Closed btbonval closed 9 years ago
Google Client Secrets use in code:
Google p12 Key use in code:
It looks like we only use client_secrets.json for extracting the service account email address. How is that different from GOOGLE_USER environment variable?
In the signed credentials, we're using extracted email as a positional parameter and GOOGLE_USER as a keyword parameter for sub. Looking at production, GOOGLE_USER refers to the user whose Drive is being accessed, while the service account email address is a uniquely generated account for API access. So these are distinct.
When downloading the p12 key, no auxiliary information is given in that file. However, looking at the Credentials page where the p12 key is downloaded, they do have an "email address" which looks like the same sort of unique email address for the service account. We could probably code this into environment directly and skip the client_secrets.json part, but documentation would need to note that.
Commit in 1b3d2eb88eba7a2a7b9d6de44a6fc467d7d7ee70
Untested, but should suffice. These changes need to be submitted to beta and tested there before this ticket can officially be closed.
Peeking at Drive config for our production Drive user, it looks like we have two different email addresses for the web app and service account, but they only differ slightly.
Looking at the console (numbers changed but consistent across these two examples):
12341234-hrn555@developer.gserviceaccount.com
12341234@developer.gserviceaccount.com
Interestingly, in the json for client_secrets.json used in production and staging, the client_email field is 12341234@developer.gserviceaccount.com, matching the service account, even though client_secrets.json was downloaded for the web app.
That means we should be able to completely drop the web app config in favor of the google service account config for our running Heroku apps following the same instructions as in the updated README.
Applied these changes to the staging system. Uploaded a .doc file and it got converted properly. It seems Google upload/download continues to work with much less work to get it running.
Hooray.
It appears we configure for client_secrets.json, which is a web application style authentication primarily meant for web browsers to access Drive using JavaScript and HTML. The creation of this style of account is poorly documented and in fact not noted besides the expectation of having client_secrets.json.

We also configure for a p12 key, which is the service account style authentication. The service account style authentication makes sense for backend systems running e.g. Python.
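
The distinction discussed in this thread, between the service account address and the Drive user passed as sub, is shown below as an added example (not code from this repository or its commit). It resolves the service account email from the environment with a fallback to the client_email field of client_secrets.json, then builds the claim set that gets signed with the p12 key. The variable name GOOGLE_SERVICE_EMAIL, the JSON nesting, and the sample values are assumptions.

```python
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"      # Google OAuth 2.0 token endpoint
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"  # full Drive access scope


def service_account_email(env, secrets_text=None):
    """Prefer the environment; fall back to client_email in client_secrets.json."""
    email = env.get("GOOGLE_SERVICE_EMAIL")  # hypothetical variable name
    if not email and secrets_text:
        data = json.loads(secrets_text)
        # Assumed layout: client_email at top level or under "web"/"installed".
        for section in (data, data.get("web", {}), data.get("installed", {})):
            if section.get("client_email"):
                email = section["client_email"]
                break
    if not email:
        raise ValueError("service account email not configured")
    if not email.endswith(".gserviceaccount.com"):
        raise ValueError("not a service account address: %s" % email)
    return email


def delegation_claims(env, secrets_text=None, now=None, lifetime=3600):
    """Claim set for the signed JWT: iss is the service account, sub the Drive user."""
    iss = service_account_email(env, secrets_text)
    sub = env.get("GOOGLE_USER")
    if not sub:
        raise ValueError("GOOGLE_USER not set")
    # Swapping the two identities is the easy mistake; reject it before signing.
    if sub == iss or sub.endswith(".gserviceaccount.com"):
        raise ValueError("GOOGLE_USER must be the Drive user, not the service account")
    iat = int(now if now is not None else time.time())
    return {"iss": iss, "sub": sub, "scope": DRIVE_SCOPE,
            "aud": TOKEN_URI, "iat": iat, "exp": iat + lifetime}


# Constructed sample input; the address reuses the altered example from the thread.
SAMPLE_SECRETS = json.dumps(
    {"web": {"client_email": "12341234@developer.gserviceaccount.com"}})
SAMPLE_ENV = {"GOOGLE_USER": "drive-owner@example.com"}

if __name__ == "__main__":
    print(json.dumps(delegation_claims(SAMPLE_ENV, SAMPLE_SECRETS), indent=2))
```

With the email supplied through the environment, the only secret left to provision is the p12 key itself.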