I've gone through all the prereqs on Google's site.
Got and installed a SSL cert (from Let's Encrypt) on server.
Registered and verified the domain (yes, the https url) on Google Search Console (like https://example.org).
Added to the domain to my API Credential's Domain Verification.
topic='projects/myproject/subscriptions/mytopic'
sub='projecs/myproject/subscription/mysub'
client.projects().topics().create(topic=topic, body={}).execute()
client.projects().subscriptions().create(name=sub, body={'topic': topic, 'pushConfig': {'pushEndpoint': 'https://example.org/push-handler'}})
And I get back:
googleapiclient.errors.HttpError: https://pubsub.googleapis.com/v1/projects/myproject/subscriptions/mysub?alt=json returned "Invalid push endpoint given (endpoint=https://example.org/push-handler). Refer to https://cloud.google.com/pubsub/subscriber#create for more information.">
Also, I'm unable to create subscriptions from Google's Pub/Sub developer console. When I try, I get back a "Subscription cannot be added" notification. I am the full owner of this topic and project, with read and write permissions. I'm able to add pull subscriptions with no problem.
Any ideas on why? It seems like I'm not the only one hitting this.
Figured it out. I included the protocol (https://example.org) in the domain verification, instead of just example.org. It would have been nice of the domain verification tool provided some validation preventing this.
https://console.developers.google.com/apis/credentials/domainverification
Related
I'm trying to setup a VPN connection using a federated login with Google IdP following these instructions.
Previously, I had configured a saml-provider with Google and it worked fine to authenticate users to the AWS console through Google using ARN roles
WHen I setup the VPN connection, it successfully opens the browser and asks me to select my google account, but after selecting the account I'm getting an error message from Google
According to this help section
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
So this is a problem coming from AWS and not from me ? Is Google IdP compatible at all with VPN authentication ? (I found this doc that mentions compatibility with okta)
Edit
Thanks to some of the answers below, I managed to make it work with Google IdP. Here is a screenshot of relevant SAML Google app screens (note that for groups I ended up adding the employees department, but I guess anything else would have worked)
To be able to save an ACS URL starting with http:// in the G Suite interface, use the trick given by teknowlogist: open the inspector > network tab, perform the request to save an URL with https, then right-click copy it as cURL, replace https by http, paste in regular console, and you're good.
I found a workaround to not being able to input http://127.0.0.1:35001 as the ACS URL on the GSuite SAML app page. The Google admin console only does client-side validation for the https requirement, so you can use the Chrome console to monitor the network call made when modifying the ACS URL.
Then, you can copy this as a curl command and change https to http
#Ted Schroeder —
Previous approach (or, plain Google doesn't work)
I just used a reverse proxy:
mitmproxy \
--listen-port 35000 \
--mode 'reverse:http://127.0.0.1:35001' \
--set keep_host_header=true
If you change Google SAML's ACS URL to be https://127.0.0.1:35000 and click "Test SAML Login", Google will take you to https://127.0.0.1:35000, whose traffic will be redirected to http://127.0.0.1:35001. In the browser I get:
Authentication details received, processing details. You may close this window at any time.
However, using the SAML-tracer extension, I found that there was a URL mismatch (https://127.0.0.1:35000 vs. http://127.0.0.1:35001). Seems like the AWS VPN Client is broadcasting its expected URL as being http://127.0.0.1:35001. So this doesn't seem viable.
Current approach (or, Auth0+Google works)
I tried using Auth0 instead, and got it to work! There's a few hoops — for instance, create a new Auth0 application, go to Addons and enable SAML2 Web App, set Application Callback URL to http://127.0.0.1:35001, and then in Settings use the following:
{
"audience": "urn:amazon:webservices:clientvpn",
"mappings": {
"user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"email": "NameID",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"given_name": "FirstName",
"family_name": "LastName",
"upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"groups": "memberOf"
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"signResponse": true
}
Then users, if they download the VPN config from AWS and use the AWS VPN Client app, will be taken to an Auth0 login screen where they can login via Google. Voila! (And then for security, you need to add Auth0 Rules to grant only certain users/groups authorization.)
I don't have a full answer yet, but I have the beginnings of one and I actually got past the 403 error above. The key to all this can be found in the AWS Client VPN information here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
Look for the section entitled "Service provider information for creating an app".
The key is that these are the ACS URL and the Entity ID that need to be used. Unfortunately, G Suite won't let you set the ACS URL to a non-https URL and apparently the AWS Client VPN app won't provide a secure URL for the ACS URL (where the SAML Authenticate response goes).
So, if you set the Entity ID to "urn:amazon:webservices:clientvpn" and have the G Suite SAML app in place according to the instructions, you'll get past the 403. However, since the ACS URL can't be specified you get whatever error message you're likely to get from the ACS URL that the authentication response goes to.
Example scenario
If you set it to https://signon.aws.amazon.com/saml" like you would for AWS Console SSO, you get an error from the AWS sign in that the SAML response was invalid.
And if you set it to https://127.0.0.1:35001 then you get a message from the browser that the "site can't provide a secure connection".
If anybody gets any further with this, I'd love to hear about it. In the meanwhile, I'm going to be looking into non-AWS OpenVPN clients that might actually support G Suite as a SAML IdP.
#alexandergunnarson
Since I don't have the ability to comment (thanks so much for making this easy stackOverflow) I had to edit my answer to get it past the censors.
Unfortunately, we don't have, and probably won't have for some time, G Suite Enterprise because it's too expensive for our startup environment. So OIDP is not a viable option for us now. I figured this would work. Good to know that it does.
I was too having the same issue. In my case, I needed to turn on the two-factor authentication for the account that I was trying to log in with.
I am attempting to connect to the Google Analytics API using Matillion ETL on an AWS EC2 instance in an effort to load a data lake.
When I try to add the callback URL into the Google Developer Console http://ec2-99-99-99-99.compute-1.amazonaws.com/oauth_redirect.html, I get the error:
"Invalid Redirect: domain must be added to the authorized domains list before submitting."
I do have amazonaws.com added to the Authorized Domains on the OAuth Consent screen. If I add, compute-1.amazonaws.com/oauth_redirect.html, it accepts it. So I know it's recognizing amazonaws.com, but not for my specific EC2 instance
I was thinking it was because it's a sub-sub-domain, but I'm not sure if that matters. Based on other posts such as this other people have been able to connect.
I've also tried adding a new record set in Route 53 instead of the AWS provided URL, but I don't know how to change the default callback URL in Matillion. I've sent their support team a separate question about that, and will let you know if that resolves it.
I do think this is a problem on the Google side that should resolve it though. Could there be some setting in the Google console that I'm missing to allow this?
Edit: Using the Route 53 URL instead when signing into Matillion will force the OAuth config to use that instead when getting the callback URL. I'm able to connect to Google Analytics now. I will leave this post up in case anyone else runs into the subdomain.subdomain.domain.com issue with Google
As suggested in https://stackoverflow.com/a/36112649:
You can use free DNS by http://xip.io/. So for IP 99.99.99.99 use
http://99.99.99.99.xip.io/callback. And it would be resolved to
http://99.99.99.99/callback.
Further, make sure the redirect URI in the .env file or other similar configuration in AWS is set to http://99.99.99.99.xip.io/callback.
Is it possible to setup a pubsub topic/subscriber in one project that does a http PUSH to a cloud function in the same OR in another google project? I know there are PubSub triggers but these do not work when the pubsub topic is in another google project. Curious if this even doable with a subscriber PUSH.
Error I get thiis pubsub error INVALID_ARGUMENT if I try to create it. I wasn't sure if this was because I needed to register the endpoint (https://cloud.google.com/pubsub/docs/push#other-endpoints). However that didn't feel right because when I create a function, the URL is given to me automatically and I can hit it via Postman.
I did find this link (GCP - Verify ownership of a cloud function https endpoint for a PubSub push) and think it is url-verification related.. just want a confirmation :)
Thoughts? Did I miss some documentation somewhere?
EDIT: I think it's related to URL verification as well as using the ../_ah/push-handlers/.. path. When I register a PubSub trigger, the delivery type to the function is still a PUSH but it's to a encoded url with more of a path: https://{hash}-dot-{hash}.appspot.com/_ah/push-handlers/pubsub/projects/{project-id}/topics/prototype-contact-created?pubsub_trigger=true
This was a solution I was given here: https://github.com/googleapis/nodejs-pubsub/issues/118
You need to verify this URL by going on your Google Cloud Console, API
& Services, Credentials, then the Domain Verification tab. Add the url
of your Cloud Functions. You will need to do that for each and every
one.
Then, make sure that in the Search Console, you select the META TAG
verification method, and response with that on GET requests.
if (req.method === 'GET') {
// mine is in a settings file but you can hardcode yours for testing purposes
return res.send(`<html><head><meta name="google-site-verification" content="${settings.google.siteVerificationCode}" /></head><body></body></html>`)
}
I'm doing PoC of some GSuite custom solution which needs to listen to changes on users resource. I've created a GSuite account, linked it (and verified) with mytestdomain.com. It's also verified in API console. Basically followed instructions from https://developers.google.com/admin-sdk/directory/v1/guides/push
and fulfilled all requirements from there.
Unfortunately when I try to register my web hook I'm getting following error:
Watch request denied by backend [403]
Errors [
Message[Watch request denied by backend] Location[ - ] Reason[watchDenied] Domain[push]
]
I stuck with it and don't know where too look for more details about that error.
I'm using a certificate generated by Let's encrypt, but tested it with https://www.ssllabs.com/ssltest/ and got rank A. How to check if Google API treats Let's Encrypt as trusted CA?
Problem wasn't anyhow related to Let's Encrypt certificates. They're working just fine with Google's push notifications. I've contacted with Google support and with their help I've established that sending a request with showDeleted parameter set to true was a root cause of above problem.
Support guy claimed that documentation was copied from list method and that parameter cannot be used with watch method and they're going to update docs of watch method in API reference. (However it's still there).
I'm trying to use WSO2 API Manager 1.10.0 on an existent micro-services project with REST APIs following WSO2 tutorial.
I have installed it on my computer as well as a copy of my application and configured AM to manage requests (GET, POST and DELETE) to my resource but I always obtain a "Response code 0" with Response Header
{
"error": "no response from server"
}
Trying to contact my application using Advanced REST Client I obtain 200 with the correct result.
My APIs use a token inside the header to authenticate the user passed so I have implemented a dummy API without authentication but I still have the same issue.
I have tried also the Cloud version with our test server but still obtaining the same result.
I found this guide http://wso2.com/blogs/cloud/video-setting-up-custom-url-for-api-store-and-gateway/ but I don't know if this can be a solution for the problem in localhost.
Setting up the custom url in WSO2 API Cloud wont help. Thats there for a different purpose. There are two things you can do.
If you are interested in going ahead with the cloud version, you can get help from them. You can send a support request and the cloud team will help.
You can troubleshoot your local instance. When doing so, first, try to invoke your api via curl and see whether it gets a response. Sometime, your api can work fine, but due to some reasons, the result might not reach the api console.
If the curl works fine or not, you can check the logs to see whether there are any errors printed. Some more questions:
Is your backend service exposed via http or https?
If it is https, then if its certificate is not a CA signed one, API Manager will fail during the handshake. If so, you will have to add the cert to api managers client-truststore.jks
In the cloud scenario, your backend should be accessible from internet and the certificate story is valid for cloud too.
Are you trying to access the api using swagger console (or any web application). There are couple of reasons you could encounter this issue. one could be certificate not installed in the browser.
If this happens you should see some error log in the api manager console (something related to CA not found). for that first you can copy the backend url (swagger console shows the url it used to send the request) and paste it on a new browser window and install the certificate to the browser.
also you can get an idea about the issue by using a tool like firebug and check the request. (it will show the error for not connecting the AM)
Finally I have found the issue: the API Manager does not accept plain text response, responding using a JSON solves the problem.
Using other mediatype such as XML or TEXT/HTML it reports 406, with text plain it returns Error 0.