
Designing application for multiple users

# 1
Visitor ✭ ✭ ✭

My application allows each user to authorise access to GMB via OAuth2. I store the token for each user in my database. I then use this token to get back a list of accounts via accounts.list. However, it seems like a separate user with a different token can access the other user's GMB accounts.

Am I misunderstanding something about OAuth2 or the GMB API? If so, how do I structure the application such that a user can only access his own list of accounts?


Re: Designing application for multiple users

# 2
Google Employee

Hi @JC L,

You should use your whitelisted project with a single set of OAuth 2.0 credentials across multiple Google Accounts. You do not need to create any additional projects or OAuth 2.0 credentials for your client's top-level Google Accounts in Google My Business since we're only whitelisting one project per company. We suggest you read through this Accepted Solution for using a single set of OAuth 2.0 credentials for separate Google Accounts. When you use your whitelisted project's credentials to obtain an OAuth 2.0 access token for authentication via the Google My Business API, you should be logging in with your specific Google Account. When this token is provided and you are making API calls in your script, you will be able to view and manage all the existing locations within that specific account. You should repeat this process with a single set of OAuth 2.0 credentials for your separate Google Accounts to obtain a token for each Google Account.

Thanks,

The Google My Business API team

Designing application for multiple users

# 3
Visitor ✭ ✭ ✭

Hi @Shalini S,

When you say OAuth2 credentials, are you saying client id and secret? If so, then I am using a single set of credentials.

As you said, I am generating a token per application user (my application) and saving it in my database.

Using 2 users in my application for example -- let's call them A and B. Each user goes through OAuth2 and gets their own token. However, user B with his own token is able to see user A's account using accounts.list. At this point I am using my own Google accounts to test, and I know only one of the users' Google accounts has a GMB location. The GMB account that is returned via accounts.list is a personal (not business) account -- I am not sure if management rights have anything to do with it, as the documentation says: This includes all accounts that the user owns, as well as any accounts for which the user has manage...

I am not sure what I am doing wrong, so this is either a bug with GMB or I am not comprehending the logic of the API.

Also worth noting, I am using the AdWords and Google+ APIs in the same application. With Google+ I am using it to retrieve the email address of the Google account using the same token above. It works as I expected, unlike GMB.

Designing application for multiple users

# 4
Visitor ✭ ✭ ✭

Hi @Shalini S,

Any updates on my question?

Re: Designing application for multiple users

# 5
Google Employee

Hi @JC L,

The method accounts.list lists all of the accounts for the authenticated user. This includes all accounts that the user owns, as well as any accounts for which the user has management rights.

Yes, I meant client ID and client secret for OAuth 2.0 credentials. Since you are using your single set of OAuth 2.0 credentials across multiple Google Accounts, we suggest you check out How to use OAuth 2.0 to Access Google APIs for authentication and authorization. Please note, when using the OAuth 2.0 client ID for authorization, you should store the refresh token for future use and use the access token to access the API. Once the access token expires, the application should use the refresh token to obtain a new one. This way, your application will always be able to request a new access token when necessary. This process requires a user to manually authorize the application only once.

Thanks,

The Google My Business API team
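The token handling the reply above describes, as an added example that is not code from this thread or from Google: one client ID and secret for the whole application, a refresh token stored per application user, and an access token minted from that refresh token on demand and replaced when it expires. The class and function names (TokenStore, AuthClient, list_accounts, FakeGoogle), the sample account data and the stand-in token and accounts.list endpoints are all constructed for the example and no network call is made. The demo also exercises the isolation the question asks about: a call made for app user 2 is sent with user 2's own access token and gets back only the accounts that token was issued for, and an expired token is refreshed rather than failing.

```python
"""Per-user OAuth 2.0 token handling for a multi-tenant app: one client
ID/secret for the whole app, one refresh token kept per app user, access
tokens minted from it and replaced when they expire. Google's endpoints
are replaced by constructed fakes so the example runs offline."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

REFRESH_SKEW_SECONDS = 60  # refresh shortly before expiry to absorb clock drift


@dataclass
class UserTokens:
    refresh_token: str                  # long-lived; persisted, never sent to the API
    access_token: Optional[str] = None  # short-lived; sent as the Bearer token
    expires_at: float = 0.0             # epoch seconds


class TokenStore:
    """Keyed by the application's own user id, so an app user can only be
    handed the grant that user authorised (hypothetical in-memory store)."""
    def __init__(self) -> None:
        self._by_user: Dict[str, UserTokens] = {}

    def save_grant(self, user_id: str, refresh_token: str) -> None:
        self._by_user[user_id] = UserTokens(refresh_token=refresh_token)

    def get(self, user_id: str) -> Optional[UserTokens]:
        return self._by_user.get(user_id)


class AuthClient:
    def __init__(self, client_id: str, client_secret: str, store: TokenStore,
                 token_endpoint: Callable[[dict], dict], now: Callable[[], float]) -> None:
        self.client_id, self.client_secret = client_id, client_secret
        self.store, self.token_endpoint, self.now = store, token_endpoint, now

    def access_token_for(self, user_id: str) -> str:
        tok = self.store.get(user_id)
        if tok is None:
            raise KeyError(f"no OAuth grant stored for app user {user_id!r}")
        if tok.access_token is None or tok.expires_at - self.now() < REFRESH_SKEW_SECONDS:
            # refresh_token grant: exchange the stored refresh token for a new access token
            resp = self.token_endpoint({"grant_type": "refresh_token",
                                        "refresh_token": tok.refresh_token,
                                        "client_id": self.client_id,
                                        "client_secret": self.client_secret})
            tok.access_token = resp["access_token"]
            tok.expires_at = self.now() + float(resp["expires_in"])
        return tok.access_token


def list_accounts(auth: AuthClient, user_id: str,
                  transport: Callable[[str, str, dict], dict]) -> dict:
    """accounts.list issued with the token that belongs to user_id only."""
    headers = {"Authorization": "Bearer " + auth.access_token_for(user_id)}
    return transport("GET", "https://mybusiness.googleapis.com/v4/accounts", headers)


class FakeGoogle:
    """Constructed stand-in for the token endpoint and accounts.list: each
    refresh token belongs to one Google Account, and a bearer token only
    returns the accounts of the Google Account it was minted for."""
    def __init__(self) -> None:
        self.owner_of_refresh = {"rt-A": "A", "rt-B": "B"}
        self.accounts = {"A": [{"name": "accounts/111", "accountName": "A Business"}],
                         "B": [{"name": "accounts/222", "accountName": "B Personal"}]}
        self.issued: Dict[str, str] = {}  # access token -> owning Google Account
        self.refresh_calls = 0

    def token_endpoint(self, form: dict) -> dict:
        assert form["grant_type"] == "refresh_token"
        owner = self.owner_of_refresh[form["refresh_token"]]
        self.refresh_calls += 1
        access_token = f"at-{owner}-{self.refresh_calls}"
        self.issued[access_token] = owner
        return {"access_token": access_token, "expires_in": 3600}

    def transport(self, method: str, url: str, headers: dict) -> dict:
        owner = self.issued.get(headers.get("Authorization", "")[len("Bearer "):])
        if owner is None:
            return {"error": {"code": 401, "status": "UNAUTHENTICATED"}}
        return {"accounts": self.accounts[owner]}


def demo() -> tuple:
    google = FakeGoogle()
    clock = [1_000_000.0]  # controllable clock so expiry can be simulated
    store = TokenStore()
    auth = AuthClient("client-id", "client-secret", store,
                      google.token_endpoint, now=lambda: clock[0])
    # Each app user completed the consent flow once; only the refresh token persists.
    store.save_grant("app-user-1", "rt-A")
    store.save_grant("app-user-2", "rt-B")
    first_a = list_accounts(auth, "app-user-1", google.transport)
    first_b = list_accounts(auth, "app-user-2", google.transport)
    clock[0] += 3600  # user 1's access token has now expired
    second_a = list_accounts(auth, "app-user-1", google.transport)
    return first_a, first_b, second_a, google.refresh_calls
```

The store is keyed by the application's own authenticated user id, taken from the server-side session rather than from anything the client sends, so the only way one app user's request can go out with another user's token is a lookup under the wrong key. Refresh tokens grant standing access to the account, so in a real deployment they should be encrypted at rest and the `refresh_token` field must never be logged or sent anywhere except the token endpoint.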

Designing application for multiple users

# 6
Visitor ✭ ✭ ✭

Thank you Shalini!