auth.txt

[Terell Avery]

I have been messing with GAM for a project at work and can't seem to get the automated log in to work. I have the Provisioning API enabled and get results when I run things from the command line and log into the web site manually. However, its crucial that I automate this process. Currently my auth.txt files has the following 3 lines in it. 

domain

user

pasword 

Did I overlook something? I have tried both version 2.3.1 and the 2.5 version of GAM. The computer I am running it on is a iMac with Snow Leopard installed.

-T

[Jay Lee]

Hi terelida,

  auth.txt is deprecated and no longer used by GAM. GAM now uses OAuth authentication exclusively so it does not need to know your admin password. You should delete auth.txt and then run through the instructions in the Getting Started Guide. The resulting oauth.txt file that is created will not expire so you'll be able to use it with automated cron jobs and scheduled jobs.

Regards,

Jay Lee
LCS Deployment Lead  | Dito
(267) 712-9533
j...@ditoweb.com

-T

--
You received this message because you are subscribed to the "Google Apps Manager" group.
To post to this group, send email to
google-ap...@googlegroups.com
To unsubscribe from this group, send email to
google-apps-man...@googlegroups.com
For more options, visit this group at
https://groups.google.com/forum/#!forum/google-apps-manager

[Terell Avery]

Is there any way to automate the first log in or will someone with admin rights be forced to log in the first time? We are hoping to run this on a server with no desktop applications running on it.
Also with OAuth authentication I thought your access token expired at some point. Am I wrong about that?

[Jay Lee]

Hi Terell,

  You should generate the oauth.txt file using a copy of GAM installed on your computer and then copy the file to the server. Recent versions of GAM create an oauth.txt file that is compatible with Windows, Linux and OS X. Put oauth.txt in the same folder as gam.py or gam.exe on the server (depending on which version you downloaded).

  The OAuth token will not expire unless it is manually revoked either by GAM (gam oauth revoke) or in the admin's account who authorized GAM at:

https://accounts.google.com/b/0/IssuedAuthSubTokens

Regards,

Jay Lee
LCS Deployment Lead  | Dito
(267) 712-9533
j...@ditoweb.com

[Terell Avery]

Jay thanks for all the help. This is clearing up a lot of misunderstanding for me. Just a few more questions and I will be out of your hair.

1 Does GAM use Google OAuth 2 APIs?

2 Would you happen to know if I can run GAM on a Solaris box with a oauth.txt file generated on a Mac?

3 I set up a test account with only access to the reporting API and ran GAM with only the reporting scope selected. When I typed "gam report account" the app appears to return a 400 error reason: Bad Request. Any ideas what I might be doing wrong? If I use my full access admin account I get the output I expect.

Thanks Again,
-T

On Jun 6, 2012 7:42 AM, "Jay Lee" <j...@ditoweb.com> wrote:

[Jay Lee]

1) No, GAM uses Oauth 1.0a 3-legged OAuth. Any particular reason you'd need OAuth 2.0?

2) I see no reason why it shouldn't (give it a shot)

3) While the account may have delegated admin access to the reports in the control panel, it will not be able to access the reports via API calls (which is what GAM uses). Google has added a few limited delegated admin API roles for users, groups and organizations but has not further "granularized" the delegations yet.

My suggestion is that you use a super admin account to authorize GAM but you only authorize GAM for the Reporting API scope. The oauth.txt file will not contain the super admin's password so should the oauth.txt file be compromised, the attacker would only be able to access your GA reports as the super admin, he would not for instance, be able to log in to the super admin account or delete users as the super admin.

Regards,

Jay Lee
LCS Deployment Lead  | Dito
(267) 712-9533
j...@ditoweb.com