Programmatically create GCE OAuth2 Web App credentials - google-cloud-platform

My company has a standard format for web apps, and I'm building a tool that programmatically provisions resources for new ones. The apps have federated login via Google, so I need to create a new OAuth2 web app clientId within Google/GCE. It can be done manually from the Credentials page like this, but I'd like to remove all manual steps from app setup.
So far I haven't been able to find any API endpoints or SDK functions that would allow me to create a new app, set its redirect url, etc. I have found the service account credentials API, but as far as I can tell that does not include functionality to provision new OAuth apps.
Is there an API I'm missing that can do CRUD operations on OAuth credentials/clientIds? Is there some other way to do this?

Related

Relation between GCP project and OAuth app

Trying to set up an OAuth flow for my web service so that it is able to access GCP services and I am not.
When going to the Credentials Service, there seems to be the option of having only ONE “OAuth Consent Screen”.
However, one can issue multiple OAuth Client IDs.
Does this just imply a mandatory 1-1 mapping with an OAuth App and a GCP Project?
An OAuth App (Client ID and Client Secret) is created in a project and is tied to that project for the purposes of management and control.
However, the identities that authenticate using that OAuth app are not tied to a single project. IAM within each project controls who/what can access resources.
A precise answer requires more details such as who is the OAuth Identity Provider (Google, Google Workspace, Google Identity Platform, etc.) and what resources and services the app grants access to.

Creating Application for other enterprise to SSO and list directory users?

I am trying to create a web application. This app is a B2B PAS model.
One of the features of the app is, an organization using GSuite, can onboard our system and then all its users can log in to our software using their org's google ids. However, in the application, one user can assign task to another user in org. So our application should be able to list all users of the org too.
How can both these features be achieved?
I have tried the SAML approach, by creating a custom app from Gsuite admin console. However, can SAML be extended to also list users from the organizations which the SAML app belongs to? (Basically trying to use the Google Cloud Directory API)
What other alternative approaches should I look for if pure SAML doesn't work out?
P.S tech stack I'm using is Nest JS for backend and Angular for frontend
If I am understanding properly you are looking for the way to populate all users/ID from organization to your SAML App. Single sign-on (SSO) allows users to sign in to enterprise cloud applications using their managed Google account credentials, more details here in set up your own custom SAML application. It is also possible to Set up SSO using 3rd party IdPs.
However, Google supports several industry standard protocols like OAuth 2.0, OpenID Connect 1.0 and SAML 2.0 for handling authentication, authorization, and single sign-on. You can take a look at authenticating corporate users in a hybrid environment for more details.

How to authenticate users with Aws Cognito and Aws Amplify

We are building an application with mobile authentication and we decided to use Aws. I searched a little and decided to use Aws Cognito. I read the documentation and while reading I noticed that, for the application side I need to use Aws Amplify. I tried some examples but I am not sure I understand the concept right.
Can you give me some insight about this model.
Amazon Cognito is a managed Identity Provider in the cloud, it provides you with a user repository, federation, GUI for signin, signup, lost password and other user flows, it supports OTP, email address verification etc ...
It can be integrated into your app through the provided UI or through its API if you want to control the look and feel of theusre interfaces.
Amplify is a command line tool and client library to make it easy to provision and to use cloud services, including Cognito, from your web or mobile application.
The Amplify CLI will help you to provision Cognito in the cloud, without requiring you to click through all the options in the console. The Amplify client side library will provide high level programming constructs to make it easy to access cloud based services, such as Cognito, from your apps.
You can watch this 45 minute talk that shows Amplify in action : https://www.youtube.com/watch?v=QxOcvOMnAuQ and this github repo with a sample application : https://github.com/sebsto/amplify-react-workshop

Gapps script: using user auth credentials to authorize vs external django app service (which uses google as oauth provider)

The workflow I need:
User authenticated via google to a g-apps spreadsheet with google-apps-script.
The script then calls an external service( a django app) which uses oauth for login with google backend - and authenticates with the user google credentials.
Searched from the G-apps api docs but couldn't find how to utlizlize the use existing google login to authenticate vs an external service also using google oauth login (there are docs to connecting to a google api, but that's a different use case)
Is this even possible? if so - How can I access the user credentials directly or preferably allow UrlFetchApp to use the credentials transparently.
Maybe my google foo is failing me, but I can't find examples/explanations for this scenario.

Options for securing REST based service for iOS/Android app

I am working on a web application implementing online shopping functionality. I am using Struts2 + Spring + Hibernate. I am using Spring security to implement authorization and authentication.
Now my client wants to develop an iOS/Android App for the same where users of my web application can login and use some of the functionality using the app.
Mobile App will access the REST based web services on JSON which will be implemented using Jersey. Here are my questions:
Users are going to have a role from three of the roles. Depending on the role they should be able to access the specific resources. I am thinking about using Spring Security 2.0 with Jersey and authenticate the users using OAuth 2.0. Is OAuth 2.0 right applicable choice?
Also, Jersey doesn't support oAuth 2.0 on server side. Still I guess I should be able to use any other OAuth provider to secure Jersey services right?
If oAuth is not the right choice then what I can use to provide role based authentication and authorization for Mobile App users to my REST web services.
Don't forget you can use simple HTTP BASIC auth (with SSL, of course).
For comparsions of OAuth versions, see this.
After having to deal with the same problem I did some research and currently I can see 3 solutions.
Pivotal actually have a piece of software which they use for their cloudfoundry services, called UAA (User Account and Authentication) Server. You can deploy this to your own server, and it's role is basically to provide OAuth2 access tokens. You will need to create your own Resource Server which will serve different resources if the correct OAuth token is provided in the request. (they have a couple of sample apps in the UAA repo which you can use) https://github.com/cloudfoundry/uaa
Google actually provide services like that. If you host your backend on appengine you can use cloud endpoints to expose your API and they take care of Authentication and Authorization.
https://cloud.google.com/appengine/docs/java/endpoints/
You can create your own architecture. Basic approach would be to have an Authorization server (to generate tokens), an Resource Server (to serve your API) and some sort of storage for users and tokens.
Hope that helps a bit, I'm personally going to go with the UAA to try it out.