IMPORTANT: Picker API change may have broken your application


Jon Emerson

Feb 22, 2014, 12:28:10 AM
to google-p...@googlegroups.com

Hi everyone,


If you are already using the Picker API with OAuth 2.0, you can skip reading.  However, if the Picker API is no longer working properly in your application, the following may apply to you.


Effective this past week, we now require OAuth tokens for everyone requesting Views that deal with user data. We had to bring this change forward from the planned date of April 15th in order to help mitigate a security exposure.


What to do?

  • Obtain the OAuth token by following the instructions here. Make sure you pass the appropriate scopes while obtaining the token depending on the Picker Views you are creating.

  • You can see the list of scopes for different Picker Views here.

  • Pass the obtained OAuth token to the instance of google.picker.PickerBuilder using its setOAuthToken method. This method should be called before PickerBuilder.build() is called.

See example.


We apologize for the inconvenience. If you have any problems in your migration to OAuth authentication, please post to the forum and we'll help you through it.


Thanks,

Google Picker API Team


Kuntal Loya

Feb 26, 2014, 4:43:48 AM
to google-p...@googlegroups.com
Hi everyone,

Please note, even if the Picker API is working for you now, although you are not passing the OAuth tokens needed for requesting Views dealing with user data - it would stop working after March 15, 2014.

Please let us know if you face any issues in migrating to OAuth authentication.

Thanks,
Google Picker API Team


Geoff McQueen

Feb 26, 2014, 6:06:44 AM
to google-p...@googlegroups.com, kun...@google.com
Hi Kuntal/Jon,

This change has caused us a lot of grief; I'm trying to set up our new OAuth credentials BUT the wizard for the JavaScript origins is now allowing a wildcard. Since our clients come from addresses like https://client1.affinitylive.com and https://client2.affinitylive.com I'm worried that this forced use of OAuth combined with a restriction forbidding wildcards means we'll have to remove Google Drive Picker functionality from our application.

Geoff

Tiyab Konlambigue

Feb 26, 2014, 5:02:48 PM
to google-p...@googlegroups.com
Thanks for posting this information... but it's hard to know about this change without having trouble with our app online. As Geoff said, this change has caused us a lot of grief... because we didn't have prior notice about this change.

Geoff McQueen

Feb 26, 2014, 8:43:19 PM
to google-p...@googlegroups.com
We've just published a blog post for our users (feel free to reuse or refer to it if your users are frustrated too): http://www.affinitylive.com/company/blog/google-drive-files-in-attachments/

Kuntal Loya

Feb 27, 2014, 7:58:16 AM
to google-p...@googlegroups.com
Hi all,

We really apologize for the inconvenience.

Regarding wildcards in Javascript origins - you should be able to add multiple origins, one per line which should probably help.



Geoff McQueen | AffinityLive

Feb 27, 2014, 8:43:54 AM
to google-p...@googlegroups.com
Yeah, nah. Not a chance. We've got thousands of them - every client gets their own subdomain. We sign up dozens of new ones a day. Isn't. Going. To. Fly. 
--
Geoff McQueen
Founder & CEO
Office: +1 800.425.7315
Cell: +1 650.450.4384
Skype: geoffmcqueen

Geoff McQueen | AffinityLive

Feb 27, 2014, 8:45:07 AM
to google-p...@googlegroups.com
If we put in the value as a specific domain, can you change it to be a wildcard on your back end, or do your systems ignore the wildcard value at processing time? This is a massive shortcoming... many many many business SaaS products use custom subdomains for their clients.

Kuntal Loya

Feb 27, 2014, 6:20:34 PM
to google-p...@googlegroups.com
Hi Geoff,

There is another approach that some of the Picker API users have used in exactly the same scenario as yours: instead of hosting the picker directly in the client domain, host it in some other domain (say my-fixed-domain.com) which can be iframed inside your clients' domains. Something like this:

client domain -> my-fixed-domain.com in an iframe -> my-fixed-domain.com loads the picker

Your JavaScript origins would then contain my-fixed-domain.com

Hope this helps.

Kuntal Loya

Feb 27, 2014, 6:22:25 PM
to google-p...@googlegroups.com
In case you use this approach, make sure you pass the right 'origin' to the picker using pickerBuilder.setOrigin(<client domain>)
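
The iframe approach above, combined with the announcement's requirement to call setOAuthToken before build(), as an added example that is not Google's or any poster's code. It shows the fixed picker host accepting only tenant origins it recognises before passing one to setOrigin; TENANT_SUFFIX, the 'open-picker' message type and currentToken are hypothetical names.

```javascript
// Added example: runs on the fixed picker host that tenant pages embed in an
// iframe. TENANT_SUFFIX is a hypothetical placeholder for the SaaS's own domain.
const TENANT_SUFFIX = '.example-saas.test';

// Return the canonical origin if `candidate` is an https tenant subdomain on
// the default port, else null. Parsing with URL rejects lookalikes such as
// https://client1.example-saas.test.evil.test and userinfo tricks.
function validateTenantOrigin(candidate) {
  let url;
  try { url = new URL(candidate); } catch (e) { return null; }
  if (url.protocol !== 'https:' || url.port !== '') return null;
  if (url.username || url.password) return null;
  if (!url.hostname.endsWith(TENANT_SUFFIX)) return null;
  const label = url.hostname.slice(0, -TENANT_SUFFIX.length);
  // Exactly one DNS label may precede the suffix.
  if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) return null;
  return url.origin;
}

// Build a picker for a validated parent only. `pickerNs` is google.picker,
// passed in so the function can be exercised outside a browser.
function openPickerFor(pickerNs, parentOrigin, oauthToken, sendToParent) {
  const origin = validateTenantOrigin(parentOrigin);
  if (!origin) throw new Error('untrusted parent origin: ' + parentOrigin);
  if (!oauthToken) throw new Error('OAuth token required for user-data views');
  return new pickerNs.PickerBuilder()
    .addView(pickerNs.ViewId.DOCS)
    .setOAuthToken(oauthToken) // must be called before build()
    .setOrigin(origin)         // the tenant page that frames this host
    .setCallback(function (data) {
      if (data.action !== pickerNs.Action.PICKED) return;
      // Reply to the validated origin only, never '*'.
      sendToParent({ type: 'picked', docs: data[pickerNs.Response.DOCUMENTS] }, origin);
    })
    .build();
}

// Browser wiring (skipped outside a browser). event.origin is set by the
// browser, so the embedding page cannot spoof it.
let currentToken = null; // assumption: assigned by the page's OAuth 2.0 callback
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (event) {
    if (!event.data || event.data.type !== 'open-picker') return;
    if (!currentToken || !validateTenantOrigin(event.origin)) return;
    openPickerFor(google.picker, event.origin, currentToken, function (msg, origin) {
      event.source.postMessage(msg, origin);
    }).setVisible(true);
  });
}
```

A `Content-Security-Policy: frame-ancestors https://*.example-saas.test` response header on the picker host complements this check by stopping other sites from framing the page at all.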

Geoff McQueen

Feb 27, 2014, 6:45:09 PM
to google-p...@googlegroups.com, kun...@google.com
Thanks Kuntal; is the JS file fairly stable (don't want to be playing whack a mole chasing updates if you guys are still making changes to it)?

Kuntal Loya

Feb 27, 2014, 7:41:56 PM
to google-p...@googlegroups.com
The picker API is fairly stable, but let us know if you see any breaking changes.
Also, any important and potentially breaking changes will always be announced on this group.

Thanks for working on this.

Roman Steiner

Feb 28, 2014, 11:10:46 AM
to google-p...@googlegroups.com
Hello,

I'm getting an "Invalid credentials (missing or invalid oAuth token)" error even when I'm not trying to access user data.
Specifically this is my code:

google.load('picker', '1', {callback: pickerReady});
// ...
var picker = new google.picker.PickerBuilder()
    .addView(google.picker.ViewId.MAPS)
    .setCallback(function(data) {
        if (data.action == 'picked') {
            // ...
        }
    })
    .build()
    .setVisible(true);

The only View I'm adding is google.picker.ViewId.MAPS which shouldn't need an oAuth token ( https://developers.google.com/picker/docs/#otherviews ).
Is this the expected behavior? 

thanks, 
Roman 

Roman Steiner

Feb 28, 2014, 1:02:57 PM
to google-p...@googlegroups.com
PS: also adding .setDeveloperKey("...") doesn't change anything.

Kuntal Loya

Feb 28, 2014, 2:27:34 PM
to google-p...@googlegroups.com
Hey Roman,
Thanks for pointing it out, this is not expected - we'll get it fixed.


Kuntal Loya

Feb 28, 2014, 11:48:50 PM
to google-p...@googlegroups.com
Hey Roman, the issue should be fixed now.

Roman Steiner

Mar 1, 2014, 4:36:23 PM
to google-p...@googlegroups.com, kun...@google.com
Hey! 
Thank you! It's working now :)

Damiano Venturin

Mar 28, 2014, 12:33:36 PM
to google-p...@googlegroups.com, kun...@google.com
Hello Kuntal

I've exactly the same problem as Geoff and this change is really annoying.  

The solution with the iframe doesn't look appealing to me and it's a lot of (unplanned) work.

Questions:
  • Do you plan to solve this issue with subdomains somehow in the future versions?
  • If yes, when?
  • Is there a way to update the Javascript Origins set in the control panel via API? 
  • Are there limits in the number of Javascript Origin entries?
Thank you

Geoff McQueen | AffinityLive

Mar 28, 2014, 4:57:51 PM
to google-p...@googlegroups.com
Yeah, it's all pretty ghetto - we've worked around it now but it is frustrating to require all the extra steps when a user just wants to get a file as an alternative to the "browse" dialog. Google Drive/Docs had a great advantage here that helped us push our users in that direction, but now it has taken a number of steps back. The lack of wildcards just makes it even more miserable and sticky taped together; so different to other experiences with Google that might launch early/rough but get better, this one is a regressive step from a usability standpoint at least.



Damiano Venturin

Mar 28, 2014, 6:21:32 PM
to google-p...@googlegroups.com


On Fri, Mar 28, 2014 at 5:57 PM, Geoff McQueen | AffinityLive <geoff....@affinitylive.com> wrote:
> Yeah, it's all pretty ghetto - we've worked around it now but it is frustrating to require all the extra steps when a user just wants to get a file as an alternative to the "browse" dialog. Google Drive/Docs had a great advantage here that helped us push our users in that direction, but now it has taken a number of steps back. The lack of wildcards just makes it even more miserable and sticky taped together; so different to other experiences with Google that might launch early/rough but get better, this one is a regressive step from a usability standpoint at least.

I agree but let's see if Google can surprise us with some good news :-)

Northern Gwinnett

Mar 29, 2014, 1:41:21 PM
to google-p...@googlegroups.com
Hi Jon,

For those of us who are not programmers and have simply plugged Google code into sites hosted by other services (I use Weebly), is there any way to fix this problem? I'm not computer illiterate (well, by Google standards I am), but I don't understand how I can fix this on my end. Is this something the hosting service would have to address or is there a way I can do it?

Northern Gwinnett

Mar 29, 2014, 1:45:06 PM
to google-p...@googlegroups.com
I should've specified - the issue I am having is with an embedded Google Group. I'd like to be able to insert images in posts, but can't because of this issue.

Kuntal Loya

Apr 1, 2014, 8:35:13 AM
to google-p...@googlegroups.com
There's nothing that you can do for that right now. We are working on getting that fixed soon.

Sorry for the trouble.


Northern Gwinnett

Apr 1, 2014, 9:45:08 AM
to google-p...@googlegroups.com, kun...@google.com
Thanks for the response Kuntal. I appreciate it.

Alex Yumas

Apr 4, 2014, 2:05:34 PM
to google-p...@googlegroups.com
We are also a SaaS app (this one - http://www.jitbit.com/hosted-helpdesk/ ) and we also use subdomains for our accounts. BUT we also offer our customers the option to use a CUSTOM DOMAIN for their app (like many many other SaaSes do).

So thanks for screwing this up, Google. We've removed the google-drive feature from our app completely for now. :(

Sweaney

Jun 26, 2014, 2:36:19 PM
to google-p...@googlegroups.com
Invalid credentials (missing or invalid oAuth token)

I have this problem with Google Picker API in my local project while trying to attach a file on GDrive.
But I don't understand what changed.
Can you help me please? What is the specific change and how to fix it in my code?

The other responses in this group are not clear to me.

Andy Gee

Jun 27, 2014, 5:48:16 PM
to google-p...@googlegroups.com
Hi, I've set up a picker from the dev docs last week. How can I tell if I'm already complying with this change?