Configuring Google Drive
The Google Drive API is based on the security API OAuth2.
The objective of this security API is that a Third Party application never gets access to the client's credentials. Instead of that, the application is redirected to the owned page where the client's credentials are entered (a Google page in this case).
Then a token with a set active time period which allow us to access resources without knowing the credentials is returned
Google Drive Configuration
As discussed above, our application will be redirected to a Google page where the client's credentials will be introduced. As a security extension not only are user credentials needed but the redirection request must include some parameters that will authenticate the application as valid to interact with Google. These parameters are the client identificator and the client seceret. Where can you get them?
To do this task go to the page for developers at Google.
After signining with a valid account, the following page will be shown:
The next step is to create a new project:
- Click on the button "Create Project"
- Fill in some basic information such as the name of the project.
At the end of the process the name of the proyect will appear in the previous menu:
Select the project to apply changes to it.
The firs step is to configure the Google APIs that the application is allowed to interact with. To do it, in the main page, the APIs related to Google+ and Drive have to be enabled. At least the following are required:
- Google+ API
- Drive API
- Contact API
In you do not find them directly, you can use the text field at the top to search for them.
The next step is to create the OAuth credentials. Now, in the left menu, click on credentials option.
- Then click on “Create credentials” and select "OAuth client ID".
A wizard will begin with the following steps:
- Select Web application. Before this the Authorization page should be configured: this will be the page shown to the client to accept the redirection. The data shown is:
- Name of the application
- Logo of the product
- Email address
- After filling in the required data, it will redirect to the previous page, and after selecting Web application, the following fields will appear:
3. Configure Authorized redirect URLs that are the URLs from which google will accept requests. You can accept several URLs, one per line. In this space fill in the followin URL:
- http://host:port/OpenKM/frontend/googledrive/signin/google replacing "host" and "port" with the corresponding data.
- After filling this data, click on the “Create” button again and a page with the data generated will be shown, as can be seen in the image below. This data will be necessry to configure the OpenKM instance.
Notes regarding Redirect URLs
- Google expects real domain names within the redirect URI or localhost. Neither fake domains nor IPs are accepted.
- A Redirecting URL must match with the one sent by the server. This means that the hostname where OpenKM is accessed must be the same as in this URL (localhost or whatever the real domain name is), because the server builds the Redirect URI based on it.
These are all configuration steps needed from the google developer console. Now, the configuration parameter created (client id and client secret) will be added to the configuration of OpenKM's Configuration parameters.
The Google Drive client id.
The Google Drive client secret.
Finally, to allow the change to be applied, it is necessary to close the OpenKM session.
You may see this error when using this extension:
ERROR org.springframework.social.connect.web.ProviderSignInController - Exception while completing OAuth 2 connection:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://accounts.google.com/o/oauth2/token": java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty; nested exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
This is related to a problem with the key store of Java cacerts, but we are not sure if it is something related to the Java version (OpenJDK vs Oracle version).
To solve it:
- Install Java certificates from repository: sudo apt-get install ca-certificates-java
- Modify $TOMCAT_HOME/bin/setenv.sh and add this parameter: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts