a box toward the left labeled "Authorization code". (Like this: https://members.orcid.org/sites/default/files/image06.png but your auth code will be longer.) Don't click the button below the code, but do copy that string, being sure to get the whole thing (which may stretch out of sight in the dialog box).
  4. Go back to the terminal where you ran the script, and paste in the code you've copied.

If all goes well, the script will exchange that code for an access token, and save the token on disk. Then your batch script can use that token repeatedly.

Here's the expanded code to do all of this:

#!/usr/bin/perl

# Code to get a web-based token that can be stored 
# and used later to authorize our spreadsheet access. 

# Based on code from https://gist.github.com/hexaddikt/6738162

#-------------------------------------------------------------------

# To use this code:

# 1. Edit the lines below to put in your own
#    client_id and client_secret from Google. 
# 2. Run this script and follow the directions on 
#    the screen, which will step you 
#    through the following steps:
# 3. Copy the URL printed out, and paste 
#    the URL in a browser to load the page. 
# 4. On the resulting page, click OK (possibly
#    after being asked to log in to your Google 
#    account). 
# 5. You will be redirected to a page that provides 
#    a code that you should copy and paste back into the 
#    terminal window, so this script can exchange it for
#    an access token from Google, and store the token.  
#    That will be the token the other spreadsheet access
#    code can use. 


use Net::Google::DataAPI::Auth::OAuth2;
use Net::Google::Spreadsheets;
use Storable; #to save and restore token for future use
use Term::Prompt;

# Provide the filename in which we will store the access 
# token.  This file will also need to be readable by the 
# other script that accesses the spreadsheet and parses
# the contents. 

my $session_filename = "stored_google_access.session";


# Code for accessing your Google account.  The required client_id
# and client_secret can be found in your Google Developer's console 
# page, as described in the detailed instruction document.  This 
# block of code will also need to appear in the other script that
# accesses the spreadsheet. 

# Be sure to edit the lines below to fill in your correct client 
# id and client secret!
my $oauth2 = Net::Google::DataAPI::Auth::OAuth2->new(
    client_id => 'your_client_id.apps.googleusercontent.com',
    client_secret => 'your_client_secret',
    scope => ['http://spreadsheets.google.com/feeds/'],
    redirect_uri => 'https://developers.google.com/oauthplayground',
                             );
# We need to set these parameters this way in order to ensure 
# that we get not only an access token, but also a refresh token
# that can be used to update it as needed. 
my $url = $oauth2->authorize_url(access_type => 'offline',
                 approval_prompt => 'force');

# Give the user instructions on what to do:
print <<END

The following URL can be used to obtain an access token from
Google.  

1. Copy the URL and paste it into a browser.  

2.  You may be asked to log into your Google account if you 
were not logged in already in that browser.  If so, go 
ahead and log in to whatever account you want to have 
access to the Google doc. 

3. On the next page, click "Accept" when asked to grant access. 

4.  You will then be redirected to a page with a box in the 
left-hand column labeled  "Authorization code".  
Copy the code in that box and come back here. 

Here is the URL to paste in your browser to get the code:

$url

END
    ;

# Here is where we get the code from the user:
my $code = prompt('x', 'Paste the code obtained at the above URL here: ', '', ''); 

# Exchange the code for an access token:
my $token = $oauth2->get_access_token($code) or die;

# If we get to here, it worked!  Report success: 
print "\nToken obtained successfully!\n";
print "Here are the token contents (just FYI):\n\n";
print $token->to_string, "\n";

# Save the token for future use:
my $session = $token->session_freeze;
store($session, $session_filename);

print <<END2

Token successfully stored in file $session_filename.

Use that filename in your spreadsheet-access script to 
load the token as needed for access to the spreadsheet data. 

END2
    ;

Once you've gotten that working and have the token stored on disk, then the beginning of your batch script can set up the spreadsheet access like this:

use Net::Google::Spreadsheets;
use Net::Google::DataAPI::Auth::OAuth2;
use Net::OAuth2::AccessToken;
use Storable;

# Authentication code based on example from gist at 
#  https://gist.github.com/hexaddikt/6738247

# Get the token that we saved previously in order to authenticate:
my $session_filename = "stored_google_access.session";


# Be sure to edit the lines below to fill in your correct client 
# id and client secret!
my $oauth2 = Net::Google::DataAPI::Auth::OAuth2->new(
    client_id => 'your_client_id.apps.googleusercontent.com',
    client_secret => 'your_client_secret',
    scope => ['http://spreadsheets.google.com/feeds/'],
    redirect_uri => 'https://developers.google.com/oauthplayground',
                             );

# Deserialize the file so we can thaw the session and reuse the refresh token.
# The variable must match the $session_filename declared above.
my $session = retrieve($session_filename);

my $restored_token = Net::OAuth2::AccessToken->session_thaw($session,
                                auto_refresh => 1,
                                profile => $oauth2->oauth2_webserver,
                                );

$oauth2->access_token($restored_token);
# Now we can use this token to access the spreadsheets 
# in our account:
my $service = Net::Google::Spreadsheets->new(
                         auth => $oauth2);
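
The session file written by the first script holds a refresh token, and Storable's own documentation warns against retrieving data from untrusted sources. The following is an added example, not part of the original answer: it writes the file readable only by its owner and checks ownership and mode before deserializing it. The helper names store_session_private and retrieve_session_checked are hypothetical, POSIX file permissions are assumed, and the session hash is constructed placeholder data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);
use Storable qw(store retrieve);

# Write the frozen session so that only the owning user can read it.
sub store_session_private {
    my ($session, $path) = @_;
    my $old_umask = umask(0077);    # files created from here on get mode 0600
    my $ok = eval { store($session, $path) };
    my $err = $@ || $!;
    umask($old_umask);
    die "could not store session in $path: $err\n" unless $ok;
    chmod(0600, $path) or die "chmod $path: $!\n";    # tighten a pre-existing file too
    return $path;
}

# Refuse to deserialize a session file that another user could have read or replaced.
sub retrieve_session_checked {
    my ($path) = @_;
    my @st = lstat($path) or die "cannot stat $path: $!\n";
    die "$path is not a regular file\n" unless S_ISREG($st[2]);
    die "$path is not owned by the current user\n" unless $st[4] == $>;
    die sprintf("%s has mode %04o, expected 0600\n", $path, S_IMODE($st[2]))
        if S_IMODE($st[2]) & 0077;
    return retrieve($path);
}

# Demonstration with a constructed session (placeholder values, not a real token).
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/stored_google_access.session";
my $fake = { access_token => 'constructed-access', refresh_token => 'constructed-refresh' };

store_session_private($fake, $file);
my $back = retrieve_session_checked($file);
print "round trip ok\n" if $back->{refresh_token} eq $fake->{refresh_token};

chmod(0644, $file) or die "chmod $file: $!\n";    # simulate a world-readable file
eval { retrieve_session_checked($file); 1 } or print "refused: $@";
```

In the two scripts above, store_session_private would take the place of the bare store() call and retrieve_session_checked the place of retrieve(), run under the same account as the scheduler job.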