Google authentication types for R

Mark Edmondson

2019-09-08

Quick user based authentication

Once setup, then you should go through the Google login flow in your browser when you run this command:

library(googleAuthR)
# starts auth process with defaults
gar_auth()
#>The googleAuthR package is requesting access to your Google account. Select a 
#> pre-authorised account or enter '0' to obtain a new token. Press Esc/Ctrl + C to abort.

#> 1: mark@work.com
#> 2: home@home.com

The authentication cache token is kept at a global level as per the gargle library documentation - see there for more details.

You can also specify your email to avoid the interactive menu:

gar_auth(email = "your@email.com")

These functions are usually wrapped in package specific functions when used in other packages, such as googleAnalyticsR::ga_auth()

Client options

Most libraries will set the appropriate options for you, otherwise you will need to supply them from the Google Cloud console, in its APIs & services > Credentials section ( https://console.cloud.google.com/apis/credentials ).

You will need as a minimum:

If creating your own library you can choose to supply some or all of the above to the end-user, as an end-user you may need to set some of the above (most usually your own user authentication).

Multiple authentication tokens

googleAuthR > 1.0.0

Authentication cache tokens are kept at a global level on your computer. When you authenticate the first time with a new client.id, scope or email then you will go through the authentication process in the browser, however the next time it wil be cached and be a lot quicker.

Legacy flows

Applicable before googleAuthR < 1.0.0

If you supply a filename to googleAuthR::gar_auth(token = "filename") then it will save the token there. If it doesn’t exist, it will make a new one, if it does exist it will attempt to read the token from that file. Relative and absolute filenames work.

You can use different token names to save different authentication settings such as with different scopes and client Ids.

An example switching between googleAnalyticsR and searchConsoleR authentication, assuming you have previously authenticated with two tokens, one name ga.httr-oauth and one named sc.httr-oauth

Alternatively, you can authenticate with both API services in the same token by specifying the scopes for the request - this determines what permission screen you get the first time you go through the OAuth2 flow.

You can access the scopes you required via the googleAuthR RStudio plugin.

Setting the client via Google Cloud client JSON

To avoid keeping track of which client_id/secret to use, Google offers a client ID JSON file you can download from the Google Cloud console here - https://console.cloud.google.com/apis/credentials. Make sure the client ID type is Other for desktop applications.

You can use this to set the client details before your first authentication. The above example would then be:

library(googleAuthR)
library(googleAnalyticsR)
library(searchConsoleR)

# set the scopes required
scopes = c("https://www.googleapis.com/auth/analytics", 
          "https://www.googleapis.com/auth/webmasters")
                                        
# set the client
gar_set_client("client-id.json", scopes = scopes)

# authenticate and go through the OAuth2 flow first time
gar_auth()
                                        
# can run Google Analytics API calls:
ga_account_list()

# and run Search Console API calls:
list_websites()

You can also place the file location of your client ID JSON in the GAR_CLIENT_JSON environment argument, where it will look for it by default:

# .Renviron
GAR_CLIENT_JSON="~/path/to/clientjson.json"

Then you just need to supply the scopes:

gar_set_client(scopes = "https://www.googleapis.com/auth/webmasters")

Authentication with no browser

Refer to this gargle article on how to authenticate in a non-interactive manner

Authentication with a JSON file via Service Accounts

You can also authenticate single users via a server side JSON file rather than going through the online OAuth2 flow. The end user could supply this JSON file, or you can upload your own JSON file to your applications. This is generally more secure if you know its only one user on the service, such as for Cloud services.

This involves downloading a secret JSON key with the authentication details. More details are available from Google here: Using OAuth2.0 for Server to Server Applications[https://developers.google.com/identity/protocols/OAuth2ServiceAccount]

To use, go to your Project in the Google Developement Console and select JSON Key type. Save the JSON file to your computer and supply the file location to the function gar_auth_service()

Navigate to the JSON file from the Google Developer Console via: Credentials > New credentials > Service account Key > Select service account > Key type = JSON

If you are using the JSON file, you must ensure:

An example using a service account JSON file for authentication is shown below:

library(googleAuthR)
options(googleAuthR.scopes.selected = "https://www.googleapis.com/auth/urlshortner")
service_token <- gar_auth_service(json_file="~/location/of/the/json/secret.json")
analytics_url <- function(shortUrl, 
                          timespan = c("allTime", "month", "week","day","twoHours")){
  
  timespan <- match.arg(timespan)
  
  f <- gar_api_generator("https://www.googleapis.com/urlshortener/v1/url",
                         "GET",
                         pars_args = list(shortUrl = "shortUrl",
                                          projection = "FULL"),
                         data_parse_function = function(x) { 
                           a <- x$analytics 
                           return(a[timespan][[1]])
                         })
  
  f(pars_arguments = list(shortUrl = shortUrl))
}
analytics_url("https://goo.gl/2FcFVQbk")

Another example is from the searchConsoleR library - in this case we avoid using scr_auth() to authenticate via the JSON, which has had the service email added to the Search Console web property as a user.

library(googleAuthR)
library(searchConsoleR)
options(googleAuthR.scopes.selected = "https://www.googleapis.com/auth/webmasters") 

gar_auth_service("auth.json")

list_websites()

Authentication within Shiny

If you want to create a Shiny app just using your data, refer to the non-interactive authentication article on gargle

If you want to make a multi-user Shiny app, where users login to their own Google account and the app works with their data, googleAuthR provides the below functions to help make the Google login process as easy as possible.

Types of Shiny Authentication

There are now these types of logins available, which suit different needs:

Shiny Modules

googleAuthR uses Shiny Modules. This means less code and the ability to have multiple login buttons on the same app.

To use modules, you need to use the functions ending with _UI in your ui.R, then call the id you set there server side with the callModule(moduleName, "id") syntax. See the examples below.

Shiny Authentication Examples

Remember that client IDs and secrets will need to be created for the examples below. You need to pick a clientID for web applications, not “Other” as is used for offline googleAuthR functions.

URL redirects

In some platforms the URL you are authenticating from will not match the Docker container the script is running in (e.g. shinyapps.io or a kubernetes cluster) - in that case you can manually set it via options(googleAuthR.redirect = http://your-shiny-url.com). In other circumstances the Shiny app should be able to detect this itself.

gar_shiny_* functions example

This uses the most modern gar_shiny_* family of functions to create authentication. The app lists the files you have stored in Google Drive.

googleAuth module example

This is the example deployed to shinyapps.io here

The Google Cloud project needs to be setup to accept the URL and port of your app (see setup pages). You can fix the port via options(shiny.port=1221), and then make sure if you launch your app locally to change the ip address from 127.0.0.1 to localhost in your browser (Google doesn’t accept ip addresses).

By default the logout button causes a disconnect form the server, but you can use shinyjs to improve the user experience via this bit of code:

See this post on creating a Shiny App with a Google login for details.

googleAuth_js module example

The Google Cloud project needs to be setup to accept JavaScript origin of the URL and port of your app ((see setup pages))note this is different from server-side configurations above). Make sure if you launch your app locally to change the ip address from 127.0.0.1 to localhost in your browser (Google doesn’t accept ip addresses).

googleSignIn module example

This module is suitable if you don’t need to authenticate APIs in your app, you just would like a login. You can then reach the user email, id, name or avatar to decide which content you want to show with durther logic within your Shiny app.

You only need to set the client.id for this login, as no secrets are being created.

Authentication via RStudio Addin

An RStudio Addin is available via the RStudio Addin menu once you load the package.

It lets you set the scopes and then saves you some typing by calling the Google authentication flow for you.

Authentication in RMarkdown via JavaScript

There are two functions that can be called from within RMarkdown for authentication. They use JavaScript, rather than R/Shiny to authenticate, as an RMarkdown document can not read the URL tokens.

A demo and example are available here: https://mark.shinyapps.io/googleAuthRMarkdown/

RMarkdown authentication - Setup

The RMarkdown document YAML needs runtime shiny and to be a HTML document:

output: html_document
runtime: shiny

Locally, you have to run the RMarkdown document on the specified port configured in Google console (1221 for the default shared project of googleAuthR), configured via options(shiny.port = 1221)

This means you shouldn’t launch the RMarkdown via the Run button in RStudio as that starts a new R session without your set options.

Instead set the options and run via rmarkdown::run("myfile.Rmd")

When publishing, you also need to add the domain to the Javascript origins in the Google API console. Use 127.0.0.1:XXX where XXX is your chosen Shiny port for local testing.

Example of RMarkdown authentication

Below creates a button that when clicked makes a popup for Google authentication:

The authentication token is available via the server side module command:

auth <- callModule(googleAuth_js, "auth_demo")

Pass the auth token to API functions. Below example using googleID to return G+ user info.

# devtools::install_github("MarkEdmondson1234/googleID")
library(googleID)

user_info <- reactive({
  
  req(auth())
  
  with_shiny(get_user_info,
             shiny_access_token = auth())
  
})

You can now output the user data taken from the G+ API:

## creates an output
renderUI({
  
  req(user_info())
  
  h1("Hello ", user_info()$displayName)
  
})

Auto-authentication

Auto-authentication can be performed upon a package load.

This requires the setup of environment variables either in your .Renviron file or via Sys.setenv() to point to a previously created authentication file. This file can be either a .httr-oauth file created via gar_auth() or a Google service account JSON downloaded from the Google API console.

This file will then be used for authentication via gar_auth_auto. You can call this function yourself in scripts or R sessions, but its main intention is to be called in the .onAttach function via gar_attach_auth_auto, so that you will authenticate right after you load the library via library(yourlibrary)

An example from googleCloudStorageR is shown below:

.onAttach <- function(libname, pkgname){

  googleAuthR::gar_attach_auto_auth("https://www.googleapis.com/auth/devstorage.full_control",
                                    environment_var = "GCS_AUTH_FILE")
}

..which calls an environment variable set in ~/.Renvion:

GCS_AUTH_FILE="/Users/mark/auth/my_auth_file.json"

Revoking Authentication

For local use, call gar_deauth() to unauthentiucate a session. To avoid cache tokens being reused delete them from the gargle cache folder, usually ~/.R/gargle/gargle-oauth/

For service level accounts delete the JSON file.

For a Shiny app, a cookie is left by Google that will mean a faster login next time a user uses the app with no Authorization screen that they get the first time through. To force this every time, activate the parameter revoke=TRUE within the googleAuth function.