Identity-Aware Proxy Authorization Error 403 org_internal - google-app-engine

I have a Python Streamlit app hosted in GCP via App Engine. Following this tutorial, I added an Idenity-Aware Proxy to secure the app.
The IAP is activated and the OAuth consent screen it set to internal.
In the IAP settings, I added myself and a fellow both with the "IAP-secured Web App User"-role.
While I can access the app after login with my associated google account, he gets and "Error 403: org_internal" error when login within his associated google account.
What I already tried:
Setting the OAuth consent screen to external (test mode) and added both of us
Adding him to our GCP organization
None of both approached worked. He just can't access the app after all.
Any ideas what I am doing wrong?

Related

How to unactive IAP in google cloud project?

I have a problem on a GCP Project
I Added IAP on the app. I allowed every user on the professional google domain.
I found that IAP was not a good solution. I finally removed IAP from the project. I un-toggled the functionality. And I removed the roles/members.
Now all the project crashes :
Cloud Build return that error when I Tried to deploy my services by triggers
"ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as 'ID#appspot.gserviceaccount.com'"
When I launch an http request to a service, the service doesn't create an instance.
I have that error "Waiting for network connection open. Subject:"app/invalid" Address:127.0.0.1:8080"
The account "ID#appspot.gserviceaccount.com" has an owner role.
I already checked the IAM roles it not seems to have one missing, I've checked with other projects, it seems good.
It's not the code of the app cause I tried in my laptop in local and the services works perfectly.
I've deployed my services with gcloud command, but the services are unreachable I have errors 500 cause my apps doesn't deploy.
I don't know which role I have to change in IAM to fix all the app.
This error means that Cloud Build service account can't act on behalf of App Engine service account. You can add this permission in Console-> Cloud Build-> settings enabling service account user role. There should have been some change recently that enabled this requirement for App Engine deployments.

firebase auth domain not authorized even after whitelisting domain

I am using Firebase Auth (firebase 4.1.3) in my Angular4 project with Google sign in enabled. While working on localhost everything works as expected. However, when deploying my app hosted on Google App Engine, authentication popup fails with the "auth/unauthorized-domain" error.
How can I whitelist my custom domain in Firebase?
Checks already done:
My firebase project has billing enabled and active
Google sign-in with pop-up works on localhost
Google app engine domain is already whitelisted in "Authorized Domains" under Sign-In method, in Authenticacion module of Firebase console.
Double checked the javascript firebase config in my angular app (I copy-pasted the snippet given by the firebase console).
In the Google Cloud Console, the default web API key has no access restrictions and the OAuth client id already contains my App Engine domain in the list of "Authorized JavaScript origins" and also in the "Authorized redirect URIs" (https://console.developers.google.com/apis/credentials?project=MYPROJECT).
Some other similar SO questions refer to checking the previous things and even waiting up to 20 mins after whitelisting a new domain to allow change propagation. But none of these advices worked for me.
NOTE: Full error code
{
code: "auth/unauthorized-domain"
message: "This domain (PROJECT.appspot.com) is not authorized to run this operation. Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab."
}
Any help would be appreciated.
Ok, Answering my own question. I finally found the problem: I was deploying an old version of the web app. So it will never work this way...
In case it could be useful to others, the above steps for configuring firebase Auth are correct and enough!
I was taking over an existing project, and I got this error while deploying with the wrong environment. (the domain was correctly setup in Firebase)
ng build --prod && firebase deploy
While was deploying on my Dev Environment.
I've scripted the deployment to avoid this kind of mistake.
ng build --configuration "${ENV}" && firebase deploy
where env var is set as an argument of the script
I have faced the same problem. Then I find Out the solution.
First goto your firebase project then click Authentication goto sign-in method then scroll down you will find Authorized domains add your live site link there. Hurrey Problem Solved.
Authentication > sign-in medhod > Authorized domains
firebase solution image

Firebase authentication timeout with Google account login

Please can anyone help with config/troubleshooting for Firebase authentication with GAE Python apps.
I've tried to get the Firenotes app working (https://cloud.google.com/appengine/docs/python/authenticating-users-firebase-appengine) but when the app loads there's a popup with the error: The operation has timed out. Dismiss.
The email authentication works fine, all OK: can login, save notes, logout.
The problem is with the Google OAuth login.
Clicking on the Google sign button gives an error:
This site can’t provide a secure connection.
firebaseapp.com didn’t accept your login certificate, or your login certificate may have expired.
ERR_BAD_SSL_CLIENT_AUTH_CERT
The project was imported into the firebase project and as far as I can tell the config of main.js and app.yaml is correct.
The GAE .appspot.com has been added to the OAuth authorized doamins
The same error is if running local or deployed to GAE.
If you go to the 'Overview' section of your firebase console. You can select to "add firebase to your web app". A screen pops up with the config information for the frontend main.js file.
Mind you, the apiKey in the client config needs to be set to the google cloud platform api key for the app engine project your using.
This will enable the login.

Can't assign SSL certificate to Google App Engine app

I've gone through all the steps of setting up an SSL certificate on a Google App Engine app with custom domain. It worked for our test app (URL: test.mycompany.com). Now I'm went through the exact same process with our demo site (URL: demo.mycompany.com). Google is not letting me assign the URL to the certificate.
Figured this out. This posting was most helpful: How do I enable SSL for custom domains on appengine?.
In short, first add the custom domain in the Google Apps admin. Don't add it to the Google App Engine Console. Then in the Google Apps Security settings upload the certificate and assign the URL to the certificate. Adding the custom domain to Google Apps Console after doing this.
Having the custom domain defined in GAE admin console first, produces the error, "We are unable to process your request at this time. Please try again later. (Error #1000)".

Google App Engine authorization with Google Apps Domain

I have successfully followed the examples to gain an AuthSub token to authorize my GAE application to have access to the user's Google Calendar.
I have added the domain parameter to the method gdata.auth.generate_auth_sub_url so that the application is authenticated against a Google Apps Domain user. The app is then installed in one of our test domains.
This is working fine, however, each user in the domain has to go through the process of authorizing the app to use the calendar. In other Marketplace Apps that I have tried, this authorization is done once for the whole domain when the app is installed.
How is this achieved?
This page describes how Marketplace apps can access the gdata APIs on a user's behalf.

Resources