I deploy a node project to APP Engine, and I can use it normally, but when I try to turn on the IAP, some issues arise:
Error: deleted_client
The OAuth client was deleted.
Request Details
client_id=252592340030-jcass7dq1dnc1ia8is9aic1m7g1bnemq.apps.googleusercontent.com
response_type=code
scope=openid email
redirect_uri=https://iap.googleapis.com/v1/oauth/clientIds/252592340030-jcass7dq1dnc1ia8is9aic1m7g1bnemq.apps.googleusercontent.com:handleRedirect
code_challenge=DPS4im9C-3zJSkHAg7zhvht9WfvIbrrPJ3eUh6dqKAw
code_challenge_method=S256
cred_ref=true
state=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InpRSk45dyJ9.eyJyZnAiOiJ1SFB2NU45NjE3SHFTSnoySFdBQ1FaSWhuclJJT3dVaWJzNEdSMm9oZmZFIiwiaXNzIjoiaHR0cHM6Ly9jbG91ZC5nb29nbGUuY29tL2lhcCIsImF1ZCI6IjI1MjU5MjM0MDAzMC1qY2FzczdkcTFkbmMxaWE4aXM5YWljMW03ZzFibmVtcS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsInRhcmdldF91cmkiOiJodHRwczovL2ludGVybmF0aW9uYWwtZ3JhbWVyY3ktZGV2LmFwcHNwb3QuY29tL2FkbWluL2N1c3RvbWVyL19nY3BfaWFwL2F1dGhlbnRpY2F0ZSIsIm9yaWdpbl91cmkiOiJodHRwczovL2ludGVybmF0aW9uYWwtZ3JhbWVyY3ktZGV2LmFwcHNwb3QuY29tL2FkbWluL2N1c3RvbWVyIiwiaWF0IjoxNTY3MDQ4MzczLCJleHAiOjE1NjcwNDg5NzMsImVuY3J5cHRlZF9jb2RlX3ZlcmlmaWVyIjoiXHUwMDAwXHUwMDNlauVCjH1qcvWQXHUwMDFkWytcYl_OaFx1MDAxY1Jl-Db2pGBcdTAwMTMyXHUwMDI2U5GoXHUwMDFlcJdcdTAwMDa6-1x1MDAwMMWVcd06hTso-WLFXHUwMDAwuFx1MDAxYot9tYBt-SzbXCJcdTAwMTX5XHUwMDE0vElcdTAwMGK2iZ3qXHUwMDFmxO_KnbgsxiJ9.xH30mwUXqnoLxlVfmzw_BYHEB13gbMcY18O6A_fHxH29uTl9d9C-RgW1RpSNRjXJ3ak4gDQ7r00BJSaqf7F06Q
Someone can take a look? Thanks
I found another thread that seems to handle the The OAuth client was deleted error.
Error:invalid_client - The OAuth client was deleted even after having undeleted the API project
Related
I currently have App Engine up and running, protected by IAP, and my eventual aim is to have this be triggered by an Apps Script project. I've tested the code without IAP and it works fine. However, I'm running into difficulties successfully authorizing access to it when IAP is enabled.
I've added myself as an IAP-secured Web App User (as well as Policy Admin) to the App Engine, but whenever I try triggering it from a GSheets Apps Script where I'm the owner and it's associated with the correct GCP project (using this great explanation as a guide) I get the following:
"Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (1084708005908-bk66leo0dnkrjsh276f0rgeoq8ns87qu.apps.googleusercontent.com) doesn't match expected value (1084708005908-oqkn6pcj03c2pmdufkh0l7mh37f79po2.apps.googleusercontent.com))"
I've tried adding/removing various permissions to my account, as well creating a new Apps Script and re-adding to the project, but to no avail. I run into the same issue when triggering from CLI, so I'm fairly sure it's an issue with authentication, however this is my Apps Script code in case it helps:
function test() {
const options = {
headers: {'Authorization': 'Bearer ' + ScriptApp.getIdentityToken()},
muteHttpExceptions: true
}
var result = UrlFetchApp.fetch('https://APP-ENGINE-URL.appspot.com', options);
Logger.log(result);
}
And the manifest file:
{
"timeZone": "Europe/London",
"dependencies": {
},
"exceptionLogging": "STACKDRIVER",
"runtimeVersion": "V8",
"oauthScopes": ["openid", "https://www.googleapis.com/auth/script.external_request"]
}
Any help on this is super appreciated! Never posted here before, but pretty desperate and couldn't find anyone with this exact problem on SO.
Consideration
The problem with your solution is that you are using the identity of an auto-generated OAuth Client for Apps Script. This clients are not suitable for this kind of authentication, here a complete list of supported OAuth clients.
Solution
In order to complete your authentication you will need an extra step. You will have to create another OAuth Client and build an identity token with its credentials.
To make things easier I would recommend to use this Apps Script library: https://github.com/gsuitedevs/apps-script-oauth2
The inital Set-up is covered in the linked documentation.
Important: When creating the OAuth Client take note of the ClientID and the Client-secret. Plus, you will need to add an Authorized Redirect URI. This is standard when using the OAuth2 GAS library and it has this form: https://script.google.com/macros/d/{Your Apps Script ID}/usercallback
Now you have all the necessary information to build your identity token. In the Github repository there is a boilerplate sample that will cover the first coding steps with the OAuth2 GAS library.
Here is the link.
Copy this code to your Apps Script project and follow the instructions in the comments. You will need to add an extra OAuth scope: "https://www.googleapis.com/auth/userinfo.email".
Once you set all the constants with your OAuth clients information you should run the run() function from your Apps Script editor. This will log a URL you have to open in your browser to authorize your App. Once you authorized the App run again the run() function and you will successfully access your IAP protected application.
References
OAuth2 GAS library
IAP programmatic authentication
I've been using Azure Active Directory and adal.js to authorize web apps client side and it's worked great. Recently had a request to have user photo instead of a generic user icon.
I added Microsoft Graph permissions to the app registration. And tried to get a token for the user photo request like...
authContext.acquireToken('https://graph.microsoft.com', callback);
Which resulted in the response_type 'token' is not supported for the application error. So I found ADAL JS - response_type="token" is not supported suggesting setting "oauth2AllowImplicitFlow": true in the app manifest, which I did. Now I get Token renewal operation failed due to timeout error.
I've also added 'https://graph.microsoft.com': 'https://graph.microsoft.com' to the endpoints prop of the context config.
What do I have to do get this working? Way too much time spent just trying to get users' photos. Thanks.
I have developed a simple chat application using AngularJs and Firebase. I have hosted this application on the Google app engine platform. Now, I want to delete the Firebase database containing chat messages on a schedule (every night).
Is there any way to achieve this using a servlet, so that it can be invoked as a cron job? Thanks.
PS: The firebase documentation has been given only for Android and I am new to this. SO, specifically looking for servlet code.
It's not entirely clear from your question or description what you need assistance with. This answer assumes you'd like a daily cron job to send a request to an App Engine handler which then deletes data from a Firebase database.
From the documentation, Firebase has a REST API. Therefore, data can be added, removed and updated using standard HTTP requests (GET, PUT, POST, PATCH, DELETE). Any application capable of issuing HTTP requests can make changes to the data when properly authenticated and authorized.
Given your request to use a cron job and Java servlet on App Engine, I'd advise the following:
Define a cron job that issues requests to a specific URL in your cron.xml
<cron>
<url>/firebase_cleanup</url>
<description>Delete all chat messages of the day</description>
<schedule>every day 23:00</schedule>
</cron>
Deploy a servlet that will handle such requests and issue the appropriate HTTP request to Firebase. In your case, it should issue a DELETE request. This can be done using HttpURLConnection.
URL url = new URL("firebase-url-formatted-for-delete-request");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setDoOutput(true);
connection.setRequestMethod("DELETE");
int responseCode = connection.getResponseCode();
// Act upon responseCode accordingly
Note that the above servlet code does not include the authentication you'll need to issue the DELETE request. That will require your Firebase secret or a generated token. As I do not have a Firebase account, I cannot test the above so it will likely require some modifications.
We're having trouble publishing messages to a Google Cloud PubSub topic on Google AppEngine. Using the Application Default credentials works perfect locally. But once it's deployed on Google AppEngine it gives the following error:
<HttpError 403 when requesting https://pubsub.googleapis.com/v1/projects/our-project-id/topics/our-topic:publish?alt=json returned "The request cannot be identified with a project. Please pass a valid API key with the request.">
I would assume that it's will use the service account of app engine to access the PubSub API. Here is the code we used to create the credentials.
credentials = GoogleCredentials.get_application_default()
if credentials.create_scoped_required():
credentials = credentials.create_scoped(['https://www.googleapis.com/auth/pubsub'])
http = httplib2.Http()
credentials.authorize(http)
pubsub_service = build('pubsub', 'v1', http=http)
The error is thrown when publishing the actual message to PubSub.
pubsub_service.projects().topics().publish(topic="projects/out-project-id/topics/out-topic", body = { 'messages' : [ { 'data': base64.b64encode(request.get_data()) }]}).execute()
Not that the same flow works doing API call's to "BigQuery", so it's not a general Google API problem. It seems to be specific to PubSub...
It's a rare case of the service account without project id embedded in it. We fixed your service account and you should be good to go now. Sorry for the trouble.
I started using google API recently . I am using simpleauth https://github.com/crhym3/simpleauth for authentication to google app engine . Now I am using google blogger API for publishing my blog and fetching data .
This API requires access_token value to use the API https://developers.google.com/blogger/docs/3.0/using#RetrievingPostsForABlog for Authorization . I cant find a way to get value of access token .
Is there a way to get the value of acces token or am I doing something wrong ?
You need to register your webapp with Google to get a client ID and client secret. Then, you can configure your OAuth2 library with these details to allow you to send fully authenticated requests from your webapp to Blogger.
For the specific scenario you listed, retrieving a blog post, I think you can follow step 1 of this page and then follow these steps. You should be able to copy+paste the key from there into the query params of the GET request.
To issue fully authenticated requests, for publishing new posts, for example, you'll have to get your OAuth2 library with the client ID and client secret and have it issue the requests for you.