We can't get reseller API calls working using a service account. The steps on the link:
https://developers.google.com/drive/delegation#delegate_domain-wide_authority_to_your_service_account
were followed without any luck.
With regards
When performing service account authentication against the directory or reseller API, you must impersonate a Google Apps user within the instance who has the proper permissions to make the API calls. This is done via the prn parameter as described in the service account documentation. How you specify the prn user will differ by client library.
Yes, this now works. Just in case you use the PHP library (from Google), here's how it should look:
// Google API PHP client (v1.x): service account credentials with domain-wide delegation
require_once 'Google/autoload.php';
$cred = new Google_Auth_AssertionCredentials(
    'e-mail from the API user',                     // the service account's e-mail address
    ['https://www.googleapis.com/auth/apps.order'],
    file_get_contents('/path/to/your-key.p12'),     // content of your P12 key file
    'notasecret',                                   // default password of the P12 file
    'http://oauth.net/grant_type/jwt/1.0/bearer',
    'the-email@of-the-real-account.com'             // domain user to impersonate (the prn/sub)
);
$client = new Google_Client();
$client->setAssertionCredentials($cred);
Related
I have added these 2 identity providers (refer attached images) to Google Cloud --> Identity Platform:
Email/Password
OIDC Connect (oidc provider)
Now, if you look, there is a Users section as well under Identity Platform.
So I have added some random users which are non-Gmail users (refer image), like xyz@abc.com, which I want to authenticate with the help of Google Cloud (i.e. when this user comes to log in, I will hit the API endpoint /login and, in the login server-side code, I will redirect to Google Cloud to authenticate this user using the OIDC authorization flow).
I need Java code to:
Using some Java code, first choose the provider as the OIDC provider (oidc-auth-provider).
Make a call to Google Cloud which should use this provider (oidc-auth-provider).
This oidc-auth-provider should look up the users which I have created under the Users section (refer image).
Google Cloud, after verifying the user exists, should send back an auth code.
Using the auth code I will call back to Google and get the ID token/JWT token.
I was referring to this link :
https://cloud.google.com/identity-platform/docs/web/oidc
If you search for the section "Signing in users with OAuth" on the page, that is exactly what I am looking for, but the problem is that it gives a UI code example using the Firebase API to create an OAuthProvider instance (which will choose the provider), whereas I need a server-side code example instead. I am not sure if I can use this Firebase API in server-side Java code for a web application? Any suggestion on how I can do similar things from server-side Java code?
Added providers under Identity Platform
Added users manually which I wanted to authenticate
I'm using Zapier and am trying to create a new user in Google.
The documentation is pretty unclear.
This is the request I'm making:
Now I understand that I need to add authorization to the request.
How do I authorize the request? I created an API token in Google Cloud, but this doesn't work as a GET parameter.
Is the request right? Do I have to change something?
Thank you for your help.
Posting DalmTo's comment for visibility.
This appears to be using the Directory Admin API for Workspace accounts. You can consult the Admin SDK: Directory API docs for this.
As it's creating Google Workspace users, you may want to try using a service account authorization.
For an example of an API request, select the necessary endpoint and method, e.g. asps.get, and use the API Explorer to test your requests.
Basically I want the below flow in the application.
I have created one user pool in Cognito and configured it.
I want to integrate Cognito authentication and authorization with the below flow.
Register a new user by using the Cognito signUp API via Postman (I don't want to use the hosted UI).
Once the user is successfully registered in Cognito,
the user will call the Cognito login API via Postman. On successful login, Cognito will return an access_token.
I will use that access token in all subsequent requests to make sure the user is authenticated and authorized.
The main thing here is I do not want to use the hosted UI given by Cognito. I want to achieve this via API calls.
I am not sure what I need to do to achieve this. You can tell me if any more steps are needed before the first step I wrote, like authorizing my app or anything like that.
I understood I need to authorize my app before it uses the signUp API, but I am not sure about the exact flow and process, or in which manner I need to perform the steps.
Please guide.
There are AWS SDKs available for different platforms. You need to implement one of them according to your backend technology, expose your API and test it out in Postman. Please go through this link docs.aws.amazon.com/cognito-user-identity-pools/latest/… There are SDK links at the bottom.
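As an added worked example (not from the answer above and not AWS code): the API-only flow the question describes, in Python against the cognito-idp operations every AWS SDK exposes (SignUp, ConfirmSignUp, InitiateAuth with the USER_PASSWORD_AUTH flow). There is no separate "authorize my app" step: the app client ID, plus a SECRET_HASH when the app client has a secret, identifies the app to the user pool, and USER_PASSWORD_AUTH has to be enabled on that app client. The client object is injected, so the same functions work with `boto3.client('cognito-idp')`; `FakeCognito` is a constructed in-memory stand-in so the example runs offline, and the pool and app-client values are placeholders.

```python
import base64
import hashlib
import hmac
import secrets


class CognitoClientError(Exception):
    """Stands in for the botocore exceptions a real client raises."""


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH Cognito requires when the app client has a client secret:
    Base64(HMAC-SHA256(key=client_secret, message=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sign_up(client, client_id, client_secret, username, password, email):
    """Step 1: SignUp. Returns (UserSub, confirmed); a new user stays unconfirmed
    until the code sent to them is submitted with ConfirmSignUp."""
    resp = client.sign_up(
        ClientId=client_id,
        SecretHash=secret_hash(username, client_id, client_secret),
        Username=username,
        Password=password,
        UserAttributes=[{"Name": "email", "Value": email}],
    )
    return resp["UserSub"], resp.get("UserConfirmed", False)


def confirm_sign_up(client, client_id, client_secret, username, code):
    """Step 2: ConfirmSignUp with the verification code."""
    client.confirm_sign_up(
        ClientId=client_id,
        SecretHash=secret_hash(username, client_id, client_secret),
        Username=username,
        ConfirmationCode=code,
    )


def login(client, client_id, client_secret, username, password):
    """Step 3: InitiateAuth with USER_PASSWORD_AUTH. Challenges (MFA,
    NEW_PASSWORD_REQUIRED) would need RespondToAuthChallenge; not handled here."""
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={
            "USERNAME": username,
            "PASSWORD": password,
            "SECRET_HASH": secret_hash(username, client_id, client_secret),
        },
    )
    if "AuthenticationResult" not in resp:
        raise CognitoClientError("challenge required: %s" % resp.get("ChallengeName"))
    result = resp["AuthenticationResult"]
    return {"access_token": result["AccessToken"], "id_token": result["IdToken"],
            "refresh_token": result.get("RefreshToken"), "expires_in": result["ExpiresIn"]}


def bearer_header(access_token):
    """Step 4: every later request to your own API carries the access token."""
    return {"Authorization": "Bearer " + access_token}


class FakeCognito:
    """Constructed in-memory stand-in for boto3.client('cognito-idp'). It mimics
    the checks Cognito makes: SECRET_HASH must match, password must match, and
    login before confirmation fails."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.users, self.last_code = {}, None

    def _check_hash(self, username, given):
        expected = secret_hash(username, self.client_id, self.client_secret)
        if not hmac.compare_digest(expected, given):
            raise CognitoClientError("NotAuthorizedException: bad SECRET_HASH")

    def sign_up(self, ClientId, SecretHash, Username, Password, UserAttributes):
        self._check_hash(Username, SecretHash)
        if Username in self.users:
            raise CognitoClientError("UsernameExistsException")
        self.users[Username] = {"password": Password, "confirmed": False,
                                "sub": secrets.token_hex(16)}
        self.last_code = "%06d" % secrets.randbelow(1_000_000)  # "e-mailed" code
        return {"UserSub": self.users[Username]["sub"], "UserConfirmed": False}

    def confirm_sign_up(self, ClientId, SecretHash, Username, ConfirmationCode):
        self._check_hash(Username, SecretHash)
        if ConfirmationCode != self.last_code:
            raise CognitoClientError("CodeMismatchException")
        self.users[Username]["confirmed"] = True
        return {}

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        self._check_hash(AuthParameters["USERNAME"], AuthParameters["SECRET_HASH"])
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise CognitoClientError("NotAuthorizedException")
        if not user["confirmed"]:
            raise CognitoClientError("UserNotConfirmedException")
        return {"AuthenticationResult": {
            "AccessToken": "access." + user["sub"], "IdToken": "id." + user["sub"],
            "RefreshToken": "refresh." + user["sub"], "ExpiresIn": 3600,
            "TokenType": "Bearer"}}
```

With a real pool, replace `FakeCognito(...)` by `boto3.client("cognito-idp", region_name=...)` and nothing else changes; the access token returned by `login` is what the backend should then verify (signature against the pool's JWKS, `client_id` and expiry) on each request before trusting its `cognito:groups` or scopes for authorization.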
I have a web app where the front-end layer has an Angular-based UI. It has both public pages and other private pages which are accessible to logged-in users, and it depends on the roles of the logged-in users as well.
My server-based application is a Java-based REST service API.
How can I use WSO2 to handle user authentication and role-based authorisation? I would like to have an additional layer of API security depending on the role of the user as well.
Can someone explain the best architecture for this in WSO2?
If I use WSO2 API Manager, how can I handle logins of the user and how do I relate API access with the role of the logged-in user?
Thanks in advance
You can use WSO2 App Manager to control the access of any web apps [1]. App Manager supports role-based access control as well as XACML policy-based access control. In order to provide API-level role-based security you can use scopes [2] in WSO2 API Manager.
[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.
Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only the endpoint URLs are different in APIM, like this:
Token: https://localhost:8243/token
Revoke: https://localhost:8243/revoke
Authorize: https://localhost:8243/authorize
There, when a user logs in, you get an ID token which contains user claims. You can allow/deny page views depending on that data.
In the above step, you create an SP and generate a client key-secret pair. You can set the same keys in APIM's application. Read this.
Then, as I mentioned here, you can use scopes to secure your APIs by roles.
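As an added example, not code from either answer and not WSO2's own code: the OpenID Connect authorization-code login described above, in Python, using the APIM endpoint URLs quoted in the answer. It also covers the earlier Identity Platform question, which asks for the same three steps (redirect to the provider, callback carrying the auth code, code-for-ID-token exchange) from server-side code; only the endpoint URLs differ. The client id, redirect URI, the dict used as session store and the `roles` claim name are assumptions, and the signature check of the ID token is left to a JWT library. What the code does show is the part libraries often leave to the application: binding `state` and `nonce` to the session so a callback or an ID token from someone else's login attempt is rejected, then deriving page access from the verified claims.

```python
import secrets
import time
import urllib.parse

# Endpoints quoted in the answer above (APIM); the client values are constructed.
AUTHORIZE_URL = "https://localhost:8243/authorize"
TOKEN_URL = "https://localhost:8243/token"
CLIENT_ID = "example-client-id"                      # the SP's client key (assumed)
REDIRECT_URI = "https://app.example.com/callback"    # assumed


def start_login(session):
    """Step 1: bind a fresh state and nonce to the server-side session and build
    the redirect to the provider's authorization endpoint."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def handle_callback(session, query_string):
    """Step 2: the provider redirects back with ?code=...&state=... Reject the
    callback unless state matches the one bound to this session, then return
    the form body to POST to TOKEN_URL (client secret goes in HTTP Basic auth)."""
    params = dict(urllib.parse.parse_qsl(query_string))
    expected = session.pop("oidc_state", None)   # single use
    if not expected or not secrets.compare_digest(expected, params.get("state", "")):
        raise PermissionError("state mismatch: callback not bound to this session")
    if "error" in params or "code" not in params:
        raise PermissionError("provider returned %s" % params.get("error", "no code"))
    return {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def validate_id_token_claims(claims, session, issuer, now=None):
    """Step 3: the token response carries id_token. After its RS256 signature
    has been verified against the issuer's JWKS (JWT library, not shown), check
    the claims that bind the token to this client and this login attempt."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise PermissionError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("id_token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("id_token expired")
    expected_nonce = session.pop("oidc_nonce", None)   # single use
    if not expected_nonce or not secrets.compare_digest(
            expected_nonce, str(claims.get("nonce", ""))):
        raise PermissionError("nonce mismatch: replayed or foreign id_token")
    return claims


def can_view(claims, required_role):
    """Step 4: allow/deny a page from the user's claims. The claim name `roles`
    is an assumption; WSO2 lets you pick which claims appear in the ID token."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):                      # some providers send a CSV string
        roles = [r.strip() for r in roles.split(",")]
    return required_role in roles
```

The `session` argument is whatever server-side session your framework gives the request; it must be the same object on the redirect and on the callback, which is why both `state` and `nonce` are stored there and popped on first use.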
Does the Google Apps Email Migration API v2 support 2-legged OAuth1?
I've looked at this answer, but I believe it refers to the older version of the Email Migration API: Does Google Apps Email Migration API support 2-legged OAuth?
I have been able to authenticate an Email Migration API request using OAuth1 with tokens, but all of my 2-legged OAuth1 attempts have failed. I have tried including xoauth_requestor_id and it has not had an effect.
There is some hinting in the docs that OAuth1 w/ tokens may be required, but I was hoping to confirm that that is the case.
For example the docs say: "If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key."
It seems clear there that "tokens" are referenced, however the word "token" is also used to describe the Authorization request header, so it is less clear that this means OAuth1 request tokens.
Any help is greatly appreciated. Thanks!
The section you are referring to doesn't seem up to date. You can have domain-wide delegation of authority using OAuth 2.0. It's called a Service Account. Once authenticated, you do exactly the same as you used to do with 2-legged OAuth 1.0.
Here are the steps you need to get started:
Go to Google Developer Console
Create a project if you don't already have one
Go to APIs & auth --> APIs and activate the Admin SDK
Go to APIs & auth --> Credentials and click CREATE NEW CLIENT ID
Select Service Account and click Create Client ID
Download the p12 private key file (and keep it safe!)
Go to your Google Apps Admin Panel
Go to Security --> Advanced Settings --> Manage OAuth Client Access (Direct URL: https://admin.google.com/AdminHome?#OGX:ManageOauthClients)
Enter the Client Id you just created along with the scopes you'll need, separated with commas (In your case, https://www.googleapis.com/auth/email.migration)
Go to your favorite language client library documentation and find how to authenticate using the private key file you downloaded earlier and also impersonate your domain users.
Hope that helps.
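The last step above, authenticating with the downloaded key file and impersonating a domain user, is also the missing piece in the reseller API question at the top of this page (the `prn` parameter) and in the Directory API question about creating users from Zapier. The following Python is an added example, not code from any of the answers or from Google's client libraries: it builds the JWT assertion that a service account exchanges for an access token, with the impersonated user carried in the `sub` claim (older documentation names it `prn`). The service account address, scopes and user in the test are constructed placeholders; the token endpoint is Google's current one, and the RS256 signer assumes the `cryptography` package and a PEM export of the P12 key.

```python
import base64
import json
import time

# Google's current OAuth 2.0 token endpoint; it is also the assertion's audience.
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data):
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_claims(service_account_email, scopes, impersonate=None, now=None, lifetime=3600):
    """Claim set of the assertion. `impersonate` is the domain user the API calls
    run as (the page's `prn`, now named `sub`); it must be covered by the client
    id / scope grant made in the admin panel. Without it the token represents
    only the service account itself, which has no Google Apps data of its own."""
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else now
    claims = {
        "iss": service_account_email,
        "scope": " ".join(scopes),      # space-delimited, same scopes as in the admin panel
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    if impersonate:
        claims["sub"] = impersonate
    return claims


def signing_input(claims):
    """header.payload, both base64url(JSON); this is the byte string that is signed."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims)


def build_assertion(claims, sign):
    """`sign(data) -> bytes` must return an RSA-SHA256 signature made with the
    service account's private key; rs256_signer builds one."""
    data = signing_input(claims)
    return data + "." + b64url(sign(data.encode("ascii")))


def rs256_signer(private_key_pem):
    """Signer backed by the `cryptography` package (imported lazily so the rest of
    the file runs without it). The PEM comes from the P12 file, e.g.
    `openssl pkcs12 -in key.p12 -nocerts -nodes -out key.pem` (password notasecret)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_body(assertion):
    """Form body to POST to TOKEN_URI; the JSON response carries access_token."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}


def decode_claims(assertion):
    """Read the claim set back out of an assertion for inspection (no signature check)."""
    return json.loads(b64url_decode(assertion.split(".")[1]))
```

The client libraries do exactly this under the hood, which is why every one of them has some parameter for the impersonated user (`prn`, `sub`, `user_email` or similar). If the user in `sub` is not covered by the client id and scopes entered on the Manage OAuth Client Access page, the token endpoint refuses the exchange rather than issuing a narrower token.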