This guide describes how an application authorizes requests to the Management API.
- Advantages Of Private Key Encryption
- Google Authenticator Private Key View Generate Account
- Google Authenticator Key Code
- Google Authenticator App Key
- Google Authenticator Private Key View Generate Download
Authorizing Requests
I read and think for a long while, and there should be two answers to your question: to set up Google Authentication and to find Google Authenticator lost key. I’ll detail the first answer and the article Where Do I Find My Lost Google Authenticat. Google Authenticator generates 2-Step Verification codes on your phone. 2-Step Verification provides stronger security for your Google account by requiring a second step of verification when you sign in. Mar 20, 2019 This PHP class can be used to interact with the Google Authenticator mobile app for 2-factor-authentication. This class can generate secrets, generate codes, validate codes and present a QR-Code for scanning the secret. It implements TOTP according to RFC6238.
Before users can view their account information on the Google Analytics web site, they must first log in to their Google Accounts. Similarly, when users first access your application, they need to authorize your application to access their data.
- Generate QR Codes for Google Authenticator. When you switch to a new phone it can be a pain to add your accounts to Google Authenticator. The secret key, without.
- You have successfully configured your YubiKey for authenticator codes! To view the credential, tap and hold your YubiKey on the back of your phone where the NFC antenna is located. Yubico Authenticator displays the six digit code associated with this credential. This is the code you need to enter to authenticate when using two-factor.
Every request your application sends to the Analytics API must include an authorization token. The token also identifies your application to Google.
About authorization protocols
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
Authorizing requests with OAuth 2.0
All requests to the Analytics API must be authorized by an authenticated user.
The details of the authorization process, or 'flow,' for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:
- When you create your application, you register it using the Google API Console. Google then provides information you'll need later, such as a client ID and a client secret.
- Activate the Analytics API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)
- When your application needs access to user data, it asks Google for a particular scope of access.
- Google displays a consent screen to the user, asking them to authorize your application to request some of their data.
- If the user approves, then Google gives your application a short-lived access token.
- Your application requests user data, attaching the access token to the request.
- If Google determines that your request and the token are valid, it returns the requested data.
Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.
Here's the OAuth 2.0 scope information for the Analytics API:
Scope | Meaning |
---|---|
https://www.googleapis.com/auth/analytics.readonly | Read-only access to the Analytics API. |
https://www.googleapis.com/auth/analytics.edit | Edit Google Analytics management entities. |
https://www.googleapis.com/auth/analytics.manage.users | View and manage user permissions for Analytics accounts. |
https://www.googleapis.com/auth/analytics.manage.users.readonly | View Google Analytics user permissions. |
To request access using OAuth 2.0, your application needs the scope information, as well asinformation that Google supplies when you register your application (such as the client ID and theclient secret).
Tip: The Google APIs client libraries can handle some of the authorization process for you. They are available for a variety of programming languages; check the page with libraries and samples for more details.
Common OAuth 2.0 Flows
The following lists common use cases for specific OAuth 2.0 flows:
Web Server
This flow is good for automated, offline, or scheduled access of a user's Google Analytics data.
Example:
- Automatically updating user dashboards with the latest Google Analytics data.
Client-side
This flow is ideal for applications when users interact directly with the application to access their Google Analytics data within a browser. It eliminates the need for server-side capabilities, but it makes automated, offline, or scheduled reporting impractical.
Example:
- A browser based reporting tool such as the Analytics Query Explorer.
Installed Applications
This flow is for applications that are distributed as a package and installed by the user. This flow requires that the application or user have access to a browser to complete the authentication flow.
Examples:
- A desktop widget on a PC or Mac.
- A plugin for a content management system — The benefit of this flow compared to web server or client-side is that a single API Console project can be used for your application. This allows for consolidated reporting and a simpler installation for users.
Service Accounts
Service accounts are useful for automated, offline, or scheduled access to Google Analytics data for your own account. For example, to build a live dashboard of your own Google Analytics data and share it with other users.
To get started using Analytics API, you need to firstusethe setup tool, which guides you through creating a project in theGoogle API Console, enabling the API, and creating credentials.
To set up a new service account, do the following:
- Click Create credentials > Service account key.
- Choose whether to download the service account's public/private key as a standard P12 file, or as a JSON file that can be loaded by a Google API client library.
Your new public/private key pair is generated and downloaded to your machine;it serves as the only copy of this key. You are responsible for storing itsecurely.
Note: You need to add the service account email address as an authorized user of the view (profile) you want to access.Advantages Of Private Key Encryption
Troubleshooting
Your authorization fails in these situations:
You will get a
401
status code if youraccess_token
has expired or if you are using the wrong scope for the API.You will get a
403
status code if the authorized user does not have access to the view (profile). Make sure you are authorized with the correct user and that they indeed have the view (profile) you have selected.
OAuth 2.0 playground
This tool allows you to go through the entire authorization flow through a web interface. The tool also displays all the HTTP request headers required for making an authorized query. If you can't get authorization to work in your own application, you should try to get it working through the OAuth 2.0 playground. Then you can compare the HTTP headers and request from the playground to what your application is sending to Google Analytics. This check is a simple way to ensure you format your requests properly.
Invalid grant
When you try to use a refresh token, the following returns you an invalid_grant
error:
- Your server's clock is not in sync with network time protocol - NTP.
- The refresh token limit has been exceeded.
Applications can request multiple refresh tokens to access a single Google Analytics account.
Google Authenticator Private Key View Generate Account
For example, if a user wants to install an application on multiple machines and access the same Google Analytics account, then a separate token would be required for each machine. When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant
error response is returned.
The limit for each unique pair of OAuth 2.0 client and Google Analytics account is 25 refresh tokens. If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid. The 27th requested refresh token would invalidate the 2nd previously issued token and so on.
Note: The limit of 25 refresh tokens is subject to change.- Copyright (c) 2012-2016, http://www.phpgangsta.de
- Author: Michael Kliewe, @PHPGangsta and contributors
- Licensed under the BSD License.
This PHP class can be used to interact with the Google Authenticator mobile app for 2-factor-authentication. This classcan generate secrets, generate codes, validate codes and present a QR-Code for scanning the secret. It implements TOTPaccording to RFC6238
For a secure installation you have to make sure that used codes cannot be reused (replay-attack). You also need tolimit the number of verifications, to fight against brute-force attacks. For example you could limit the amount ofverifications to 10 tries within 10 minutes for one IP address (or IPv6 block). It depends on your environment.
Usage:
See following example:
Running the script provides the following output:
Installation:
Use Composer toinstall the package
From project root directory execute following
composer install
Composer will take care of autoloadingthe library. Just include the following at the top of your file
require_once __DIR__ . '/../vendor/autoload.php';
Run Tests:
Google Authenticator Key Code
- All tests are inside
tests
folder. - Execute
composer install
and then run the tests from project rootdirectory - Run as
phpunit tests
from the project root directory
ToDo:
- ??? What do you need?
Google Authenticator App Key
Notes:
Google Authenticator Private Key View Generate Download
If you like this script or have some features to add: contact me, visit my blog, fork this project, send pull requests, you know how it works.