Search code examples
google-apigoogle-oauthgoogle-search-console

If a user grants access via a website, how to use that access on a different server?

I'm trying to get some data from a user (searchconsole):

  • the user first grants permission on a website.
  • Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.

What is the easiest/safest way to achieve that?

  • Should I use the same token for both servers?
  • or is there a solution using the service account impersonation? (I'm stuck on that one)
  • use the permission on the web server to add the service account as a searchconsole user?

I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers. I also read the doc and all examples I could find, but didn't find my case even though it seems basic.

Solution

  • Should I use the same token for both servers?

    Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.

    or is there a solution using the service account impersonation? (I'm stuck on that one)

    Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.

    In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts

    use the permission on the web server to add the service account as a searchconsole user?

    I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.

    enter image description here

    For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.