using two different styles of Google authentication

[btbonval]

It appears we configure for client_secrets.json, which is a web application style authentication primarily meant for web browsers to access Drive using Javascript and HTML. The creation of this style of account is poorly documented and in fact not noted besides the expectation of having client_secrets.json.

We also configure for a p12 key, which is the service account style authentication. The service account style authentication makes sense for backend systems running e.g. Python.

1. Do we use web application style authentication at all?
2. If we use it, can we remove it and consolidate into strictly service account auth?

[btbonval]

Google Client Secrets use in code:

• https://github.com/FinalsClub/karmaworld/blob/9c3e0a8e831a1e5f83f50e2c56228d2d65e5e7f6/karmaworld/apps/notes/gdrive.py#L36 (loading from environment)
• https://github.com/FinalsClub/karmaworld/blob/9c3e0a8e831a1e5f83f50e2c56228d2d65e5e7f6/karmaworld/apps/notes/gdrive.py#L53 (extract email address)
• https://github.com/FinalsClub/karmaworld/blob/9c3e0a8e831a1e5f83f50e2c56228d2d65e5e7f6/karmaworld/apps/notes/gdrive.py#L57-L59 (submit extracted email address for auth)

Google p12 Key use in code:

• https://github.com/FinalsClub/karmaworld/blob/9c3e0a8e831a1e5f83f50e2c56228d2d65e5e7f6/karmaworld/apps/notes/gdrive.py#L37 (loading from environment)
• https://github.com/FinalsClub/karmaworld/blob/9c3e0a8e831a1e5f83f50e2c56228d2d65e5e7f6/karmaworld/apps/notes/gdrive.py#L56 (decoding p12 key)
• https://github.com/FinalsClub/karmaworld/blob/9c3e0a8e831a1e5f83f50e2c56228d2d65e5e7f6/karmaworld/apps/notes/gdrive.py#L57-L59 (using p12 key for auth)

[btbonval]

It looks like we only use client_secrets.json for extracting the service account email address. How is that different from GOOGLE_USER environment variable?

In the signed credentials, we're using extracted email as a positional parameter and GOOGLE_USER and a keyword parameter for sub. Looking at production, GOOGLE_USER refers to the user whose Drive is being accessed, while the service account email address is a uniquely generated account for API access. So these are distinct.

When downloading the p12 key, no auxiliary information is given in that file. However, looking at the Credentials page where the p12 key is downloaded, they do have a "email address" which looks like the same sort of unique email address for the service account. We could probably code this into environment directly and skip the client_secrets.json part, but documentation would need to note that.

[btbonval]

Commit in 1b3d2eb88eba7a2a7b9d6de44a6fc467d7d7ee70

Untested, but should suffice. These changes need to be submit to beta and tested there before this ticket can officially be closed.

[btbonval]

Peeking at Drive config for our production Drive user, it looks like we have two different email addresses for the web app and service account, but they only differ slightly.

Looking at the console (numbers changed but consistent across these two examples):

• web app: 12341234-hrn555@developer.gserviceaccount.com
• service account: 12341234@developer.gserviceaccount.com

Interestingly, in the json for client_secrets.json used in production and staging, the client_email field is 12341234@developer.gserviceaccount.com, matching the service account, even though client_secrets.json was downloaded for the web app.

That means we should be able to completely drop the web app config in favor of the google service account config for our running Heroku apps following the same instructions as in the updated README.

[btbonval]

Applied these changes to the staging system. Uploaded a .doc file and it got converted properly. It seems Google upload/download continues to work with much less work to get it running.

Hooray.