New Plugin: Google Service Account (FREE)

Hello Everyone:

After having much trial/error on my part trying to authenticate a Google Service Account, I decided to turn it into a free plugin.

The plugin allows you to return (with a two-step workflow) a bearer token which you can use in your own API calls. The plugin is available here: https://bubble.io/plugin/google-service-account-1605833704975x195806677045870600.

I’ve started building additional plugins that include the API calls themselves. So far, here’s what I’ve been able to do:
Google Directory API: https://bubble.io/plugin/google-directory-api-calls-1607300994496x452726785674051600
*Limited to all group interactions for now. Planning on adding Users and then Org. Units next.

I believe in the MIT Licensing, so everything I build on Bubble is open, and I love helping others who get stuck, so if anyone wants help, feel free to email me: me@nicholasrbarrow.com.

Wow. Does the plugin actually create a JWT token under the hood?

Yes it does! It creates the token in a one-step workflow and then you can authenticate it with an included second step (or authenticate on your own with a custom call).

Hi there and congrats launching this under MIT licence.

What would be the immediate use case for this plugin from a functional point of view ?

Hi @lucas.ar:

So I’m the Technology Director for a nonprofit organization that uses GSuite for our user management.

From a functional point, this plugin is only useful for a person/company that (1) has GSuite and (2) needs to pull data from their GSuite in a workflow in Bubble.

To help picture this, here’s how we use this plugin:

1. Plugin authenticates a service account in our GSuite. This is what the Google Service Account plugin does (https://bubble.io/plugin/google-service-account-1605833704975x195806677045870600). This generates an access_token for use in Google API Calls.
2. We have added additional API calls using the second plugin that uses the returned access_token from step 1 for the Google Directory API (https://bubble.io/plugin/google-directory-api-calls-1607300994496x452726785674051600). Whenever a user logs into our website using an email address issued by us (user@our-domain.com) it pulls their organizational unit and any google groups they are in.
3. Additional workflow actions make decisions based on the groups and org. units that are pulled in (assign administrator status, update custom fields in the user object, etc.).

Hope that makes sense! I’m happy to explain more if it’ll help you out!

This is super valuable plugin. Thank you!
What approach do you usually use to update the access token?

Glad you think so! I was hoping to contribute to the community.

I save the token as its own object:
token: String
The plugin automatically generates the token for the maximum time google allows (1 hour). I use the creation date on the token object to determine if it is expired or not.

We use the same token for every user (since it is all just internal for us with minimal security risks). Thus, every time someone sign’s-in to our website, the workflow performs “Do a search for… {access_token object}.” In the search, it filters our requests that have expired. If the count is 0, it generates one; if the count is more than zero, it uses the first item.

Hope that helps!

Hi!
Thank you for tackling this!

Trying to use it, I’m having this error for now

image866×388 68.4 KB

EDIT:
I found the mistake: I should have kept the “private key starts” comments.

I got a token but could get to initialize a call so far

Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See دمج "تسجيل الدخول بحساب Google" في تطبيق الويب  |  Authentication  |  Google for Developers.

Hi @philippe1
That error is usually thrown when there’s an issue with the key that you obtain for your service account. I have instructions for getting a key here: Prerequisites - Bubble Plugins
There are also instructions for what an API call can look like: Creating An JWT Assertion - Bubble Plugins
This all uses the following bubble app example:

Screen Shot 2021-01-31 at 11.37.28 AM347×674 30.3 KB

Essentially, the no start line error is thrown when the plugin can’t find the -----BEGIN PRIVATE KEY----- lines, so make sure you copy and paste like the example I gave above. Hope this helps!

Exactly, I just updated my post
Thank you very much

I had another error because I forgot to populate the 2nd step of the workflow.
Now I have a token and trying to understand why it wont initialize =B

Hi @philippe1
Did you complete the step listed here:
https://thenicholasrbarrowcompany.gitbook.io/bubble-plugins/google-service-account/google-service-account-plugin/google-api-request-bearer-token

Once you have completed this step, you can use this in your api calls. I’ll attach an example in one minute

Screen Shot 2021-01-31 at 11.45.23 AM745×755 52.9 KB

You’ll need to pass the API token as a result of a step in a workflow, because each key is time-sensitive. You’ll need to initialize your call with bubble, which requires you to send a key. My advice and how I solve this:

1. Create a dummy page in bubble called ‘test’ or whatever you want
2. Create a text element on the page.
3. Create a custom state in the text element called ‘output’ or whatever you want.
4. New workflow: when page is loaded… => create assertion with your fields => also authorize/get access token
5. As the third step in this workflow above, set element state => the text element, set ‘output’ variable to the result of step 2
6. Use this as your access token to initialize your calls.

It’s ok the examples on your doc are clear.

I found my mistake, it’s scope related.
With a Drive scope and a Drive call it’s perfect!

Thank you again for the plugin and quick hand!

Now I have to understand the limitations / available scopes for Service Accounts, and see how I build with mixing the classic oauth and service account.

The main issue with classic oauth is using scopes that require the (very expensive) certification by Google…

EDIT: oops cross posting

@philippe1
If you or anyone reading this needs more help, I made an example: http://nrb-tester.bubbleapps.io/version-test/service_initializer (you can view it in the editor and see that it saves no values to database Nrb-tester | Bubble Editor)

nice! I was working with your previous example

Do you know where to find more info about the scopes availables through Service Account?

I’m not sure about Google Analytics and Webmaster Tools for example.

@philippe1
My only suggestion would be to browse the Google Developer docs. That’s how I built the plugin and all my api calls.

This is really useful! Thanks a lot @nicholasrbarrow

Quick question though: I get an authentication error when i pass the access token as a parameter in the URL. But Bearer Token in header works - any idea why that could be?

Hi there! Not sure to be honest, I’ve had mixed luck passing it as a URL parameter. I believe the key needs to be accessToken, but I’m not entirely sure if it will work. I always use the header.

Got it, thanks! And as said, thanks a lot for this - really useful plugin!