I have created a new project in Google cloud console to experiment with Google OAuth flows. I have therefore set up OAuth web app client credentials using
APIs & Services -> Credentials -> Create Credentials -> OAuth Client ID -> Web Application
I want to be able to experiment with postman to request authorisation codes, access/refresh tokens etc. Once in the Create OAuth client ID I therefore add a postman callback URI (https://oauth.pstmn.io/v1/callback) to the credentials' Authorised Redirect URIs as described here. However when I click CREATE at the bottom of the Create OAuth client ID screen, the screen does not update and just keeps spinning. I have waited for over 20 mins but to no avail. Is this a callback URI validation problem such that Google won't allow me to add this redirect URI to the credentials? I have tried to add the domain oauth.pstmn.io to the authorised domains in the project settings but to no avail. When I don't include the redirect URI, the credentials are created with no problem and I am returned to the main APIs & Services -> Credentials screen.
The user that I am using to make these changes owns the project and therefore I do not suspect it is a Google user permissions issue. I have also added the minimum number of fields (project name and support email) to the OAuth consent screen settings. I have also tried this whole process logged in on a different machine.
It seems that at least one api scope needs to be added to OAuth consent screen->Scopes before you set a redirect URI. This video explains the entire setup.
https://documenter.getpostman.com/view/8296678/TzXtGzS2
you can use this public collection to learn more about how to set up auth token for google APIs
Related
I am having a hard time making a Cloud Run app that would serve as an internal API for employees (no frontend).
This would have endpoints like: POST api.mydomain.com/post-some-data where i want to pass some body parameters.
After IAP is setup and applied through a Load Balancer, I can enter the url in a browser and a consent screen appears. I log in with an account that has permissions and the relevant code runs as expected.
BUT
When trying with Postman, having the OAuth2 set as Authentication, setting all the token configurations etc - I get a consent screen in the browser as expected. After authentication I get a Access Token back to Postman in the format ya28.a0 ... w0123. When clicking "SEND" it returns
Invalid IAP credentials: Unable to parse JWT
My question
What is required to reach the endpoint (code/app) with the given OAuth header after consent? It works from the browser directly but not through Postman after getting the Access Token from browser consent. The endpoint/app is not reached at all from my understanding. So I cant break down the header in the endpoint-code as far as I know.
The goal is to be able to pass body parameters and having a nice shared API collection in postman. And that cant be done in the same way directly through a browser.
Thanks,
I've set up all the necessary steps in GCP for a Cloud Run app secured by IAP.
I've made sure a simple endpoint works as expected directly through a browser + consent screen.
I've successfully made Postman OAuth2 go through my consent in GCP and ask for auth.
I've got an Access Token back to Postman before sending the request.
I have some applications served to my company users on EKS (i.e., Jenkins). In company we use Google Workspaces (GSuite) for email and stuff. So I want to allow users to login with Google creds to those applications I serve. I figured out I could use Cognito to achieve it but I cannot connect those and flow end with Google showing 403. Error: app_not_configured_for_user. In their documentation I can find:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
but how do I debug it? I do not see a logs from neither AWS and Google sides :/
I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page but they do not provide exact scenario for AWS Cognito. Anyways all of those are very similar so I guess I shouldn't have problems, but I do have.
What I did:
In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
I downloaded metadata file
In AWS Cognito console I created User Pool
I created IdP provider and uploaded metadata file there
I created application client
Using those values I filled fields ACS URL and Entity ID in Google Admin using values:
ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
I also selected Name ID format to be Persisted
In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
In AWS Cognito I enabled HostedUI and also created mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to email field.
And now when I click View Hosted UI in AWS console it will redirect me to Google authentication and after it directly to before mentioned 403 app_not_configured_for_user page.
I tied it 3 times with slightly different configurations of mapping, signed responses, etc. but nothing gets me past that error.
Anyone tried to integrate it?
How to troubleshoot the 403 app_not_configured_for_user error related to SAML apps from the Google Workspace Admin console
The first thing you need to do is to grab a HAR file recording the whole login process and find the SAML request. Steps can be found here.
Once you get the file you can open it using that tool and search for SAMLreq at the top right (see image).
After that you will get a list of values containing information. You will have to check one by one until you find the one that has the SAML request in the request tab (see example below).
Once you get the value from the SAML request, copy it and you can use this tool to do a SAML decode and find the entity ID. You can use Ctrl + F and search for saml:Issuer to find the value faster. If the value does not match, then you know you have an error and you will need to contact the support team from the app to see which value is the correct one.
In case the value matches I would recommend opening a ticket to check with Google.
I have a BlazeMeter Pro account and I am stuck on the step I try to record in Jmeter and also try with BlazeMeter recording but not able to do it.
Now flow is I have to login into the system and perform the operation, we implement oAuh2.0 from the development side to authenticate the user from the Gmail and we face issue while record script that user is not able to authenticate to login when you hit with single or multiple users.
to authenticate I need all the below parameters and I have all details but now in Jmeter or BlazeMeter, I do not understand where I add all details.
client_id=
client_secret=
refresh_token=
grant_type=refresh_token
we are implementing a following steps at record time
Load a respective URL and open Gmail Login page
After Enter email and password page is redirect and particular website will be display
After enter user name and password on the website UI is display.
Please guide me on how I implement this and process my flow for load testing.
As per Google documentation in OAuth 2.0 for Client-side Web Applications you need to
Send a request to https://accounts.google.com/o/oauth2/v2/auth with:
client_id
redirect_uri
response_type
scope
parameters.
This request you should be able to record using your favourite recording option.
In your case you need to change this redirect_uri to some web server which you control as you will receive the token there in form of https://your_redirect_url_here/callback#access_token=your_token_will_be_here&token_type=Bearer&expires_in=3600
It's a good idea to use HTTP Mirror Server for this purpose.
Once you get the token you will be able to add HTTP Header Manager and configure it to send Authorization header with the value of Bearer ${your_token}
More information:
OAuth 2.0 Documentation
OAuth 2.0 Playground (if your application uses different flow you can replicate it there and see relevant requests/responses which can be later on implemented in JMeter)
I am trying to authenticate and add a user to the user pool using google sign in by following the video tutorial given here . This does almost exactly what I want to achieve with my application , i.e, provide a login page with an option to authenticate through google (using hosted UI), the user then gets added to the user pool in cognito if not already present and gets redirected along with access token in the redirected url. I wanted to add the sign in with google button on the already existing login page I have currently and authenticate user from there.
Is there a way through which I can receive access and ID tokens for an end user without using Hosted UI ? Can someone explain(or point me out to documentation) explaining flow along with the APIs hit from the moment a user clicks on the sign in with google button that redirects to a google sign in page to the point cognito returns access and ID tokens for the user ?
Behind the scene the Hosted UI is a set of HTTPS endpoints that you can call yourself with specific parameters. What you are interested in is the AUTHORIZATION endpoint (https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html).
There you must submit the identity_provider parameter (in your case the one for Google) and the callback that is https://HOSTED_UI_DOMAIN/oauth2/idpresponse.
This will hit the Hosted UI with a specific client ID (so that it can create a new user in User Pool). In your client configuration you need to specify the callback URL being your application. This endpoint will then receive an authorization code from Cognito that can be exchanged for a set of JWT by calling another endpoint in Hosted UI: https://HOSTED_UI_DOMAIN/oauth2/token.
I'm trying to use Federation from a User Pool. Note, I am not talking about Federated Identity Pool a different concept.
Is there a SignIn API for federated users or is just a hosted UI
Does the app "have to" open a browser on a Sign In URL that looks like https://XXXXXX.au=th.XXXXX.amazoncognito.com/login?response_type=code&client_id=XXXXXXXXX&redirect_uri=XXXXXXX? Can the end-user can stay inside the app, similar to how Google SignIn API on Android works (it pops up a small Google sign in UI, user clicks on their name, you're immediately back inside the app with a token.
How do I launch a browser on that Sign In URL?
How can my app be called back when the user has finished signing in?
Specifically how does my mobile app receive the token from the browser?
Is there a SignIn API for federated users or is just a hosted UI?
As far as I can tell you have to use the hosted UI when you federate a user pool to social IdPs.
How do I launch a browser on that Sign In URL?
This depends on the language and platform obviously, on Android with Xamarin you can use Xamarin.Auth.Presenters.OAuthLoginPresenter.Login() to launch a native browser Chrome at a URL specified by the OAuth2Authenticator you pass in. That OAuth2Authenticator does more than just craft the URL it gives Chrome, its stateful so when you get an answer back in the form of a code or token, you can then call methods on that object to proceed.
How can my app be called back when the user has finished signing in?
Specifically how can the browser redirecting a URL actually redirect you back inside the app. That's done via something called, Deep Links & App Links, here's that concept explained on Android.