I'm working on a website and there is existing auth using Google cloud Datastore. I can't seem to find any documentation showing how I can generate a JSON web token compatible with cloud Endpoints for the end users.
Any links you can scavenge are greatly appreciated.
I'm working on a website and there is existing auth using Google cloud
Datastore.
If your current auth system is generating your own OAuth tokens, you cannot use those tokens with Google Cloud Endpoints. You must generate your tokens via Google mechanisms (Google Accounts). Otherwise, Google services cannot validate your tokens. Check to see if your backend is creating tokens or using Google OAuth to create tokens. However, there are three types of tokens: Access Token, Refresh Token, and Client ID Token. You backend may need to be modified to generate Client ID (OIDC) Tokens. Some systems just generate the first two.
The following assumes Google issued OAuth tokens.
Yes, it is possible and very easy. I will show you an example.
Note: I wrote an article on how to generate OAuth 2.0 Tokens with CURL including the Client ID token. Google OAuth 2.0 – Testing with Curl – Refresh Access Token My article shows you the steps so that you can code in any language.
Using the CLI, generate an OAuth 2.0 Client ID Token:
gcloud config config-helper --format "value(credential.id_token)" --force-auth-refresh
Save the generated token. Call it TOKEN for this example.
URL is the endpoint URL.
Now make a request to your endpoint:
curl -H "Authorization: Bearer TOKEN" URL
If you are curious to see what is inside the TOKEN JWT:
curl https://oauth2.googleapis.com/tokeninfo?id_token=TOKEN
The returned JSON will look like this:
{
"aud": "https://cloudtask-abcdefabcdef-uc.a.run.app",
"azp": "0123456789077420983142",
"email": "cloudtask#development.iam.gserviceaccount.com",
"email_verified": "true",
"exp": "1559029789",
"iat": "1559026189",
"iss": "https://accounts.google.com",
"sub": "012345678901234567892",
"alg": "RS256",
"kid": "0123456789012345678901234567890123456789c3",
"typ": "JWT"
}
I can't seem to find any documentation showing how I can generate a
JSON web token compatible with cloud Endpoints for the end users.
Here is a link with details on Google Cloud Endpoints Authentication:
Google ID token authentication
You may wonder why you cannot use your own tokens. The reason is that Google cannot verify the signature on the token.
OAuth tokens (Signed-JWT) are signed using a Private Key. They are validated using the Public Key. Google publishes the Public Keys at https://www.googleapis.com/oauth2/v1/certs
This allows Google and others to validate Google signed data. When you generate a token, Google cannot access your Public Key to validate the signature. Therefore, you must use Google generated tokens so that Google can validate them.
You can check out this. You still need a Google service account, but only uses its private key to generate JWT. ESP will validate it.
Related
I have a scenario where I have an on-premise GUI application which has a "Web Service Invoke" component which I use to call a GAE API.
In the GUI application, it is possible to:
store credentials
create a chain of web services/http(s) calls that can integrate an output of preceding https(s) call as a query parameter or header value into the next http(s) call
retrieve a value from JSON response of the http(s) call
But it is not possible to programmatically do anything. The Web Service widget has fields for passing API URL, query parameters and headers only.
I'm looking to do a service-to-service authentication for the API call and the API should be protected using IAP as well.
I'm aware of the recommended approach is to create a service account and provide the service account JSON key file to the client and the client signs a JWT token and pass it as a bearer token. But as I only have widgets, no programming possible, therefore signing JWT token is not an option.
I was looking at Google OAuth or IAM APIs which can support "client_credentials" grant type wherein I can get an access token using just clientId and clientSecret - something possible in Apigee. But it seems this grant type is not supported by Google OAuth APIs.
I also looked at Cloud Endpoints using API KEY - so the current thought is to the client passes API KEY in header/parameter for authentication to Cloud Endpoints, then Cloud Endpoints uses its service account to get access through IAP, and finally, I'm thinking that the client can also send in "Basic Auth" credentials through Authorization header which the GAE API backend service validates. The additional "Basic Auth" is because Google recommends using another auth method in addition to API KEY.
I would like a simpler solution if possible using GAE and IAP only. Any other suggestions, especially using time-limited tokens, that can work over only http(s) calls (non-programmatic or client library), is much appreciated.
Any alternatives or things to try is also appreciated.
Look into this server-to-server authentication using JWT Google API Authentication
Our application is an Angular SPA with ASP.Net Core Web API. The identity is provided by Microsoft Identity Platform (Azure AD) and authentication is provided by the same. The authorization is done in Web API basis "Application Roles". These "Application Roles" are held in the Azure AD directory (defined in the Application's manifest and assigned on the tenant domain to users).
The Angular SPA receives the tokens from Azure, as per these instructions. The relevant tokens that are issued are: an AccessToken for my Web API (following these instructions), an AccessToken for calling Graph API (following the same instructions) and an IdToken that includes the "Application Roles" as roles claim (this id token seems to be included automatically once roles have been assigned).
The problem I face is that I need to pass concurrent tokens to my Web API, but with the HTTP interceptor I can only include 1 token in the header request. For example, I need the first AccessToken to proof authentication to the Web API and I need to include the IdToken such that the Web API can perform authorization.
Q: How can I call my Web API with multiple tokens, when these tokens are all issued to the SPA and need to be included in the HTTP call to my Web API?
No matter whether you want to get Microsoft Graph data, the way you used to get Application role is incorrect.
An id token cannot be used to perform authorization for your Web API application. You have to use access token. See this answer to learn about the usage of id token and access token.
So you have to use an access token rather than id token.
In this case, you configure the app roles in the Azure AD app which represents Angular SPA (the front).
In fact, you should configure the app roles in the Azure AD app which represents ASP.Net Core Web API (the backend). Then you can get the "Application Roles" as roles claim in the AccessToken for your Web API.
My application has 2 modules
Spring boot back-end API
Angular front-end (SPA application)
Both were deployed in Google app engine (GAE).
I used Google IAP for authentication. After enabling the IAP is there any way to generate the IAP JWT token for the different users within the organization to authenticate the APIs from the web client.
I tried token generating mechanism using the Service account. But for my scenario, I just want to authenticate and authorize users not service account. I found this reference to enable the web resource access for users, but it is using cookie based authorization. And it is not the recommended way for the application such as angular.
If you're using IAP to protect your backend api, it means your users have a Google Account or an account managed in Cloud Identity.
In your Angular front-end app, you can retrieve JWT token of your user, with Google Sign-In for Websites.
To easily integrate Google Sign-in with Angular, I recommend you to use ng-gapi from Ruben.
Main lines of the workflow :
Angular uses ng-gapi with Google Sign-in behind the scene
Users are authenticated with their Google Account
You're able to retrieve GoogleUser idToken which is a JWT token.
Each HttpRequest could be executed with Authorization: Bearer JWT
IAP will accept request.
To better understand how to use ng-gapi, check this stackblitz Demo made by creator of lib.
I also suggest you theses resources :
My answer on Stackoverflow about Angular stateless authentication workflow. Just skip the Spring Boot JWT part if you're using IAP.
Google Sign-In for Websites official docs.
Note that you need to use the OAuth 2.0 Client ID configured by Identity-Aware Proxy for your app, and add the correct Authorized JavaScript origins.
Yes, You can generate a JWT token using angular-oauth2-oidc.
Get the default IAP Web App client ID and client secret. Use AuthConfig and redirect to your link after credentials are entered; you can capture the token after they are redirected.
This link has all the details:
https://medium.com/#ishmeetsingh/google-auth-integration-with-angular-5-and-angular-oauth2-oidc-ed01b997e1df
You have told that you tried authenticating from service account. Were you able to generate JWT for service account? I am able to capture the JWT token for individual accounts and use it.
Please give more information on how you authenticated from service account.
Thanks,
Bharath
Does IBM Single Sign On service allows to use JWT tokens, not cookie based session approach?
I have web project with backend in Node.js and frontend in Angular.js as separate applications. So I would need a SSO that works with JWT tokens.
There are two parts to your question: (1) Does IBM SSO use JWT tokens and (2) Can we use the JWTs as session tokens for an Angular app.
(1)
IBM SSO service has been deprecated in favor of IBM Cloud App ID which manages identity for different types of identities (including anonymous and directory based) as well as profile management. The service is OAuth2/OIDC compliant and so the access and identity tokens that clients obtain are all JWT.
(2) Check out this blog on how to secure an Angular+Nodejs app with App ID. An important point here is whether you want to use the JWT you get from App ID as your session token. Remember that your App ID access token gives the bearer capability beyond that of the session identity (it give the bearer access to /userinfo and /attribute endpoints as well) so that unless you are ok with exposing this info to your frontend, create and manage your own JWT for session or use Express sessions.
You want to use the IBM Cloud App ID service which provides the single sign on capabilities (IBM SSO service has been deprecated). It provides openID Connect- and OAuth2-compliant authentication. The access and identity are JWTs (JSON Web Token).
I would recommend that you check out the related App ID Node.js SDK. There are samples that show integration with the passport framework. I have seen it in use with Angular.js apps.
I am trying to setup cloud IAP for an application hosted in the Google cloud.
Logging in to the application works well via the web, and you are redirected to the Google authentication page, and redirected back to the website, with a session token set as a cookie.
Authenticating via a non-web interface, following the guide on programmatic authentication, trying both the command line way described there, and using the iOS SDK. In both cases, login works as it should, and I receive an id_token from the login process. BUT when I make an request like follows:
curl --verbose --header 'Authorization: Bearer ID_TOKEN' https://an-app.appspot.com/api/user
I ALWAYS receive the following response:
There was a problem with your request. Error code 13
It does not matter what the ID_TOKEN in the request is, the response is always Error code 13. If I do not specify the Authorization header, I am redirected to Google's login page.
Is there any setting or configuration I am missing?
TLDR;
The problem was a misconfiguration of the auth payload, in my case, it was the target audience that wasn't correct. Here's the appropriate format:
// this is the IAP client ID that can be obtained by clicking 3 dots -> Edit OAuth Client in IAP configuration page
const target_audience = "12345.apps.googleusercontent.com";
Details
I had the same problem, that I resolved using a mix between this post: How to authenticate google cloud functions for access to secure app engine endpoints And this Gist: https://gist.github.com/plmrry/f78136bba68f810622bc2840497ef7e1