In my current engagement, one of the projects required integration between Google Analytics (GA) and IBM Integration Bus (IIB). Google Analytics is built upon a powerful data reporting infrastructure which can be accessed using the Google Analytics Reporting API (V4 is the most current). Google APIs use OAuth 2.0 protocol for authentication and authorization. In this article, I have stated, at a high level, the steps that you need to do to successfully invoke Google API’s from the IIB message flows.
I must also mention one thing before I describe the approach. For server-to-server authentication (like the one we are doing here), the recommended approach is to create a service account. Next, create a JSON Web Token (JWT) using Java utilities on IIB, and use the JWT to request an access token from Google’s OAuth server. We successfully implemented that approach for the project in production, and it was running fine until it started failing one day (“Unauthorized client error”). We tried to resolve the issue using recommendations from multiple forums and blogs, but nothing worked. Even the Google engineers that we got in touch with mentioned that this error is sporadic and there is no guaranteed solution to this problem. It was then that I decided to use a different approach and use web clients instead of a service account.
So, here are the steps:
1. On the Google API console, enable the API’s that you need to access.
2. Create a web application OAuth client ID.
3. Obtain the OAuth 2.0 credentials (client_id and client_secret) from the console.
4. Use the steps mentioned in this link to get a refresh token from Google OAuth 2.0 server. The refresh token has a lifetime validity for the client until the API access to the client gets revoked. This refresh token can thus be used inside IIB to request access tokens as many times as required.
5. Create the message flow in IIB with HTTP Request node to make the call to Google OAuth (https://www.googleapis.com/oauth2/v4/token). As a part of this flow, you need to have the following UDP’s (user-defined properties):
- clientId – value from API console
- clientSecret – value from API console
- grantType – “refresh_token”
- refreshToken – refresh token obtained in Step 4
6. A simple ESQL code can make the call to Google OAuth to get the JSON response that has the access token. The UDP’s mentioned above need to be in the body of the HTTP POST request.
7. The access token that is returned in the response can then be used to make the call to Google Analytics Reporting API.
8. The same framework has been successfully used in other IIB to social media API integrations, like Sprinklr.