My company has a standard format for web apps, and I'm building a tool that programmatically provisions resources for new ones. The apps have federated login via Google, so I need to create a new OAuth2 web app clientId within Google/GCE. It can be done manually from the Credentials page like this, but I'd like to remove all manual steps from app setup.
So far I haven't been able to find any API endpoints or SDK functions that would allow me to create a new app, set its redirect url, etc. I have found the service account credentials API, but as far as I can tell that does not include functionality to provision new OAuth apps.
Is there an API I'm missing that can do CRUD operations on OAuth credentials/clientIds? Is there some other way to do this?
I have an existing suite of postman tests that previously ran against REST services hosted in Azure using Azure AD for Auth. Using the token endpoint (https://login.microsoftonline.com/{{tenantId}}/oauth2/token), I was able to obtain an Oauth token for an enterprise app (test app) that had deligate permissions for the application under test.
The apps have been moved to AWS and are now secured with Cognito. I have been unable to find an equivalent workflow that allows me to obtain a token without manual data being entered by the user.
The login endpoint requires me to manually enter the user name and password:
How do i integrate amazon cognito login in postman
and
I can setup an app and get an acceess token it does not give me permissions to the APIs, as I can not add the app to the user group with permissions.
https://lobster1234.github.io/2018/05/31/server-to-server-auth-with-amazon-cognito/
I have created a service account on Google Cloud Platform. I am using a standalone Java program which uses GCP Java Client API to get the Authentication Token ID by taking service account JSON file. By using the Token ID, I can create a compute instance.
I don't want to use Java API or gcloud tool, is there a REST API exists which takes required details and return Token ID?
I went through the GCP documentation and could not find any details for the authentication and authorization through REST using Service Account.
I have created a service account on Google Cloud Platform. I am using
a standalone Java program which uses GCP Java Client API to get the
Authentication Token ID by taking service account JSON file. By using
the Token ID, I can create a compute instance.
Using a service account is the correct and recommended method to authenticate and authorize software applications.
Note. The assumption here is that the software application is running on your systems under your control. If instead you are installing software on a user's desktop or system not under your control, then you would use Google OAuth 2.0 (Google Accounts) to obtain User Credentials to authorize your application.
Another method is to issue short-lived temporary credentials from a service account credential that are time limited. These short-lived credentials are created on your server and then handed to the client.
I don't want to use Java API or gcloud tool, is there a REST API
exists which takes required details and return Token ID?
You have the classic "Chicken or Egg" situation. You need credentials to authenticate and authorize otherwise anyone could create credentials. Google Service Account credentials provides this. To create service account credentials, use the Google Cloud Console or gcloud CLI to download the service account Json file.
I went through the GCP documentation and could not find any details
for the authentication and authorization through REST using Service
Account.
This question is confusing. Do you want to use Service Account credentials to authorize your Google API calls OR do you want to call a Google API to obtain credentials?
In the first case, once you create service account credentials, they are used to authorize your API calls. You add the Access Token to the HTTP header when making API calls.
For the second case, use Google OAuth 2.0 to obtain credentials. Google OAuth 2.0 uses Google Accounts for authentication. This method provides you with an Access Token (just like a service account) and a Refresh Token and Client ID token. You will need to add the Google Accounts user identity to your Google Cloud IAM which provides for authorization (privileges).
I am learning about AWS concepts, and want to deploy a complete serverless application.
Using the awsmobile tutorial, I have been able to deploy a very crude react app with user signup and signin (available here).
I see that by adding Google as a federated entity I can also enable Google Signin in the app.
My app, however, will only be relevant for Google user. As such, I want to only allow Google Sign-up (creating users) and Sign-In (logging existing users in).
When signing in using Google in the application, I see that no user is created in the Cognito database, nor in the dynamodb. Is that expected?
I would expect the user to be available.
Thanks
I have a backend that is serving android clients, authenticating them with IdToken sent from the android app.
Now, I need to authenticate a service running on aws that is using my apis. So I figured a service account would do the trick, using the private pem file to create a IdToken and send it along just as the android clients do. But I find no way of obtaining an IdToken with these credentials. Is this possible (preferrably in nodejs).
Or am I on the wrong path here?
I know this is older, but I found this question and it didn't lead me to the answer I ended up with.
I followed the guide in https://cloud.google.com/endpoints/docs/openapi/service-account-authentication#using_a_google_id_token with some mix of https://cloud.google.com/iap/docs/authentication-howto, which mentioned that the key to this was to include a target_audience claim in the generated JWT.
So, essentially I made a JWT that looked like:
{
"exp": 1547576771,
"iat": 1547575906,
"aud":"https://www.googleapis.com/oauth2/v4/token",
"target_audience": "https://example.com/",
"iss": EMAIL OF SERVICE ACCOUNT
}
and posted that to https://www.googleapis.com/oauth2/v4/token with params grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and assertion=<THE JWT>
Without target_audience the endpoint gave me an access token, but with it I got an id_token instead.
Grettings since 2020
I had problems in Java for take ID_TOKEN of a Google Service Account. My project had two years and i were using GoogleCredentials, fromStream method and a JSON credential, but this class didn't gave me ID_TOKEN, only access_token on a not JWT format.
I solved because on this years Google updated here java code for authentication, for take ID_TOKEN you must use this library https://github.com/googleapis/google-auth-library-java
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-credentials</artifactId>
<version>0.20.0</version>
</dependency>
And then use ServiceAccountCredential
String credPath = "/path/to/svc_account.json";
ServiceAccountCredentials sourceCredentials = ServiceAccountCredentials
.fromStream(new FileInputStream(credPath));
When you create this class, itself will authenticate with google and have a access_token,refreshToken...
For extract ID_TOKEN you must use this function:
String audience = "http://localhost"; //Your server domain
IdToken idToken = credential.idTokenWithAudience(audience, new ArrayList<IdTokenProvider.Option>());
String id_token = idToken.getTokenValue();
And with this you have a JWT token.
I hope this help people like me,that are trying get ID_TOKEN.
You cannot use service accounts generated for Google Cloud APIs to directly authenticate against your own APIs. How will you know which service account private keys are valid and which have been revoked? Google does not expose this information.
Service accounts are rather meant for delegation of credentials. When you access Google Cloud platform service, you will be authenticating with your google account credentials. You will not want to provision the very same credentials everywhere your running code needs to access any of the Google cloud services (i.e. Cloud APIs). Instead you create service accounts whose scope can be reduced to a subset of the scope of your google account credentials. This way a particular piece of code can be limited to only a few set of APIs.
Service Accounts
A service account is a special account that can be used by services
and applications running on your Google Compute Engine instance to
interact with other Google Cloud Platform APIs. Applications can use
service account credentials to authorize themselves to a set of APIs
and perform actions within the permissions granted to the service
account and virtual machine instance.
What are service accounts?
Service accounts authenticate applications running on your virtual
machine instances to other Google Cloud Platform services. For
example, if you write an application that reads and writes files on
Google Cloud Storage, it must first authenticate to the Google Cloud
Storage API. You can create a service account and grant the service
account access to the Cloud Storage API. Then, you would update your
application code to pass the service account credentials to the Cloud
Storage API. In this way, your application authenticates seamlessly to
the API without embedding any secret keys or user credentials in your
instance, image, or application code.
I know where your confusion stems, it is because service account also have the same OAuth model you are used to.
You can use service accounts to get access tokens and refresh them as needed, but the scope of authentication is at the very maximum limited to the surface of the Google Cloud APIs. You will not be able to mix and match your APIs with that.
Alternative is to either build your own authentication model (which is not so clear from your question when you say authenticating them with IdToken sent from the android app) or rely on something like Cloud endpoints which you create and manage APIs along with API keys for authentication.
As you already mentioned in one of your comments, you can follow the Service-to-Service authentication guide which describes how you can use Google Cloud Service accounts to authenticate with your APIs running on Google Cloud Endpoint.
It supports using Google ID JWT tokens. The caller will have to send the JWT to Google Token endpoints to obtain a Google ID token and then use this Google ID token in all of your requests. This approach also has the advantage that you only have to whitelist the Google ID token server in your API configuration.