I have appengine application protected by IAP/GCIP using email as external provider.
Using sample angular project for firebase authentication as provided in iap-gcip-web-toolkit github project, I want to use this authentication UI for the appengine application
When I try to access the firebase authentication UI, getting following error
Client specified an invalid argument
I have ensured that firebase uses the gcp project linked to it and also the API Key associated with firebase/gcp project is used.
Why is this error getting thrown?
Looks like a bad reference of my firebase app associated with gcp project. Uploaded auth ui app to the firebase account associated with gcp project once again and it worked fine
Related
I have added these 2 identity providers (refer attached images) to Google Cloud -->Identity Platform
Email/Password
OIDC Connect (oidc provider)
Now if you see there is a User section as well under Identity Platform
So I have added some random users which are non gmail users (refer image), like xyz#abc.com, which I want to authenticate with the help of Google Cloud (it when this user comes to login, I will hit API endpoint /login and in login server side code, I will redirect to Google Cloud to Authenticate this user using OIDC Authorization flow)
I need Java code to :
Using some java code, First choose the provider as OIDC provider (oidc-auth-provider).
Make call to Google Cloud which should use this Provider (oidc-auth-provider)
This oidc-auth-provider should look up the users which I have created under Users section (refer image)
Google Cloud after verifying user exist, should send back with Auth Code
using Auth Code I will call back to Google and get ID token/JWT token
I was referring to this link :
https://cloud.google.com/identity-platform/docs/web/oidc
If you search "Signing in users with OAuth" this section on page, that is what exactly I am looking for, but the problem is it has given a UI code example using Firebase API example, to create OAuthProvider instance (which will choose provider), but I need server side code example instead, I am not sure if I can use this Firebase API on server side java code for a web application? Any suggestion that how can I do similar things from a server side Java code?
added Providers under Identity-platform
Added users manually which I wanted to authenticate
I'm using Expo to build 2 android app, and using 1 Firebase Project.
For Notification I'm using expo-notifications.
I had uploaded Firebase Server Key to Expo expo push:android:upload --api-key XXX-XXX-XXX.
I had configured android app credential in firebase Project Settings with SHA-1 from Google Play Console, then downloaded the latest google-services.json, then placed in app.json and set path android.googleServicesFile : "./google-services.json".
I had configured package name API Google Cloud Platform same as app.json android.package, same as Android App Firebase Project Setting Package Name.
I had configured SHA-1 Certificate Fingerprint API Google Cloud Platform and Android App Firebase Project Settings same as SHA-1 Certificate Fingerprint from Google Play Console.
I had enabled Firebase Installation API, Firebase Cloud Messaging, FCM Registration API, Cloud Messaging in Google Cloud Platform.
I set single user login within my app, so When user did new login, the past of usertoken will be reset to a new token, and another login will be logout.
The problem is, one of my app works perfectly, and another one came out with error, it said, Fetching the token Failed, message : FIS_AUTH_ERROR.
And Notification is not delivered to broken app.
Help me please...
I'm trying to implement Outlook Oauth2 in our Django backend server which is hosted on an AWS instance.
I carefully followed the instructions in their python tutorial and it works 100% in my local machine. I am able to grab the authorization code which I then convert in my backend server to an access token.
The problem lies in our demo server which is an AWS instance. We have a button that redirects the users to Outlook authentication. The URL has the following format:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<client-ID-here>&redirect_uri=<demo-server-redirect-url>&response_type=code&scope=openid+profile+offline_access+Calendars.ReadWrite&prompt=consent
I am receiving the following error whenever I convert the authorization code into an access token just after the consent screen:
{
'error': 'access_denied',
'error_description': 'Your credentials aren't allowed'
}
The weird thing is that if I use POSTMAN using the demo server Outlook credentials, I am able to retrieve an access token from Outlook.
Basically, it works for both in my local machine and using Postman. I really think that I'm just missing a very small piece of code/configuration here. Are there some extra settings that I need to do in order to make Outlook Oauth2 work in AWS?
We were able to fix the bug by adding User.Read into the scopes. Apparently, that's the only thing missing from all of this.
I have a web app in Google App Engine (with Flask) that needs to ask the user for permissions.
I followed this explanation and it got me working great.
But how do I get the secret_file (or client_config) credentials?
All examples I saw used a local file - but that is not production safe! Is there any way to get it from the application credentials?
I also tried using oauth2client.client.GoogleCredentials.get_application_default() but that seems to be a service account which I can't use.
Creation of web app authorization credentials is discussed here.
Once you are done with the form, client_secret.json file will be generated and is downloadable via the API Console.
There will be a 'Download JSON' button at the right of the OAuth Client credential you created and at the upper part of the page when you click on the Client ID.
From this documentation, it is explained how to construct the authorization request using google-auth-oauthlib.flow module.
In Python, call the from_client_secrets_file method to retrieve the
client ID from a client_secret.json file. (You can also use the
from_client_config method, which passes the client configuration as it
originally appeared in a client secrets file but doesn't access the
file itself.)
I am trying to integrate the single sign on for my application running on Google app engine platform.
I am using SAML 2.0 protocol to get this done. My organization already have the identity provider using LDAP, which configured in such a format (https://sso-companyname/appname). For this configuration, its took following details
XML metadata for their assertion consumer service (ACS) (https://www.google/companyname/a/acs),
a list of the LDAP attributes to be sent (email),
which attribute is to be used as the subject of the assertion (company enterprise id),
the RelayState URL at the relying party site to send the user after the SAML Response assertion has been validated, (application target URL form GAE deployment. like (https://appname-dot-projectid.appspot.com)
a short name (less than 7 characters) of the application to be used in the URL, (given as app name)
According to this configuration, the ACS is not for a particular GAE application, so I am getting 400 error from the google server.
Can some one help me on how to create ACS for a single GAE application and would able to explain the SSO for GAE web application would be grateful.
The web application using Python jinja2 frame-work for the UI, webapp2 for the routing. It will call the google-big-query to populate the data to UI, currently, it is using Python standard environment of GAE, and OAuth 2 method to authenticate and call the big-query API to get data. So some people don't have the GCP/Project access, doesn't able to view the data. to resolve this we trying to implement SSO on top of the application.
I think the easiest way to integrate GAE with SSO/SAML is to use Google Identity Platform (GIP) which uses Firebase under the hood. This lets you use the firebase-admin Python package to easily interact with JWTs, and lets you use the GIP console to set up an SAML server.