I have provided the Manage Alerts and Read Alerts scopes to connectedApp to access platform apis. When trying to create alert using ConnectedApp credentials in platform APIs throwing an 403 error (Access Issue).
If I had given scope OrgAdmin and tested. It works fine
I don't want provide OrgAdmin to connectedApp . What are scopes do I need to add to create alert using platform APIs using connectedApp credentials
Related
I am trying to integrate a Google service account to my reactjs-Firebase project but I seem to not understand how to do it.
What I have tried:
I selected JSON as my KEY type for the service account and downloaded it to my system and tried to set it using Application default credentials. (didn't work)
but nothing seems to work.
and I don't understand how to use the service account to call API in this react-firebase project.
am I supposed to authenticate it using Application default credentials or some other method.
Expected result: Want to integrate service account to my reactjs-firebase project so that I can call API's without an API key
Actual result: not able to do that.
Thank you for your help.
You should never put a service account embedded on your front-end or any other secrets as anyone using developer tools in browser can see them.
The best approach for you should be the end user providing their credentials that need to be authenticated against your backend. In the backend if the user is authorized you can have access the service account information and make the calls you need.
Specifically on your Firebase you should use the Cloud Secret Manager and access if like this:
const functions = require('firebase-functions');
const { defineSecret } = require('firebase-functions/params');
const serviceAccount = defineSecret('SERVICE_ACCOUNT_KEY');
// get other secrets and do whatever you need...
There is a tutorial here on secrets.
Or you can go straight to the documentation here.
Using App Engine (Java) to add custom claims to a user's Firebase token as shown here. I'm using the Application Default Credentials as my project owner account. Running gcloud auth list shows that the correct account is active.
I've configured my Firebase settings in the app as follows:
// Error handling and try/catches omitted
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredentials(GoogleCredentials.getApplicationDefault())
.setProjectId("<my-app>")
.setDatabaseUrl("https://<my-app>.firebaseio.com/")
.build();
FirebaseApp.initializeApp(options);
Once this is set, I use the following code adapted from the example here.
Map<String, Object> claims = new HashMap<>();
claims.put("role", "admin");
fbInstance.setCustomUserClaims(usersFirebaseAccessToken, claims);
This throws the following error:
Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.
After seeing this, I reverted to the standard service account approach where instead of GoogleCredentials.getApplicationDefault(), I used ServiceAccountCredentials.fromStream(serviceAccountStream) where serviceAccountStream = new FileInputStream("path-to-service-account-file"). This complained about insufficient privileges despite having the Firebase Admin group in GCP IAM settings. The real issue, though, is that the Identity Toolkit docs here mention that the Identity Toolkit is being replaced by Firebase Authentication, which seemed to be the approach I was originally trying.
I'm interested to know what the error message above means by "end user". This seems to suggest that the GCP SDK is trying to authenticate as the user represented by the Firebase token but I'm almost certain this isn't what it means.
Is there something I'm missing in my Firebase config that's causing the system to think I'm the wrong user?
I would only like my "Supervisor" user to be able to create "Employee" users (unable to create their own) through a custom React App rather than go through the Cognito Console. The AWS Cognito Identity SDK's AdminCreateUser action is offered through AWS.CognitoIdentityServiceProvider, which seems more than available through a Node back-end and the AWS Management Console interface. And there is (teasingly) plenty of documentation on authenticating users that have already been created through the AdminCreateUser API. But, try to
import { CognitoIdentityServiceProvider } from 'amazon-cognito-identity-js';
And AFAIK (as far as I know), the action is not provided in React.
I'm considering using a hacky approach of defining 2 particular Cognito User Pool - User Groups Supervisor and Employee. Only users that belong to the Supervisor group will be able to access a registration screen (using protective React Routing) where the I can use the well-documented CognitoUserPool sub-SDK to create Employee users.
I am building up a login module, and am quite happy with how it is working using $firebaseSimpleLogin.
I have email/password, twitter, and facebook logins working and even able to link them to a single user profile (so a user may have multiple access points for their convenience).
Now that I am building up my Security Rules in the firebase forge, I am needing different data in my auth payload than simpleLogin provides.
I've started reading about custom token generators, but from what I am understanding, I would need to write my own authentication handlers, essentially duplicating the 3rd-party authentications that simpleLogin provides.
Is there an easier way to add custom data to my auth payload after the simpleLogin succeeds?
I have found a solution that uses $firebaseSimpleLogin for the password/facebook/twitter authentication and in its success callback, I use the FirebaseTokenGenerator to create my custom auth payload.
I am using UserService to allow my users to register and login.
We find that users for some reason would like to create a login on our own site without using their existing credentials.
I know UserService supports Google Friend Authentication and we can use Yahoo & other openids. However, I would like to know if we can add our authentication mechanism without becoming implementing as an open-id provider/producer.
If becoming a openid provider is only viable option, are there any recommended libraries for AppEngine.
Thanks.
How you do this depends entirely on how you've built your authorization system. Using the Users API directly, your only options are to use OpenID or Google Accounts (and only one per app, at any one time, not both). If you want more flexibility, you will need to build your own authorization subsystem, or use an existing one, which abstracts away different auth providers. See, for instance, webapp2's auth module.