Understanding Google API

UnderstandingGoogle APIsBuilding application that uses Google APIs

Fethi DILMI

Active Member at Scientific Club of ESI – CSE

Technical Manager at GDG Algiers

Microsoft Student Partner

What's Google APIs?

What's Google APIsWhat's Google APIs

● Google offers a variety of APIs, mostly web APIs for web developers and mobile developers.

● The APIs are based on popular Google consumer products, including Google Maps, Google Earth, AdSense, Adwords, Google Apps and YouTube.

Example:● YOU use Google+ from your web browser.● Your Android application uses Google+ through

Google+ API.● i.e: Google APIs are the tools we need to build

applications that can use Google Products.

What's Google APIsWhat's Google APIs

How Google APIs work behind the scenes?

How Google APIs work behind the scenes ?How Google APIs work behind the scenes ?

● Most of Google APIs are web-based APIs.● This kind of APIs are called RESTFUL APIs (because they

are based on REST architecture).● REST is a style of software architecture that is based on

HTTP protocol to retrieve data.


● Most of Google APIs are web-based APIs.● This kind of APIs are called RESTFUL APIs (because they

are based on REST architecture).● REST is a style of software architecture that is based on

HTTP protocol to retrieve data.

Simply, in order to use Google APIs , you only need to make HTTP requests to get

data ☺


Example: “Google Places API”

https://maps.googleapis.com/maps/api/place/nearbysearch/xml?

location=36.825,2.3257&radius=50000&sensor=false&key=AddYourOwnKey

Here

Global Structure of an API HTTPrequest:

Global Structure of an API HTTP requestGlobal Structure of an API HTTP request

Each HTTP request is composed of 4 parts:– API Scope– Action– Output format– Parameters

To understand these parts, we'll take the previous example:

https://maps.googleapis.com/maps/api/place/nearbysearch/xml?

location=36.825,2.3257&radius=50000&sensor=false&key=AddYourOwnKeyHere


1- API Scope:● A scope is the main part of the HTTP request.● In our case it's: https://maps.googleapis.com/maps/api/place

● A scope defines the web address of the API.● For example, the scope of Google Latitude API is:

https://www.googleapis.com/latitude/

NB: Some API Scopes defines an API version, just like the Latitude API

https://maps.googleapis.com/maps/api/place


2- Output formats:● There are 2 possible output formats for an API request.

– JSON – XML

● In the previous example, we could get the same results in JSON format:

https://maps.googleapis.com/maps/api/place/nearbysearch/jsonjson ?

location=36.825,2.3257&radius=50000&sensor=false&key=AddYourOwnKeyHere


3- ACTION:● Each Google web API gives you a set of possibilities

called ACTIONS.● In our example, we specified for the Google Places API

the action “nearbysearch” to search places in a radius of 50Km.

● We could also search a place's detail.


4- Parameters:● Each action has a set of parameters.● Action Parameters let you customize the results you

want to get.● In our example, we could add the parameter

“type=food” to search only for restaurants.

Types of Google web APIs

Types of Google web APIsTypes of Google web APIs

● There are 2 kinds of Google web APIs:– Public APIs.– Private APIs.


1- Public APIs● Interact with public content: Google Maps API, Google

Places API ..● Need an authentication key to be able to retrieve data.


2- Private APIs● Interact with user private date: Google+ API, Google

Latitude API, Google Drive SDK ..● Need an authorization process before accessing to user

data.

Public APIs and Authentication:What's THAT !!

AuthenticationAuthentication

● Public APIs use authentication key to identify your application.● This means, in our previous example we would not be able to

make a search using Google Places API without specifying an authentication key.

● Each device type has a different kind of key:– Android application authentication key.– Web application authentication key.– Web Service authentication key – ..


But Why ?


● Identify from which device your application is making API request: i.e: You can't make an API request from a web browser using an Android application authentication key.

● Limit the quota of requests per day: Each API has a limited number of requests per day. Since your application makes request using an authentication key, Google Servers will be able to stop your application when it exceeds its daily quota.

● Limit the number of requests per second for a single user: Your application may be used by millions of people at the same time, and since we're talking about a daily quota, we have to limit the number of requests/second for a single user.









Private APIs and Authorization:What's THAT !!

Authorization:Authorization:

● Private APIs try to fetch user data.● This cannot be done without the permission of the user.● So we need a tool to demand permissions from the user

in order to perform action on his/her private data.

Authorization:Authorization:

● Private APIs try to fetch user data.● This cannot be done without the permission of the user.● So we need a tool to demand permissions from the user

in order to perform action on his/her private data.

THIS TOOL IS CALLED “OAuth2.0”

It is trying to solve a tricky problem.

What is OAuth2.0 ?What is OAuth2.0 ?

If you, the developer, are building an application.


And your users


have data in another service that your application needs to function


such as their tasks list, or their photos


HOW DO YOU GO ABOUT GETTING IT?

???


You could ask the user for their name and password.

NO !!NO !!

But then the user has given your application access to all their data on that service. That's not safe. Don't do that.

NO !!NO !!

The user's name and password are like keys to their digital kingdom, you should never ask for them.

NO !!NO !!

What we really want is a special key, one that only allows access to a limited set of data in the API.

Better ☺Better ☺

A special key that the User can let the App acquire and use without the use of their name and password.

Better ☺Better ☺

But for that to work, everyone has to confirm that everyone else is who they say they are.

That's OAuth2.0 ☺That's OAuth2.0 ☺

That looks simple after all this


But actually, it's a little more complicated than even that, because that special key (Code)


can change over time to keep things secure.


How to create Authentication andAuthorization keys ?

How to create Authentication and Authorization keys ?


● To get authentication/authorization keys, you have to register your application.

● Registering your application is signing its name, type, package, and extra info.



● To get authentication/authorization keys, you have to register your application.

● Registering your application is signing its name, type, package, and extra info.

Please focus on the following steps ☺



● Connect to your Google account.● Go to: https://code.google.com/apis/console/ ● Click on “Create Project”

https://code.google.com/apis/console/

● Now there is a list of all Google APIs, choose for example the "Google Places API", and check it up:

● Register your organization like shown in the image and click submit:



● Agree & Accept



● You can now notice that the Google Places API is activated:

● Click on "Overview", then click on "Register" in order to register your project:





● Type a unique project ID



● You've created automatically an authentication key for browser applications



● You can click on:– Create New Server Key: To create an authentication key for

a server application– Create New Server Key: To create an authentication key for

an Android application.● You can create many authentication keys for the same

application type (example: 3 authentication keys for Android Applications)



● And Now ..

How To Create Authorization Keys ?



● Click on “Create an OAuth 2.0 Client ID”. This dialog will show up:



● Click on “Create an OAuth 2.0 Client ID”. This dialog will show up:



Now please focus with me, it's so important ! In the following dialog, you'll be asked to specify your

application type !!



1- Web Applications: ● If you choose this type of application, you'll be asked to

specify your application URL. Than Google will generate a redirect URI according to what you've entered.



2- Server Applications: ● Applications of this type run on server. ● They're a little bit different, so I invite you to read this

article to understand more: https://developers.google.com/accounts/docs/OAuth2#serviceaccount

https://developers.google.com/accounts/docs/OAuth2#serviceaccount

https://developers.google.com/accounts/docs/OAuth2#serviceaccount



3- Installed Applications:● This could be:

– Android application: You'll have to specify you're application package (it must be unique)

– iOS application.– Chrome extension. – A Desktop application .– etc...



● I'll take the example of a Desktop Application



● When you click “Create Client ID”, this dialog will show up:



● You can create many authorization keys for many projects.

● We'll see how to use the “Client ID” and the “Client Secret” to make authorized API calls.

Some demonstration:Step By Step ☺

Google APIs Client LibrariesGoogle APIs Client Libraries

● It's not easy to construct manually authorized HTTP requests.

● It's much harder to parse the XML/JSON results in order to extract information.

Google APIs Client LibrariesGoogle APIs Client Libraries

● Google created some libraries to do those tasks for you: It's Google API Client Libraries.

● Google API Client Libraries are available in many languages (e.g: PHP, Python, C# and .NET, Java ..)

● In this Demo, we'll be using the Google API Client for Python.

Now that we know what OAuth 2.0 looks like. How does it work in the Google API Client for Python?

Let's Start !!Let's Start !!

The key is held in a Credentials object.

CredentialsCredentials

All the steps needed to go through getting Credentials is in a Flow object.

FlowFlow

Storage

And finally, because keys can change over time there is a Storage object for storing and retrieving keys.

StorageStorage

Flow Credentials Storage

You set up and run a Flow, which in the end produces Credentials, which you store in a Storage.

The ModelThe Model

Later, when you need the key, you take it out of Storage and use it.

From PythonFrom Python

So let's look at actual code.

Step By StepStep By Step

First, create a Flow.

FLOW = OAuth2WebServerFlow( client_id='<CLIENT ID HERE>', client_secret='<CLIENT SECRET HERE>', redirect_uri='https://.../oauth2callback', scope='https://.../tasks', user_agent='my-sample/1.0')


Fill your Client ID, Client Secret and redirect URI

FLOW = OAuth2WebServerFlow( client_id='<CLIENT ID HERE>', client_secret='<CLIENT SECRET HERE>', redirect_uri='https://.../oauth2callback', scope='https://.../tasks', user_agent='my-sample/1.0')


We request and authorization URL

authorize_url = FLOW.step1_get_authorize_url()self.redirect(authorize_url)


We get redirected to the generate URL

authorize_url = FLOW.step1_get_authorize_url()self.redirect(authorize_url)


We get Credentials when the Flow finishes, which we save in a Storage.

credentials = flow.step2_exchange(self.request.params)storage = StorageByKeyName( Credentials, user.user_id(), 'credentials' )storage.put(credentials)


To use Credentials we retrieve them from the Storage and apply them to an httplib2.Http() object.

user = users.get_current_user()storage = StorageByKeyName( Credentials, user.user_id(), 'credentials' )credentials = storage.get()

http = httplib2.Http()http = credentials.authorize(http)


user = users.get_current_user()storage = StorageByKeyName( Credentials, user.user_id(), 'credentials' )credentials = storage.get()

http = httplib2.Http()http = credentials.authorize(http)

Now any HTTP requests made with http will be authorized with those Credentials.


Thanks everyone ☺

ReferencesReferences

● “OAuth 2.0 and the Google API Client for Python”.● “Understanding Google APIs” :

http://fethidilmi.blogspot.com ● Google Developers portal:

http://developers.google.com

http://fethidilmi.blogspot.com/

http://developers.google.com/

Technology

Understanding Google API