I am using gcloud auth login + container clusters get-credentials to e.g. fetch credentials for a kubernetes installation. This works great ;).
But whenever gcloud auth login is called a oauth browser is shown, which presents:
That's ok! I was wondering if it's possible to change the oauth app used in this screen from "google cloud sdk" to a company wide application? E.g. we have a OAuth Enabled Google Project and I would like my co workers to „allow“ this app and not the generic „google cloud sdk“.
PS: I am aware of the fact that there are service accounts for headless login -> but I want the user to authenticate personally
This screen doesn't belong to "google cloud sdk" app, it's part of OAuth2 flow. Here it's the explicit permissions flow: It ask the user to consent the permissions to the app (name "client" in the OAuth doc).
So, here it's the Google identity provider which present this page. And you can't customize it.
Related
Trying to set up an OAuth flow for my web service so that it is able to access GCP services and I am not.
When going to the Credentials Service, there seems to be the option of having only ONE “OAuth Consent Screen”.
However, one can issue multiple OAuth Client IDs.
Does this just imply a mandatory 1-1 mapping with an OAuth App and a GCP Project?
An OAuth App (Client ID and Client Secret) is created in a project and is tied to that project for the purposes of management and control.
However, the identities that authenticate using that OAuth app are not tied to a single project. IAM within each project controls who/what can access resources.
A precise answer requires more details such as who is the OAuth Identity Provider (Google, Google Workspace, Google Identity Platform, etc.) and what resources and services the app grants access to.
My company has a standard format for web apps, and I'm building a tool that programmatically provisions resources for new ones. The apps have federated login via Google, so I need to create a new OAuth2 web app clientId within Google/GCE. It can be done manually from the Credentials page like this, but I'd like to remove all manual steps from app setup.
So far I haven't been able to find any API endpoints or SDK functions that would allow me to create a new app, set its redirect url, etc. I have found the service account credentials API, but as far as I can tell that does not include functionality to provision new OAuth apps.
Is there an API I'm missing that can do CRUD operations on OAuth credentials/clientIds? Is there some other way to do this?
As google documented, developers can use gcloud auth print-identity-token to generate a development-only id_token to authenticate to Cloud Run. If I base64 decode the resulting id_token, I can see the aud claim is set to 32555940559.apps.googleusercontent.com, which is the client_id of the google cloud sdk:
Is this an exception to the rule outlined in service-to-service authentication, which says target_audience needs to be set to the url of the receiving service (e.g., https://xxxxx.run.app).Is aud and target_audience the same thing?
Lastly, is there an alternative way to authenticated with user account instead of service account, other than using googlecloudsdk (i.e. imaging gcloud auth print-identity-token doesn't exist)?
Yes, it's a real problem. I wrote 2 articles on IAM limitation and Service Account Credentials API, and I submitted 2 pull requests for the Google Auth Java library (I can share the link if you are interested).
Directly and easily, you can't. I provide workarounds in my article but not great enough to stop my discussions with Google now.
You could use the following command:
gcloud auth application-default login
According to the documentation:
This command is useful when you are developing code that would
normally use a service account but need to run the code in a local
development environment where it's easier to provide user credentials.
The workflow I need:
User authenticated via google to a g-apps spreadsheet with google-apps-script.
The script then calls an external service( a django app) which uses oauth for login with google backend - and authenticates with the user google credentials.
Searched from the G-apps api docs but couldn't find how to utlizlize the use existing google login to authenticate vs an external service also using google oauth login (there are docs to connecting to a google api, but that's a different use case)
Is this even possible? if so - How can I access the user credentials directly or preferably allow UrlFetchApp to use the credentials transparently.
Maybe my google foo is failing me, but I can't find examples/explanations for this scenario.
I am learning about AWS concepts, and want to deploy a complete serverless application.
Using the awsmobile tutorial, I have been able to deploy a very crude react app with user signup and signin (available here).
I see that by adding Google as a federated entity I can also enable Google Signin in the app.
My app, however, will only be relevant for Google user. As such, I want to only allow Google Sign-up (creating users) and Sign-In (logging existing users in).
When signing in using Google in the application, I see that no user is created in the Cognito database, nor in the dynamodb. Is that expected?
I would expect the user to be available.
Thanks