I've tried to use GCPs Secret Manager in a Winforms C# app I'm creating but I need credentials.json to access the Secret Manager in the first place. This is fine for development but not in production. Perhaps I shouldn't be using a secret manager at all.
Currently I have a local C# winforms app, the user (a customer not admin) using the app locally can select files from the Windows filesystem and upload these files to Google Cloud Storage bucket. I don't have a server at all but if I should I'm not sure what sort of logic should be inside it.
From the comments I think the server should be the middle man that the user logs into, user gets a token and then the user can upload files to gcloud storage bucket via the server using the token. That way I never really give the user a credentials.json file in the first place.
For this architecture I thought I should use a Service Account because the server would be making the gcloud storage bucket upload calls on behalf of an authenticated user but then i see from John Hanley that User Credentials are assumed to start in an insecure environment and I'd want to have the info of "what user did what" in the audit logs.
In my development build I'm storing credentials.json outside of my project directory and pointing to it using environment variables. This works but this answer suggests I encrypt it using Google KMS and decrypt in the application.
In the comments I see that this is not really secure because the Service Account credentials could be exposed.
As per this answer dlls can be decompiled to equivalent C# code, so anybody would be able to see what I've used to decrypt the key.
So now I want to know what architecture should I be using in production and how to make it secure?
I'm thinking of making a GAE instance that stores user information in a database, gives authenticated users a token and uses this token when making calls to upload to gcloud storage bucket. Is this sufficient for a production app?
So I think I'm mainly supposed to use Secret Manager with Service accounts and one of GCPs engines (GAE or GCE) by using the Application Default Credentials instead (please correct me if I'm wrong).
No, you should use a custom service account with the permissions you need when running your workload. You should not store service account credentials in Secret Manager.
I have a url like this to a public Google Drive folder: https://drive.google.com/drive/folders/<fileID>?usp=sharing The permissions are "anyone can edit".
Is it possible to read, write and get information about this folder with the Google Drive API without authentication if the folder in question is public? If not, is there another way to do it without the Google Drive API? If not again, is there another free cloud storage service that offers something like this?
You don't have to provide OAuth2 authentication if the file is public. You only need an API Key. For example you can create a default DriveService
DriveService service = new DriveService();
Then for each request you must set the Key as your API Key.
When making a Web Request providing a scope is not necessary if the file is public.
The big caveat is that you can only read files. To delete, modify or upload files you need to authenticate.
I'm currently working on a Windows service that will check and update Excel files and upload them to selected cloud storage - SharePoint or OneDrive. The whole process should be fully automatic and without any user interaction - all required information (username, password etc.) are part of the config file.
All is going well except the OneDrive part. I'm unable to find a fully automatic solution to login and upload to this cloud storage. I know about Microsoft Live SDK, but 'its support for non-WinPhone and -WinStore apps is reduced and also, to my knowledge, it always requires user to enter username, password (webbrowser component).
The second option is SkyDriveClientAPI (link here), but this API doesn't work anymore (as mentioned in Issues).
Is there way to use Live SDK without user interaction or do you have any other suggestions for a different way?
This is partly achievable
As mentioned in the other answers, one drive requires user authentication , and this makes fully automatic solution impossible.
However an almost automatic solution is possible, meaning an app can be created that will require a single one time login (on first activation) and a following the login, an authorization by the user for the running app, from that point the app will be able to work automatically (
uploading, downloading, folder creation, direct link to uploaded files, etc....), this will continue working, even if application is shutdown, and machine is restarted.
the only way to disengage the application from the one drive connection is to sign out the app (can be achieved automatically).
This can achieved by using the LIVE sdk (desktop) and following the single sign-on guidelines,
you will most likely need access to the following scopes:
wl.basic
wl.signin
wl.skydrive_update
wl.offline_access
check one drive dev center:
window desktop apps
Single sign-on for apps and websites
In order to achieve this behavior i suggest following the next steps:
Download the live desktop source code
Explore the ApiExplorer sample (Live SDK Desktop Code + ApiExplorer code sample) -
this will show you how to login, logout ,download, and upload content.
After using the example to build a basic demo App:
enhance your App to use single sign-on capabilities,
enhance your App to refresh its authentication token (so session wont time out, etc)
You can find information on their API here. Microsoft's One Drive truly aims to be secure and respect the users privacy. Which is why so many permission controls exist in the platform. They truly emphasize the desire to not have orphaned files or applications abusing the automated / upload process without the user expressing permission. To clarify directly from their API, their explicit guidelines are as follows:
Guidelines for apps that interact with OneDrive
Apps that interact with OneDrive must conform to these principles: Upload files to
OneDrive only in response to an explicit user request or choice. Your
apps must always ensure that a user intentionally chooses to save any
new data to OneDrive. Apps must not upload files to OneDrive
automatically without a user making an explicit choice to upload those
files. Here are some examples of conforming apps:
Apps that display an "Upload to OneDrive" or "Share on OneDrive" button that a user must click before each upload of a photo, video, document, or other file.
Document-editing apps that require a user to click an "Upload to
OneDrive" button initially, so that the app can save that document
later without further user interaction.
Here are some examples of nonconforming apps:
Apps that automatically upload to OneDrive any file added to a specific location on a user’s devices.
Apps that automatically back up files or folders to OneDrive.
Use OneDrive for the things that it’s good at. OneDrive includes features both for
high-quality document viewing and editing, and for creating and
sharing beautiful photo albums. If possible, have your apps take
advantage of these features. Don't undermine trust in OneDrive. Over
the years that OneDrive has been available, users have come to trust
it. Preserving that trust is critical and your apps must not undermine
it by doing things that users don’t expect, especially with regard to
data privacy.
Here are some examples of conforming apps:
Apps that upload documents or photos to OneDrive with user-only access as the default.
Apps that warn users that, when the users send a link to their content stored on OneDrive, anyone who receives that link can read the associated files.
Here's an example of a nonconforming app:
An app that makes all shared files in OneDrive publicly accessible by
default, without clearly communicating this behavior to users.
That particular excerpt above, is from here which directly correlates to One Drive's API.
You can circumvent the process of the user, by using the shared One Drive folder. Which will automatically upload / synchronize data. The pitfall though, is if you use the File.Move or File.Copy without explicitly telling the user this file will be stored in your shared file to be uploaded by One Drive. Then you could be violating the terms.
You'll also have to worry about the user related permissions / account to implement that approach.
Two years late for answering, but I think this will be helpful for future use.
Once you registered your application you can get access token without the popup window, see this post Getting Access Token for Microsoft Graph Using OAuth REST API. how to get token (a postman example), I wrote the following code based on this postman example:
A c# exapmle for getting token without the popup window:
public async Task GetTokenAsync(string tenant, string clientId, string clientSecret, string username, string password)
{
HttpResponseMessage resp;
using (var httpClient = new HttpClient())
{
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded"));
var req = new HttpRequestMessage(HttpMethod.Post, $"https://login.microsoftonline.com/{tenant}/oauth2/token/");
req.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
{"grant_type", "password"},
{"client_id", clientId},
{"client_secret", clientSecret},
{"resource", "https://graph.microsoft.com"},
{"username", username},
{"password", password}
});
resp = await httpClient.SendAsync(req);
string content = await resp.Content.ReadAsStringAsync();
var jsonObj = new JavaScriptSerializer().Deserialize<dynamic>(content);
string token = jsonObj["access_token"];
Console.WriteLine(token);
}
}
Once you have token it's easy to sign in.
OneDrive offers a API for uploading files. But one of the limitations in their guidelines is that all uploads via the API has to be user initiated or used accepted. So you can't upload files to OneDrive as a fully automatic process.
One solution may therfor be as gooly suggested in a comment. Copy the files to the local OneDrive folder and let the OneDrive application take care of the upload.
So I am not sure if it is possible and if it is making sense at all. I am trying to learn and use cloud space in my application. So as a sample I was trying to create an application to upload files in Google Drive. I registered my application and used some references given by Google. And I am able to upload files now.
I registered my app using myname#gmail.com and used Client_Id and Client_Secret given in my account to create the app. When I upload the files, files get uploaded to my myname#gmail.com account. But what I want is, my app should give an option to user to login into there gmail accounts. Whoever logs in (say with email your#gmail.com), my app should be able to upload files to there account. I believe offline Google Drive app for desktop works the same way. Enter your username and password and files will sync to that account. Can anyone point me to a sample code please?
I want to upload files, read them, delete them, share them through my app. I am not giving any code sample, but if its needed let me know. Thanks.
You can do it. You will need to navigate user to a specific URL, where he will input his email and password. After that Google will give you authorization code and refresh token. Refresh token can be used to retrieve authorization code whenever it is expired.
This authorization code is used to work with user drive.
If your application is a web application you may navigate user to google and set callback to your custom URL.
If it is a windows forms application, then you have 2 options
Create custom browser window and parse DocumentTitle property
Navigate user's browser and ask him to copy-paste code from title (or do it automatically)
You may download an example from here
Just fill CLIENT_ID and CLIENT_SECRET constants.
I need to download a file from Google drive. I got the code to do that here. In this code they launch a web browser process with an URL which asks user to authorize the API access. After authorization, it provides authorization key which needs to keyed in to our process to actually continue (This is typical oath-2.0 procedure). I want make the entire procedure automated without any user interaction. Thanks in advance.
You can use a service account to get API access without user interaction, however there seems to be no official .NET implementation for it right now.
Someone created a sample here on how to use a service account with Google Analytics in C#.