SCRT-HQ / PSGSuite

PowerShell module for Google / G Suite API calls wrapped in handy functions. Authentication is established using a service account via P12 key to negate the consent popup and allow for greater hands-off automation capabilities.
https://psgsuite.io/
Apache License 2.0

Service Account JSON authentication #273

Closed FISHMANPET closed 4 years ago

FISHMANPET commented 4 years ago

This is a continuation of the work I started in #255. You had some questions about the JSONServiceAccountKey, and at the time I was too busy to reply. Well suddenly for some reason I find myself with plenty of time on my hands 😄 and I'm coming back around to this.

The JSONServiceAccountKey that I implemented is different from the ClientSecretsPath that was already there. ClientSecretsPath is a JSON file backing an OAuth profile that authenticates as a user, whereas the JSONServiceAccountKey represents a service account.

Here's a sample client secret (which I know you know what it looks like but for completeness):

{
    "web": {
        "client_id": "stuff.apps.googleusercontent.com",
        "project_id": "project",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "secrey",
        "redirect_uris": [
            "http://localhost:8080/oauth2callback",
            "http://localhost:8080"
        ]
    }
}

Compared to a JSON representing a service account:

{
  "type": "service_account",
  "project_id": "projectid",
  "private_key_id": "keyid",
  "private_key": "the text of the p12 cert goes here",
  "client_email": "email@email",
  "client_id": "clientid",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/email%40email"
}

So, anyway, quite different. It's created when you create a key for a service account: instead of creating a P12 you can get a JSON file (which actually contains the P12 plus all the other stuff about the account).

When you took out the JSONServiceAccountKey stuff you actually left the parts in New-GoogleService that used it. I'm looking back at what I wrote as well, particularly for Get-PSGSuiteConfig; my intent was that if you specified JSONServiceAccountKey it would attempt to read as much data as possible from it (AppEmail and ServiceAccountClientID), though looking at my code again I didn't actually succeed at that. Ultimately it may seem a little bit silly to import a JSON file into the PSGSuite config file when P12 is perfectly functional, but as the screenshot above shows, JSON is the recommended key type for a service account, over the P12. For example, the code to create a credential with a JSON file vs P12 is much simpler.

While I'm at it, probably gonna figure out a way to import a full config without saving it as a JSON file.
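An added example of what that parsing could look like (my illustration, not PSGSuite's own code): a PowerShell function that tells the two JSON shapes above apart and pulls AppEmail and ServiceAccountClientID out of a service-account key, while leaving the private key in the file. The function name and the output field names are assumptions.

```powershell
# Added example, not part of PSGSuite: classify a Google JSON key file and extract the
# config fields a service-account profile needs, without ever echoing private_key.
# Function name and output property names are assumptions for illustration.
function Read-GoogleJsonKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path $_ -PathType Leaf })]
        [string]$Path
    )

    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $names = $json.PSObject.Properties.Name

    # OAuth client secrets (the ClientSecretsPath case) nest everything under "web" or "installed".
    if ($names -contains 'web' -or $names -contains 'installed') {
        $client = if ($json.web) { $json.web } else { $json.installed }
        return [PSCustomObject]@{
            KeyType   = 'ClientSecrets'
            ProjectId = $client.project_id
            ClientId  = $client.client_id
        }
    }

    # Service-account key (the JSONServiceAccountKey case): flat object with type = "service_account".
    if ($json.type -ne 'service_account') {
        throw "Unrecognised Google JSON key: expected 'type' = 'service_account' or a 'web'/'installed' block."
    }
    foreach ($field in 'client_email', 'client_id', 'private_key', 'private_key_id') {
        if ([string]::IsNullOrWhiteSpace($json.$field)) {
            throw "Service account key is missing '$field'."
        }
    }

    # Map onto the PSGSuite config names discussed in the thread; only report that a
    # PEM private key is present, never its contents.
    return [PSCustomObject]@{
        KeyType                = 'ServiceAccount'
        ProjectId              = $json.project_id
        AppEmail               = $json.client_email
        ServiceAccountClientID = $json.client_id
        PrivateKeyId           = $json.private_key_id
        HasPrivateKey          = [bool]($json.private_key -match '-----BEGIN (RSA )?PRIVATE KEY-----')
    }
}

# Usage: Read-GoogleJsonKey -Path .\service-account.json
```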

scrthq commented 4 years ago

Hey @FISHMANPET - Thanks for revisiting and clarifying the intent! This makes a bit more sense now. I really like the value add here and with you involved in general, so I've shot you an invite to join the repo as a contributor. Let's sync up on this some time, looking forward to seeing the completed code!! 🙂