Accessing REST API with Google OAuth

Beginner here.

My organization’s instance of Metabase uses Google OAuth for sign-in. I want to figure out how I can send API calls to it and set it up so it automatically grabs a refreshed Google Auth token.

How would I go about this? Would I need my IT department to set up a Google API Service Account? If they do that, what would I do next?

Any documentation would be helpful.

-Michael

Hi @michaelkleban
Unless you’re hard set on using Google Auth, you could just set up a regular non-Google user in Metabase, which uses email+password, and that could be used for the API.
Also have a look at this topic: Metabase API Authentication

Thanks, Flamber. I will ask my security team if that’s possible. In case they require OAuth, do you know of any online resources you could point me to?

@michaelkleban You would need to do the authentication with /api/session/google_auth, which will return a session token that you’ll use in the header X-Metabase-Session. But I don’t know if you can do that programmatically with all the new much stricter cookie restrictions and Google’s protective measures.
If you check your browser developer console, then you can see every request sent/received - almost everything you can do in the interface is also available in the API.

Alternatively, you can define an environment variable MB_API_KEY and pass the header X-Metabase-Apikey with the same value (I don’t remember testing this, so just writing from memory):
https://github.com/metabase/metabase/blob/6f271dbe7ec7598b6878dcdede88ffdfc68dcaac/docs/operations-guide/environment-variables.md#mb_api_key

EDIT: For reference: https://github.com/metabase/metabase/issues/13026

@flamber - I seemed to have figured out how to obtain a refreshed Google OAuth token. When observing the Network tab of Chrome Dev Tools upon signing into Metabase, there is a call it makes to Google called “iframerpc?action=IssueToken…”. Simply copy the headers and url endpoint from that and it seems to work each time. The “id_token” element from that JSON response is your refreshed token. That can then be used in the api/session/google_auth call you mentioned.

1 Like

@michaelkleban - I’m new at Python and APIs. Could you help me? (My English is not great.)
I took the id_token and put it in the token variable. Then, I tried to use the api/session/google_auth and I got a 404 error.
After I took the id_token, I did…

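import requests

# token holds the id_token copied in the previous step
url_auth = 'https://metabase.kovi.us/api/session/google_auth'
params_auth = {'token': token}
# params= sends the token as a URL query parameter
r_auth = requests.post(url_auth, params=params_auth)
print(r_auth.status_code)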

Hi @edchlee,

I apologize for the delayed response. Are you still having trouble with this?

Thanks,
Michael

Hi @michaelkleban,

No problem, I’m still having trouble.

Could you help?

Thanks,
eduardo

@edchlee - Try following these steps:

  1. Navigate to Metabase in Chrome
  2. Log out of Metabase if you are not logged out already
  3. Open the Developer window (or right click and select “inspect”)
  4. In the Developer window, go to the Network tab
  5. You will see a red record button in the upper left. Click that twice to reset the request tracking.
  6. Log into Metabase using Google Authentication
  7. Look for a request in the Network tab that starts with “iframerpc?action”. Click on that.
  8. Under “Headers” you will see several sections
    a.) General - Copy the Request URL from this section
    b.) Request Headers - Copy all of the elements from this section
  9. Make an API call to get the Session ID
    a.) URL = Request URL from the General section
    b.) Headers = Elements from the Request Headers section (if using Python, create and use a dictionary of these items)
  10. The Response from the API call will include an element called “id_token”. This is your Session ID.
    NOTE: I personally did not have to include a payload in this particular API call

IMPORTANT: Keep in mind that OAuth is meant to expire after a while (could be minutes, could be one or two days). The elements you copy and paste into your API call will eventually stop working, and you will have to repeat this process. I believe the element that changes is the “cookie” in the Request Headers.

1 Like
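An added example, not taken from any post in this thread or from the Metabase project, of the two requests described above: exchanging a Google id_token at /api/session/google_auth and then sending the returned session in the X-Metabase-Session header, with a local check of the token's expiry before it is used. Assumptions: the base URL is a placeholder, the helper names are hypothetical, the endpoint is assumed to read `token` from a JSON body, and the sample token is constructed and unsigned.

```python
import base64
import json
import time
import urllib.request

# Assumption: placeholder base URL; replace with your own Metabase instance.
BASE_URL = "https://metabase.example.com"


def id_token_expiry(id_token):
    """Return the `exp` claim (Unix seconds) of a Google ID token (a JWT).

    The payload is only decoded, not signature-verified: this is a local
    freshness check; the server still validates the token itself."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["exp"]


def build_session_request(id_token, now=None):
    """Build POST /api/session/google_auth with the token in the JSON body.

    Sending the token in the body (assumed request shape) rather than in the
    query string keeps it out of URLs recorded by proxies and access logs."""
    now = time.time() if now is None else now
    if id_token_expiry(id_token) <= now:
        raise ValueError("id_token has expired; obtain a fresh one")
    return urllib.request.Request(
        BASE_URL + "/api/session/google_auth",
        data=json.dumps({"token": id_token}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def build_api_request(path, session_id):
    """Build a GET that carries the session token in X-Metabase-Session."""
    return urllib.request.Request(
        BASE_URL + path, headers={"X-Metabase-Session": session_id}
    )


def make_sample_token(exp):
    """Constructed, unsigned JWT-shaped token used only to exercise the code."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "sig"])
```

Pass either request object to `urllib.request.urlopen()` to send it; the session value and the id_token are credentials and should be stored like passwords.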