[Google Authentication Core] Changes needed for Gmail and YouTube Integration components
Forge component by Miguel Amado
Application Type
Reactive, Service

Hey all, nice job on the trusted component!


I am working on the following new components, and I want to leverage Google Authentication Core's OAuth2 Actions:

  • YouTube Integration Service
    • Features: video upload, get video statistics, get/set video metadata, get/set video thumbnail, etc.
  • Gmail Integration Service (spiritual successor of Google Gmail Connector)
    • Features: list emails, send emails, mark emails as read, manage tags, etc.


However, because we intend to use these components on automated scripts (e.g. Timers), we need to be able to run the various Token Actions from Google Authentication Core on behalf of another user (instead of relying on GetUserId()).


For that, I've made the following changes (pictures below), basically adding an optional UserId field to the Token Actions -- if UserId is null, it defaults to GetUserId(), otherwise it uses the provided user identifier (similarly to the native Check<RoleName>Role() functions).



This will not introduce any breaking changes to consumers, since the new UserId field is optional.


I would love it if you guys consider merging this new version into Google Authentication Core (or accepting me into the team so that I can publish it myself, either way works), since this will be a requirement for us to use these two new Gmail and YouTube components.


I realize that uploading a new version will do away with the Trusted badge for a moment, but considering it's a minor change, and that all new fields have descriptions, OutSystems should be able to mark this as trusted again pretty soon.


Awaiting your response, thanks!

GoogleAuthenticationCoreOptionalUserId.oml

Hello Caio,

Sorry for the delayed response. 

How are you impersonating users in services ? The user needs to log in on the browser in order to have the token right ? If we add in the UserId input, aren't we raising a security issue since I can get tokens from other users that logged in the browser by using other UserIds ? 


Best Regards,
Miguel Amado

Hi Miguel, no problem.


Currently, we are using a SiteProperty that has been set to a specific User Identifier of a user who got authenticated using the GoogleAuth login block (and then accepted the scopes that we had set for that module in Google Authentication Management).

Within a Service-only context, I don't see any security concerns since Site Properties are only available server-side.

With that said, I do realize that it introduces the risk of having a developer incorrectly including the GetToken Server Action directly inside a Client Action, which would in turn open a security hole that allows the end-user to manipulate the provided UserId parameter (which is obviously very bad!).

However, I don't think GetToken should be used in any client context in the first place. Thoughs on mitigating it by, instead of adding the optional UserId input to GetToken, we created a separate Server Action called GetTokenByUserId with a note about the security implications of using it incorrectly in the description?

Hello ,

I think that what you should be using google service account for what you are trying to do. In terms of the concept of doing server side computations in scripts, makes more sense to me.
You can check this extension to get tokens for service accounts: https://www.outsystems.com/forge/component-overview/1363/googleapitoken

Regarding the GetTokenByUserId, I feel it shouldn't be a method offered by this google core component in terms of OAuth authentication using the front end to login. Although it works for your specific case, I think in the general cases we want to promote the use of it for users that are logged into a session.

On the future, this component could also have an entity to store service account configurations for sure.

Cheers,
Miguel Amado

Hi Miguel, thanks for your response.

YouTube does not support service accounts. Please refer to the following snippet from the docs:

https://developers.google.com/youtube/v3/docs/errors#youtube.api.RequestContextError-unauthorized-youtubeSignupRequired

This makes sense since you need a real account to upload a video to YouTube (i.e. a service account cannot 'own' videos on YouTube, only real users authenticated through OAuth2 can).

I consider that the main value of a YouTube OutSystems component comes from the possibility of allowing the developer to automatize monotonous tasks, such as uploading multiple YouTube videos in bulk, setting custom thumbnails automatically, etc. Otherwise, I don't see an advantage in forcing them to log into an OS front-end only to do the same manual tasks that they could do directly in YouTube Studio.

I understand your concern regarding security and potential developer misuse/misimplementation, but unfortunately I don't see a way around that (other than having a mechanism for grabbing an OAuth2 token from users other than the one that is currently logged-in). Do you have any other thoughts?

Haven't tested it in Gmail yet but I imagine that it probably shares that same problem (i.e. can't read mailbox from a service account).

Thanks.

Here's a follow-up idea. Users generated by Google Authentication Core receive an External_Id value. What about having a new function for generating the OAuth2 Token, but this one receives the user's External_Id parameter instead of UserId? At least it's a bit safer than using a sequential identifier.

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.