How to get content_aware_access in reports sdk? - google-admin-sdk

I want to use the Reports API (Admin SDK) to get the content_aware_access list, but I can't find any API that returns this.
First I set the security level at https://admin.google.com/u/1/ac/security/context-aware and then check it at https://admin.google.com/u/1/ac/reporting/audit/context_aware_access , but now I need to search through api sdk.
Please tell me where to find this sdk? Thank you

The information you are looking for is contained in Reports API: Admin Activity – Security Event Names.
Before you implement the request in the language of your choice, I recommend testing it with the OAuth Playground.
Instructions:
Choose the scope https://www.googleapis.com/auth/admin.reports.audit.readonly (Step 1)
Exchange authorization code for token (Step 2)
Insert a Request URI and Send the request (Step 3)
Choose the URI according to your requirements based on the documentation for the Admin Activity Report.
Sample URI:
https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin
This will retrieve all your security settings.
If you look for something more specific, for example events with the name CREATE_ACCESS_LEVEL_V2 - request the URI
https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CREATE_ACCESS_LEVEL_V2
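To move from the Playground to code, the following is an added example (not from the answer above) that builds the same activities.list URI, filters on eventName, and follows nextPageToken across pages. The real HTTP call is `http_fetch` with the bearer token from step 2; the two-page response, the event type and the parameter name ACCESS_LEVEL_NAME are constructed for illustration and are not taken from Google's documentation.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE = "https://www.googleapis.com/admin/reports/v1/activity/users"

def build_activity_uri(application="admin", event_name=None, user_key="all", page_token=None):
    """Build the activities.list URI from the answer, adding eventName/pageToken when given."""
    uri = f"{BASE}/{user_key}/applications/{application}"
    params = {k: v for k, v in (("eventName", event_name), ("pageToken", page_token)) if v}
    return uri + ("?" + urlencode(params) if params else "")

def http_fetch(uri, access_token):
    """Real call: GET with the OAuth 2.0 bearer token obtained in Playground step 2."""
    with urlopen(Request(uri, headers={"Authorization": f"Bearer {access_token}"})) as resp:
        return json.load(resp)

def iter_events(fetch, application="admin", event_name=None):
    """Yield (time, actor email, event name, parameters) and follow nextPageToken."""
    page_token = None
    while True:
        page = fetch(build_activity_uri(application, event_name, page_token=page_token))
        for item in page.get("items", []):
            actor = item.get("actor", {}).get("email", "?")
            for ev in item.get("events", []):
                params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
                yield item["id"]["time"], actor, ev["name"], params
        page_token = page.get("nextPageToken")
        if not page_token:
            return

def _item(time, level):
    """Constructed activity item; event type and parameter name are assumed, not from the docs."""
    return {"id": {"time": time, "applicationName": "admin"},
            "actor": {"email": "admin@example.com"},
            "events": [{"type": "CONTEXT_AWARE_ACCESS", "name": "CREATE_ACCESS_LEVEL_V2",
                        "parameters": [{"name": "ACCESS_LEVEL_NAME", "value": level}]}]}

# Constructed two-page response keyed by request URI; stands in for http_fetch offline.
SAMPLE_PAGES = {
    build_activity_uri("admin", "CREATE_ACCESS_LEVEL_V2"):
        {"items": [_item("2021-05-01T10:00:00.000Z", "corp-devices")], "nextPageToken": "p2"},
    build_activity_uri("admin", "CREATE_ACCESS_LEVEL_V2", page_token="p2"):
        {"items": [_item("2021-05-02T11:30:00.000Z", "us-only")]},
}

def created_access_levels(fetch=lambda uri: SAMPLE_PAGES[uri]):
    """Access-level names from every CREATE_ACCESS_LEVEL_V2 event, across all pages."""
    events = iter_events(fetch, "admin", "CREATE_ACCESS_LEVEL_V2")
    return [p.get("ACCESS_LEVEL_NAME") for _, _, name, p in events if name == "CREATE_ACCESS_LEVEL_V2"]
```

Against a real tenant, call `created_access_levels(lambda uri: http_fetch(uri, TOKEN))`; the Playground token expires after about an hour, so production code should obtain tokens through a proper OAuth client instead.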

Related

Integrate AWS Cognito with Google Workspace using SAML integration

I have some applications served to my company users on EKS (i.e., Jenkins). In the company we use Google Workspace (G Suite) for email and such. So I want to allow users to log in with Google credentials to those applications I serve. I figured out I could use Cognito to achieve it, but I cannot connect them and the flow ends with Google showing 403. Error: app_not_configured_for_user. In their documentation I can find:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
But how do I debug it? I do not see any logs from either the AWS or Google side :/
I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page, but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar, so I guess I shouldn't have problems, but I do.
What I did:
In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
I downloaded metadata file
In AWS Cognito console I created User Pool
I created IdP provider and uploaded metadata file there
I created application client
Using those values I filled fields ACS URL and Entity ID in Google Admin using values:
ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
I also selected the Name ID format to be Persistent
In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
In AWS Cognito I enabled HostedUI and also created mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to email field.
And now when I click View Hosted UI in the AWS console it redirects me to Google authentication and after that directly to the aforementioned 403 app_not_configured_for_user page.
I tried it 3 times with slightly different configurations of mapping, signed responses, etc., but nothing gets me past that error.
Anyone tried to integrate it?
How to troubleshoot the 403 app_not_configured_for_user error related to SAML apps from the Google Workspace Admin console
The first thing you need to do is to grab a HAR file recording the whole login process and find the SAML request. The steps can be found here.
Once you get the file you can open it using that tool and search for SAMLreq at the top right (see image).
After that you will get a list of values containing information. You will have to check them one by one until you find the one that has the SAML request in the request tab (see example below).
Once you get the value from the SAML request, copy it and you can use this tool to do a SAML decode and find the entity ID. You can use Ctrl + F and search for saml:Issuer to find the value faster. If the value does not match, then you know you have an error and you will need to contact the support team from the app to see which value is the correct one.
In case the value matches I would recommend opening a ticket to check with Google.
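The decode-and-compare step from the answer above can be scripted so the case-sensitive check is not done by eye. This is an added example, not code from the answer: it takes the redirect URL found in the HAR, handles both SAML bindings (HTTP-Redirect uses raw DEFLATE plus base64, HTTP-POST uses base64 only), pulls out saml:Issuer and compares it with the Entity ID from the question. The AuthnRequest and URL are constructed, and the idpid value is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote, urlparse

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_saml_request(value):
    """HTTP-POST binding is plain base64; HTTP-Redirect is raw DEFLATE, then base64."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode()
    return zlib.decompress(raw, -15).decode()  # wbits -15: raw deflate, no zlib header

def extract_issuer(xml_text):
    """Return the saml:Issuer of the AuthnRequest, the value Google compares with the Entity ID."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("saml:Issuer element missing or empty")
    return issuer.text.strip()

def issuer_from_redirect_url(url):
    """Take the SAMLRequest parameter straight from the redirect URL recorded in the HAR."""
    qs = parse_qs(urlparse(url).query)
    return extract_issuer(decode_saml_request(qs["SAMLRequest"][0]))

def issuer_matches(url, expected_entity_id):
    """Exact, case-sensitive comparison, as the Google Admin documentation requires."""
    return issuer_from_redirect_url(url) == expected_entity_id

# Constructed AuthnRequest carrying the placeholder Entity ID from the question.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
    'ID="_constructed" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">'
    "<saml:Issuer>urn:amazon:cognito:sp:us-east-1_myPoolId</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

def encode_redirect_binding(xml_text):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, then URL-escape."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode())

# Constructed redirect URL; a real one is the Google SSO URL the browser was sent to.
SAMPLE_URL = ("https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER&SAMLRequest="
              + encode_redirect_binding(SAMPLE_XML))
```

A mismatch in case alone (for example a pool id typed with different capitalisation) is enough to produce app_not_configured_for_user, which is why the comparison is exact rather than case-folded.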

404 error with Skyscanner rapid api to get flight infos

I cannot get a response from the Skyscanner API. Did I write something wrong?
https://skyscanner-skyscanner-flight-search-v1.p.rapidapi.com/apiservices/referral/v1.0/UK/GBP/en-GB/EDI/LHR/2021-05-26/2021-05-26?shortapikey=ra66933236979928&apiKey={shortapikey}
The endpoint you're trying to access doesn't exist. That's why it's returning 404.
Visit the homepage of Skyscanner API on RapidAPI Hub and take a look at the different endpoints it supports.
I believe you want an endpoint that returns flight information. Check out the endpoints available in the Browse Flight Prices category and pick the best one for you according to your needs.

Google cloud Rest API to retrieve tenant id

I have an api_key for my project on Google Cloud and I am able to generate an authorization code via the client_id and subsequently an auth token using the authorization code.
What is the REST API call to retrieve tenant information? Can anyone please post a curl command for that?
Have a look at the documentation about how to get the tenants list using the API; even more, you can test it yourself using the pane on the right.
Another piece of documentation you might be interested in to help you understand how this particular API works and what kind of reply you might expect.
A more general explanation of how to construct API requests can be found here.

How to validate signature on the token on SPA using Azure and Django?

I am trying to use the Microsoft Outlook mail API in our web application.
I followed this tutorial https://learn.microsoft.com/en-us/outlook/rest/javascript-tutorial first, but an important thing is skipped in it.
[Skipped part]
https://learn.microsoft.com/en-us/outlook/rest/javascript-tutorial#using-the-id-token
This sample won't do all of the required validations listed in the OpenID spec. Most notably, it won't validate the signature on the token. Currently requesting the signing keys from Azure would require a server-side component, so we'll skip that step for the sake of simplicity. However, production apps should not skip this important step!
In the example code:
// Per Azure docs (and OpenID spec), we MUST validate
// the ID token before using it. However, full validation
// of the signature currently requires a server-side component
// to fetch the public signing keys from Azure. This sample will
// skip that part (technically violating the OpenID spec) and do
// minimal validation
I have a server-side component created with Django, but I'm not sure how to fetch the public signing keys from Azure.
The actual feature I am implementing is sending email via an HTML form. I chose to implement this feature on the client side for several reasons. It's working and I'd like to make authentication secure before deployment.
Just to clarify, I followed the tutorial above and used code from this repo to access the Outlook API instead of Microsoft Graph. The repo is introduced at the beginning of this tutorial.
Thank you in advance.
You have to find the jwks or cert endpoint in Azure by checking the well-known configuration for Azure (something like this). You'll be able to find all the active and enabled keys at the jwks endpoint in JSON format. You can parse those values inside your application and select the required key.
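The server-side piece described in the answer, as an added example that is not from the tutorial or the answer: it resolves Azure's OpenID discovery document to its jwks_uri, picks the JWK whose kid matches the token header, and hands that key to PyJWT for the full signature/exp/aud/iss check. The discovery and keys URLs are the ones Azure publishes for the "common" endpoint used by the tutorial; the JWKS, kid values and tokens below are constructed so the key-selection logic runs offline, and PyJWT plus cryptography are assumed to be installed only for `verify_id_token`.

```python
import base64
import json
from urllib.request import urlopen

DISCOVERY = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"

def fetch_json(url):
    with urlopen(url) as resp:
        return json.load(resp)

def load_jwks(tenant="common", fetch=fetch_json):
    """Discovery document -> jwks_uri -> list of JWK dicts. Cache it; refetch on an unknown kid."""
    conf = fetch(DISCOVERY.format(tenant=tenant))
    return fetch(conf["jwks_uri"])["keys"]

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def unverified_header(token):
    """The header is read before verification only to choose the key, never to trust claims."""
    return json.loads(_b64url_decode(token.split(".")[0]))

def select_key(jwks, token):
    """Match the token's kid against the JWKS and refuse anything but an RS256 RSA key."""
    hdr = unverified_header(token)
    if hdr.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {hdr.get('alg')!r}")
    for key in jwks:
        if key.get("kid") == hdr.get("kid") and key.get("kty") == "RSA":
            return key
    raise LookupError(f"no RSA key with kid {hdr.get('kid')!r}; refresh the JWKS and retry once")

def verify_id_token(token, jwks, audience, issuer):
    """Full validation with PyJWT (pip install pyjwt cryptography): signature, exp, aud and iss."""
    import jwt  # PyJWT; imported here so key selection above runs without it
    public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(select_key(jwks, token)))
    return jwt.decode(token, public_key, algorithms=["RS256"], audience=audience, issuer=issuer)

# Constructed JWKS and discovery documents (kid values and key material are made up).
SAMPLE_JWKS = [
    {"kty": "RSA", "use": "sig", "kid": "key-A", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "key-B", "n": "AQAB", "e": "AQAB"},
]
KEYS_URL = "https://login.microsoftonline.com/common/discovery/v2.0/keys"  # Azure's jwks_uri for "common"
SAMPLE_DOCS = {DISCOVERY.format(tenant="common"): {"jwks_uri": KEYS_URL}, KEYS_URL: {"keys": SAMPLE_JWKS}}

def fake_token(header):
    """Header + empty payload + empty signature: enough to exercise select_key() offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({})}."
```

In the Django view, `audience` is your app's client ID and `issuer` is the issuer value from the same discovery document; rejecting any alg other than RS256 before the key lookup closes the classic "alg: none" and key-confusion mistakes.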

Does Google Apps Email Migration API v2 support 2 legged oAuth1?

Does the Google Apps Email Migration API v2 support 2 legged oAuth1?
I've looked at this answer, but I believe it refers to the older version of the Email Migration API: Does Google Apps Email Migration API support 2 legged oAuth?
I have been able to authenticate an Email Migration API request using OAuth1 with tokens, but all of my 2-legged OAuth 1 attempts have failed. I have tried including xoauth_requestor_id and it has not had an effect.
There is some hinting in the docs that OAuth1 with tokens may be required, but I was hoping to confirm that that is the case.
For example the docs say: "If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key."
It seems clear there that "tokens" are referenced, however the word "token" is also used to describe the Authorization request header, so it is less clear that this means OAuth1 request tokens.
Any help is greatly appreciated. Thanks!
The section you are referring to doesn't seem up to date. You can have domain-wide delegation of authority using OAuth 2.0. It's called a Service Account. Once authenticated, you do exactly the same as you used to do with 2-legged OAuth 1.0.
Here are the steps you need to get started:
Go to Google Developer Console
Create a project if you don't already have one
Go to APIs & auth --> APIs and activate the Admin SDK
Go to APIs & auth --> Credentials and click CREATE NEW CLIENT ID
Select Service Account and click Create Client ID
Download the p12 private key file (and keep it safe!)
Go to your Google Apps Admin Panel
Go to Security --> Advanced Settings --> Manage OAuth Client Access (Direct URL: https://admin.google.com/AdminHome?#OGX:ManageOauthClients)
Enter the Client ID you just created along with the scopes you'll need, separated with commas (in your case, https://www.googleapis.com/auth/email.migration)
Go to your favorite language client library documentation and find how to authenticate using the private key file you downloaded earlier and also impersonate your domain users.
Hope that helps.