Access google calendars of multiple google accounts (with user permission)

dan

Hiya,

We have a situation where we have users. Each user has 1 or more Google accounts. We want to be able to read events from a calendar using Google APIs.

Is this something that FusionAuth can help with?

dan

Sure!

This is a case of Third-Party Service Authorization where your application is trying to access data on behalf of users held by another party (Google in this case).

This will require some integration work on your part, but the basic steps are:

• Integrate your application with FusionAuth (our quickstarts are a good place to start). Make sure you check the 'keep me signed in' value set, using a hidden field.
• Set up an Identity Provider. You don't want to use the Google Identity Provider because it doesn't support the prompt URL parameter.
  • Use the OIDC Identity Provider with the prompt parameter set to select_account to let the users pick different accounts, and make sure you set access_type to offline to get a refresh token. More here.
  • Set the Linking strategy to Pending.
  • You'll also need to set up your Google scopes correctly. Based on your question, you'll want to use https://www.googleapis.com/auth/calendar.events.readonly as an additional scope.
  • You'll want to follow the Google Identity Provider instructions insofar as they pertain to navigating the Google Cloud Console.
• Create an 'connect your account with google' button in your application. This should point to the OIDC Identity Provider. You can use an idp_hint to send the user directly to Google when they click it.
• After they return from google, having selected their account, they should be logged in to your application. (It's possible with Pending they'll be prompted to login to your application again, but I don't think so. Would have to test.) They'll also have a link that is accessible via the Link API. That link will contain the refresh token in the token field.
  • You can also iterate all the links in your application using one of our client libraries to display to the user which google accounts they have connected.

Now you have connected 1 or more Google accounts to a FusionAuth account.

Next, when you want to retrieve calendar events for your application to process, take these steps:

• Call the Links API for the user to retrieve all the links
• Retrieve the Google refresh token from the token field
• Get a fresh access token using the Refresh grant
• Use the access token to retrieve the event data using either the API or a Google SDK.
• ... profit!

If the refresh token has expired (you don't get back a valid access token), inform the user and have them go through the authorization process again.

Hope this helps.

alex 3

@dan Hi @dan . Thanks for your detailed guide. I have almost the same situation to solve.
But I have related question - is it possible to not select a user to create a panding link? I don't want to have 'keep me signed in' checkbox. Instead, I would like to ask my backend to bind a link to the current user using the FusionAuth API.

dan

@alex-3 I'm a bit unclear on what you are trying to do.

Can you outline the exact steps you want to take?