Is it possible to 'get through' a 3rd party google login without using OAuth?

Time:10-06

Sorry for the poorly worded title.

I am working on a terminal client for a CMS app that my school uses -- for logging into the app, they use the school's Google account (i.e. the Google window for login pops up and you have to log in using your school's Google account).

So my question is, would I have to use OAuth for this simple login? As far as I know, OAuth is the only way to get access to a user's Google Apps data and work with that, but in this case, I do not have to do that and simply want to bypass a single login.

I will be coding the app up in Python, and I found the following library to be fairly directly relevant to this work, but this again follows the standard cycle of getting auth --> getting access to Google Apps --> using respective API for working with relevant data -- I wanted to know if there would be a way to avoid the same if I had the user's ID and password, and simply wanted to use the Google account login as a means to get access to some other webpage (the CMS in this case).

Thank you!

CodePudding user response:

What you need to understand first is the difference between authentication and authorization.

Login and password are authentication: you are verifying that the person behind the computer is in fact the owner of the account; they know the login and password.

OAuth2 is something different; this is authorization. The user, who has authenticated, is authorizing your application to access their data. This is the consent screen you often see, where the user must consent to the application accessing their data.

The next thing you need to understand is the difference between private and public data. Public data is just that: it's public, it's not owned by anyone. Google Calendar has some public calendars that store holiday data for each country. YouTube videos that have been uploaded publicly also allow you to select them without being authenticated or authorized to access them.

Private data, on the other hand, is data that is owned by someone. To access my profile data you need my permission or my consent to access it. To access the files on my Google Drive account you again need my consent to access it.

Answer

So the simple answer is no: if it's private user data and the user is running your application, then they need to authenticate (login) and authorize (consent) to your application accessing their data.

There is, however, a gray area called service accounts, which is why I asked which API you are trying to access (in a comment) and what you are trying to access.

Now, you mentioned that this is your school's account; this implies to me that you may have a Google Workspace account. If you do, then the admin of the Workspace account could pre-authorize a service account to access data on behalf of all of the users on the Workspace domain (not a normal Gmail account). You could do things like control everyone's Gmail signatures on the domain.

The reason this is possible is that the domain admin can delegate permissions or grant the permissions through Google Workspace. If it's a normal user Gmail account, then each user would still need to grant the service account access to their data. (Service accounts are not available for normal Gmail accounts; actually, this may be a bad example.)

You mentioned, though, that you are after profile data. If you don't have a Workspace account, then unfortunately you are going to have to have the users run your application and consent to your accessing their data. They only need it once, because you could store the refresh token, which will give you access to their data when they are offline.

So if they are logging into their Google account through your CMS, if you ask for consent when they log in, then you could store the refresh token as part of the user's login and then access their Google profile info whenever you need.
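
Added example, not part of the answer above and not code from any Google library: the login-and-consent flow the answer describes, sketched for a terminal client using only the Python standard library, so the client never handles the user's password. The client ID, loopback redirect URI, file name and sample values are assumptions for illustration; the token request that exchanges the code and PKCE verifier for tokens is left out.

```python
import base64, hashlib, json, os, secrets, tempfile
from urllib.parse import parse_qs, urlencode, urlparse
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

def pkce_pair():
    """Return (verifier, S256 challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_consent_url(client_id, redirect_uri, challenge, state):
    """URL the user opens in a browser to log in and consent."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "access_type": "offline",  # ask for a refresh token
        "prompt": "consent",       # show the consent screen
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    })

def code_from_redirect(redirect_url, expected_state):
    """Extract the authorization code; reject a redirect with the wrong state."""
    query = parse_qs(urlparse(redirect_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: redirect does not belong to this login")
    if "code" not in query:
        raise ValueError("no code in redirect: " + query.get("error", ["unknown"])[0])
    return query["code"][0]

def save_refresh_token(token_response, path):
    """Keep only the refresh token, in a file readable by its owner only."""
    if not token_response.get("refresh_token"):
        raise ValueError("no refresh_token; was access_type=offline requested?")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": token_response["refresh_token"]}, fh)

def demo():
    # All values are constructed samples; real code uses a random state per login.
    verifier, challenge = pkce_pair()
    url = build_consent_url("CLIENT_ID_PLACEHOLDER", "http://127.0.0.1:8080/", challenge, "st4te")
    code = code_from_redirect("http://127.0.0.1:8080/?state=st4te&code=sample-code", "st4te")
    path = os.path.join(tempfile.mkdtemp(), "token.json")
    save_refresh_token({"access_token": "sample", "refresh_token": "sample-refresh"}, path)
    return url, verifier, code, path
```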
