{"id":13446,"date":"2016-03-04T17:20:13","date_gmt":"2016-03-04T13:20:13","guid":{"rendered":"http:\/\/www.msp360.com\/blog\/?p=13446"},"modified":"2022-06-20T17:38:58","modified_gmt":"2022-06-20T13:38:58","slug":"explaining-google-cloud-storage-authentication","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/explaining-google-cloud-storage-authentication\/","title":{"rendered":"Explaining Google Cloud Storage Authentication"},"content":{"rendered":"<p>Today we are going to talk about authentication and authorization with the OAuth 2.0 protocol, which is used by Google and many other services. With it, services and applications like MSP360 Explorer can access third-party systems without the user having to disclose their login and password.<br \/>\nThe information in this post applies to most modern web services, but we will focus on the specifics of Google Cloud Storage authentication.<br \/>\n<!--more--><\/p>\n<h2>Google Cloud Storage Authentication<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-13457 aligncenter\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Cloud-Storage-logo-authentication.png\" alt=\"Google Cloud Storage logo authentication\" width=\"729\" height=\"365\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Cloud-Storage-logo-authentication.png 729w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Cloud-Storage-logo-authentication-300x150.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Cloud-Storage-logo-authentication-624x312.png 624w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/p>\n<p>To access files in Google Cloud Storage, a user must prove their identity (authenticate) and their access rights (authorize). 
Several mechanisms are implemented for this purpose:<\/p>\n<ul>\n<li>OAuth 2.0\u00a0\u2014 the most advanced option; we will look at it in detail below.<\/li>\n<li>gsutil\u00a0\u2014 authentication by means of the command-line utility of the same name. It follows a flow similar to OAuth (the password is entered on a separate external site, an authorization code is issued and then exchanged for an access token), but every step is performed manually.<\/li>\n<li>Client Library\u00a0\u2014 a method used to test the product or to work with general information that does not depend on a particular user. You simply use Google Application Default Credentials, much like the Network Service account in a Windows environment.<\/li>\n<li>Cookie-Based\u00a0\u2014 a good option for giving selected users browser-based access to files. All links are publicly available, but you specify the e-mail addresses that have read and write rights; when such a user tries to access something, they are asked to sign in on a Google page.<\/li>\n<\/ul>\n<p>Most of these mechanisms have drawbacks that limit where they can be used or make them complicated to implement. That\u2019s why it is recommended to use OAuth 2.0 whenever possible.<\/p>\n<h2>What is Google OAuth 2.0<\/h2>\n<p>Generally, OAuth was developed for people who are tired of registering on innumerable websites and forums but are not ready to trade security for convenience. 
This standard lets a service or application verify your identity and check your credentials without ever receiving your password.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-13451 aligncenter\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Account-Sign-In-Screen-Authentication.png\" alt=\"Google Account Sign-In Screen Authentication\" width=\"635\" height=\"417\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Account-Sign-In-Screen-Authentication.png 635w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Account-Sign-In-Screen-Authentication-300x197.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Google-Account-Sign-In-Screen-Authentication-624x410.png 624w\" sizes=\"auto, (max-width: 635px) 100vw, 635px\" \/><\/p>\n<p>This means any website can authenticate you after you enter your password on a dedicated, protected Google page. In the same way, you can grant an application access to your own data in the cloud. To access resources, the authorized application uses an access token that is sent in an HTTPS request over an SSL-encrypted channel.<\/p>\n<h2>OAuth &amp; Google Storage<\/h2>\n<p>Let\u2019s look at how OAuth works, using Google Cloud Storage as the example.<\/p>\n<p>OAuth supports several authorization scenarios: for web servers, for applications, and for devices without a physical keyboard. All of them share the following flow:<\/p>\n<ol>\n<li>An application that supports OAuth (for example, MSP360 Explorer) presents the Google authentication server with the credentials that entitle it to work with Google. Usually this is a public key, generally embedded in the source code.<\/li>\n<li>The application receives an authorization code. 
This code is tied to the user account and is issued by Google when the user confirms their intent on a dedicated webpage. You have surely seen a popup window on your smartphone asking you to authorize an application with Google \u2013 that\u2019s this step.<\/li>\n<li>The application then sends the authorization code to the Google Storage API and exchanges it for a personal access token that grants rights to specific Google objects.<\/li>\n<\/ol>\n<p>The list of requested access rights is passed in the Scope parameter at the second step. The picture below, taken from Google, depicts the whole process.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-13449 aligncenter\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/List-of-requested-access-rights-Google-Cloud-Storage.png\" alt=\"List-of-requested-access-rights-Google-Cloud-Storage\" width=\"364\" height=\"377\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/List-of-requested-access-rights-Google-Cloud-Storage.png 364w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/List-of-requested-access-rights-Google-Cloud-Storage-290x300.png 290w\" sizes=\"auto, (max-width: 364px) 100vw, 364px\" \/><\/p>\n<p>There are also subtleties around access token expiration, but they are handled transparently for users and are beyond the scope of this article.<\/p>\n<h2>The Role of the Service Account<\/h2>\n<p>Google cloud systems can authenticate both users and applications. The second option applies when a service must run independently of any user\u2019s password or activity. If you have ever set up separate accounts for applications on a Windows server, it is much the same idea.<\/p>\n<p>To delegate cloud access to an application, you create an account in the Google Developers Console. Like a user, the service account receives an e-mail address with a rather long prefix and a key pair: a public key and a private key. 
These are the data you must provide to the application so that it can operate under the Google account.<\/p>\n<p>As the picture below shows, service account mode simply replaces the user\u2019s authorization code with <b>JSON Web Tokens<\/b> (JWT). The difference is that you have to create the service account and generate the JWT yourself.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-13452 aligncenter\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Service-account-mode-JSON-web-tokens-scheme.png\" alt=\"Service-account-mode-JSON-web-tokens-scheme\" width=\"325\" height=\"302\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Service-account-mode-JSON-web-tokens-scheme.png 325w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/Service-account-mode-JSON-web-tokens-scheme-300x279.png 300w\" sizes=\"auto, (max-width: 325px) 100vw, 325px\" \/><\/p>\n<p><b>Note:<\/b> There is one peculiarity of Service Accounts that Google Apps admins should keep in mind \u2013 domain administrative policies are not applied to these accounts. In other words, if you prohibit sharing files with the outside world through a domain policy, that prohibition will not apply to Service Accounts.<\/p>\n<h2>Conclusion<\/h2>\n<p>With the emergence of <b>OAuth 2.0<\/b>, integrating Internet services became much easier, as the same account can be used to access various resources without sacrificing security. The standard is still evolving, so the settings of services that use OAuth may need to be readjusted in the future. Still, it is a good compromise between versatility, convenience, and security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today we are going to talk about authentication and authorization with OAuth 2.0 protocol that is used by Google and many other services. 
By means of it, services and applications like MSP360 Explorer can get access to third-party systems with no need to disclose user logins and passwords. The information described in this post will [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":35016,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885],"tags":[],"class_list":["post-13446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-other"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/13446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=13446"}],"version-history":[{"count":2,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/13446\/revisions"}],"predecessor-version":[{"id":54258,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/13446\/revisions\/54258"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/35016"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=13446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=13446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=13446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}