% Generated by roxygen2: do not edit by hand
% Please edit documentation in R/gs4_auth.R
\name{gs4_auth}
\alias{gs4_auth}
\title{Authorize googlesheets4}
\usage{
gs4_auth(
  email = gargle::gargle_oauth_email(),
  path = NULL,
  subject = NULL,
  scopes = "spreadsheets",
  cache = gargle::gargle_oauth_cache(),
  use_oob = gargle::gargle_oob_default(),
  token = NULL
)
}
\arguments{
\item{email}{Optional. If specified, \code{email} can take several different
forms:
\itemize{
\item \code{"[email protected]"}, i.e. an actual email address. This allows the user to
target a specific Google identity. If specified, this is used for token
lookup, i.e. to determine if a suitable token is already available in the
cache. If no such token is found, \code{email} is used to pre-select the targeted
Google identity in the OAuth chooser. (Note, however, that the email
associated with a token when it's cached is always determined from the token
itself, never from this argument).
\item \code{"*@example.com"}, i.e. a domain-only glob pattern. This can be helpful if
you need code that "just works" for both \code{[email protected]} and
\code{[email protected]}.
\item \code{TRUE} means that you are approving email auto-discovery. If exactly one
matching token is found in the cache, it will be used.
\item \code{FALSE} or \code{NA} mean that you want to ignore the token cache and force a
new OAuth dance in the browser.
}
Defaults to the option named \code{"gargle_oauth_email"}, retrieved by
\code{\link[gargle:gargle_oauth_email]{gargle_oauth_email()}} (unless a wrapper package implements different
default behavior).}
\item{path}{JSON identifying the service account, in one of the forms
supported for the \code{txt} argument of \code{\link[jsonlite:fromJSON]{jsonlite::fromJSON()}} (typically, a
file path or JSON string).}
\item{subject}{An optional subject claim. Specify this if you wish to use the
service account represented by \code{path} to impersonate the \code{subject}, who is
a normal user. Before this can work, an administrator must grant the service
account domain-wide authority. Identify the user to impersonate via their
email, e.g. \code{subject = "[email protected]"}. Note that gargle automatically
adds the non-sensitive \code{"https://www.googleapis.com/auth/userinfo.email"}
scope, so this scope must be enabled for the service account, along with
any other \code{scopes} being requested.}
\item{scopes}{One or more API scopes. Each scope can be specified in full or,
for Sheets API-specific scopes, in an abbreviated form that is recognized by
\code{\link[=gs4_scopes]{gs4_scopes()}}:
\itemize{
\item "spreadsheets" = "https://www.googleapis.com/auth/spreadsheets"
(the default)
\item "spreadsheets.readonly" =
"https://www.googleapis.com/auth/spreadsheets.readonly"
\item "drive" = "https://www.googleapis.com/auth/drive"
\item "drive.readonly" = "https://www.googleapis.com/auth/drive.readonly"
\item "drive.file" = "https://www.googleapis.com/auth/drive.file"
}
See
\url{https://developers.google.com/identity/protocols/oauth2/scopes#sheets} for
details on the permissions for each scope.}
\item{cache}{Specifies the OAuth token cache. Defaults to the option named
\code{"gargle_oauth_cache"}, retrieved via \code{\link[gargle:gargle_oauth_cache]{gargle_oauth_cache()}}.}
\item{use_oob}{Whether to use out-of-band authentication (or, perhaps, a
variant implemented by gargle and known as "pseudo-OOB") when first
acquiring the token. Defaults to the value returned by
\code{\link[gargle:gargle_oob_default]{gargle_oob_default()}}. Note that (pseudo-)OOB auth only affects
the initial OAuth dance. If we retrieve (and possibly refresh) a
cached token, \code{use_oob} has no effect.
If the OAuth client is provided implicitly by a wrapper package, its type
probably defaults to the value returned by
\code{\link[gargle:gargle_oauth_client_type]{gargle_oauth_client_type()}}. You can take control of the client
type by setting \code{options(gargle_oauth_client_type = "web")} or
\code{options(gargle_oauth_client_type = "installed")}.}
\item{token}{A token with class \link[httr:Token-class]{Token2.0} or an object of
httr's class \code{request}, i.e. a token that has been prepared with
\code{\link[httr:config]{httr::config()}} and has a \link[httr:Token-class]{Token2.0} in the
\code{auth_token} component.}
}
\description{
Authorize googlesheets4 to view and manage your Google Sheets. This function is a
wrapper around \code{\link[gargle:token_fetch]{gargle::token_fetch()}}.
By default, you are directed to a web browser, asked to sign in to your
Google account, and to grant googlesheets4 permission to operate on your
behalf with Google Sheets. By default, with your permission, these user
credentials are cached in a folder below your home directory, from where
they can be automatically refreshed, as necessary. Storage at the user
level means the same token can be used across multiple projects and
tokens are less likely to be synced to the cloud by accident.
}
\details{
Most users, most of the time, do not need to call \code{gs4_auth()}
explicitly -- it is triggered by the first action that requires
authorization. Even when called, the default arguments often suffice.
However, when necessary, \code{gs4_auth()} allows the user to explicitly:
\itemize{
\item Declare which Google identity to use, via an \code{email} specification.
\item Use a service account token or workload identity federation via
\code{path}.
\item Bring your own \code{token}.
\item Customize \code{scopes}.
\item Use a non-default \code{cache} folder or turn caching off.
\item Explicitly request out-of-band (OOB) auth via \code{use_oob}.
}
If you are interacting with R within a browser (applies to RStudio
Server, Posit Workbench, Posit Cloud, and Google Colaboratory), you need
OOB auth or the pseudo-OOB variant. If this does not happen
automatically, you can request it explicitly with \code{use_oob = TRUE} or,
more persistently, by setting an option via
\code{options(gargle_oob_default = TRUE)}.
The choice between conventional OOB or pseudo-OOB auth is determined
by the type of OAuth client. If the client is of the "installed" type,
\code{use_oob = TRUE} results in conventional OOB auth. If the client is of
the "web" type, \code{use_oob = TRUE} results in pseudo-OOB auth. Packages
that provide a built-in OAuth client can usually detect which type of
client to use. But if you need to set this explicitly, use the
\code{"gargle_oauth_client_type"} option:
\if{html}{\out{<div class="sourceCode r">}}\preformatted{options(gargle_oauth_client_type = "web") # pseudo-OOB
# or, alternatively
options(gargle_oauth_client_type = "installed") # conventional OOB
}\if{html}{\out{</div>}}
For details on the many ways to find a token, see
\code{\link[gargle:token_fetch]{gargle::token_fetch()}}. For deeper control over auth, use
\code{\link[=gs4_auth_configure]{gs4_auth_configure()}} to bring your own OAuth client or API key.
To learn more about gargle options, see \link[gargle:gargle_options]{gargle::gargle_options}.
}
\examples{
\dontshow{if (rlang::is_interactive()) (if (getRversion() >= "3.4") withAutoprint else force)(\{ # examplesIf}
# load/refresh existing credentials, if available
# otherwise, go to browser for authentication and authorization
gs4_auth()
# indicate the specific identity you want to auth as
gs4_auth(email = "[email protected]")
# force a new browser dance, i.e. don't even try to use existing user
# credentials
gs4_auth(email = NA)
# use a 'read only' scope, so it's impossible to edit or delete Sheets
gs4_auth(scopes = "spreadsheets.readonly")
# use a service account token
gs4_auth(path = "foofy-83ee9e7c9c48.json")
\dontshow{\}) # examplesIf}
}
\seealso{
Other auth functions:
\code{\link{gs4_auth_configure}()},
\code{\link{gs4_deauth}()},
\code{\link{gs4_scopes}()}
}
\concept{auth functions}
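
The \code{path} and \code{scopes} arguments documented above, combined for unattended use. This is an added example, not part of the googlesheets4 documentation or code base: the helper name \code{auth_readonly_sa()}, the environment variable \code{GS4_SA_KEY} and the file-permission check are assumptions made for illustration.

```r
library(googlesheets4)

# Hypothetical helper (not part of googlesheets4): authorize with a service
# account key and the read-only scope, after checking the key file itself.
auth_readonly_sa <- function(key_path) {
  if (!file.exists(key_path)) {
    stop("Service account key not found: ", key_path, call. = FALSE)
  }

  # On POSIX systems, refuse a key file that group or other users can access.
  # File modes are not meaningful on Windows, so the check is skipped there.
  if (.Platform$OS.type == "unix") {
    mode <- file.mode(key_path)
    group_other <- as.integer(as.octmode("077"))
    if (bitwAnd(as.integer(mode), group_other) != 0L) {
      stop(
        "Key file is accessible to group/other (mode ", format(mode),
        "); restrict it to the owner (chmod 600) first.",
        call. = FALSE
      )
    }
  }

  # Request only the read-only Sheets scope, so the resulting token cannot
  # edit or delete Sheets.
  gs4_auth(path = key_path, scopes = "spreadsheets.readonly")

  # Fail loudly instead of letting a later call fall back to another auth flow.
  if (!gs4_has_token()) {
    stop("Authorization did not produce a token.", call. = FALSE)
  }
  invisible(TRUE)
}

# GS4_SA_KEY is a hypothetical environment variable holding the key's path,
# so the path is not hard-coded in a script that may end up in version control.
key_path <- Sys.getenv("GS4_SA_KEY")
if (nzchar(key_path)) {
  auth_readonly_sa(key_path)
}
```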