Feature Request: Enable 2-legged Google OAuth v2 as authentication scheme for creating a new custom Provider

Ingo

Oct 2, 2015, 9:35:02 AM
to Fujitsu RunMyProcess Developer Community
Hi everybody,

I recently tried to use a Google Service Account to use OAuth v2 for server-2-server communication as described here:
[1] https://developers.google.com/identity/protocols/OAuth2ServiceAccount

The idea is to allow an RMP application to access the Google API without acting on behalf of a specific user. For example, this might be useful if an application needs to modify multiple Google calendars of different users without requesting permission from each one.

I asked for support right here explaining my problem:

[2] https://groups.google.com/a/runmyprocess.com/forum/?hl=en&fromgroups#!topic/supportforum/hC5dcEWKpv4

The result is that it is not possible to use an existing RMP Provider/Connector for this purpose.

In the meantime I found a thread discussing the exact same problem which resulted in two different workarounds:

1. create a Google admin account with a hardcoded refresh token that accesses the Google API on behalf of the admin account

2. build an independent web app that handles the generation of the initial JSON Web Token (JWT) as described in Link [1]

The whole discussion can be found here:
[3] https://groups.google.com/a/runmyprocess.com/forum/#!msg/supportforum/DfE9yuJtQpc/QqMB526yvdQJ

From my point of view the problem is that, for generating the JWT, cryptographic operations (hash and sign with a secret key) are necessary. But unfortunately RMP is not able to perform these.

My idea is to add something like "2-legged Google OAuth v2" to the "Authentication Scheme" drop-down in the "create new Provider" mask in RMP. If you choose this scheme, there should be at least one text field where you can enter the private key you get from Google, used to sign the JWT.
Additional text fields are needed for the e-mail address of the Google service account, the scope, etc. (for further information regarding the data necessary to create the JWT see Link [1] in the section "Forming the JWT claim set").
RMP would then use the provided data to perform the generation and signature of the token, send it to the Google authentication server and receive the access token... (something like that)

Please keep in mind that this is just a suggestion as I have no in-depth knowledge regarding the structure and complexity of RMP.

Please let me know if this is a realistic idea. Due to the fact that the drop-down already contains an authentication scheme called "Google 2L Oauth" (for OAuth v1), I think that at least something similar to my suggestion might be possible.


Kind regards,

Ingo
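For readers who want to see what the "generate and sign the token" step the post asks RMP to perform actually involves, here is an added Go example (not code from the post, from RunMyProcess or from Google) that forms the claim set from Link [1], signs it RS256 with a service-account private key, and builds the form body for the token request. The `*rsa.PrivateKey` is assumed to have been parsed from the key Google issues for the service account; the claim field names follow the Google doc, everything else is constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// ClaimSet carries the fields listed under "Forming the JWT claim set" in the Google doc ([1]).
type ClaimSet struct {
	Iss   string `json:"iss"`   // e-mail address of the service account
	Scope string `json:"scope"` // space-delimited API scopes being requested
	Aud   string `json:"aud"`   // the token endpoint the assertion will be sent to
	Exp   int64  `json:"exp"`   // expiry (Unix seconds), at most one hour after Iat
	Iat   int64  `json:"iat"`   // issue time (Unix seconds)
}

// NewClaimSet fills iat/exp from the current time so the assertion is valid for ttl (<= 1h).
func NewClaimSet(iss, scope, aud string, now time.Time, ttl time.Duration) ClaimSet {
	return ClaimSet{Iss: iss, Scope: scope, Aud: aud, Iat: now.Unix(), Exp: now.Add(ttl).Unix()}
}

// BuildAssertion returns base64url(header).base64url(claims).base64url(signature), where the signature
// is RS256 (SHA-256 digest, PKCS#1 v1.5 padding) over the first two parts using the service-account key.
func BuildAssertion(key *rsa.PrivateKey, c ClaimSet) (string, error) {
	enc := base64.RawURLEncoding // JWT segments are unpadded base64url
	claims, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// TokenRequestBody is the x-www-form-urlencoded body POSTed to the token endpoint to exchange the assertion for an access token.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}.Encode()
}
```

The private key never leaves the signer; only the signed assertion is sent, which is why the signing step has to happen wherever the key is stored.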
