Until a few days ago I could use the log out from google account procedure mentioned (among several others) in this link.
The recommended log out URL is similar to:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://localhost:4200/index.html
But all of a sudden when navigating to the recommended URL, a redirection notice page appears instead of navigating directly to http://localhost:4200/index.html
In this previous question a similar problem was reported, but also that the problem solved itself shortly after
Can anyone confirm that the log out from google account URL is still working?
Thank you very much
Redirection notice page appearance is the intended behavior of the appengine API.
For security reasons it will no longer work, unless URL will be signed.
Please check documentation, how to sign URL with the appengine API.
Example: you can find documentation and test it on the API method page. Expanding try this API window, you will get access to example in curl, http and javascript.
You also need to use ?key=<YOUR_API_KEY> part with the secret key for authentication
curl --request POST \
'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-name>%40<project-name>.iam.gserviceaccount.com:signBlob?key=<YOUR_API_KEY>' \
--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"payload":"<BLOB-TO-SIGN>"}' \
--compressed
Related
I am using IAP to protect a Web API Application. I have enabled a service account to get access to the APIs through an id_token. I am able to obtain an id_token (JWT) by signing a JWT (using the keys of my service account) with the following assertions
{
"iss": "xx.iam.gserviceaccount.com",
"sub": "xx.iam.gserviceaccount.com",
"aud": "https://oauth2.googleapis.com/token",
"target_audience": "my_application_client_id",
"iat": 1598702078,
"exp": 1598705593
}
and then Posting to the token service as follows
curl --location --request POST 'https://oauth2.googleapis.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'assertion=<JWT obtained at the previous step>’
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
--data-urlencode 'scope=openid’
Now I would like to also obtain a refresh_token and has been impossible. I have tried with scope=openid offline_access but no luck. Is offline_access implemented in the Google Auth Server? Any other mechanism to obtain a refresh_token?
According to the documentation here, for the OpenID server flow you would need to use access_type as parameter set to offline for it to work. There are more details here.
I wish to use the Google Cloud Platform (GCP) REST API locally, starting with the apps.services.versions.instances.list method.
The route works when I use "Try this API" here, but how would I use this method locally with curl?
"https://appengine.googleapis.com/v1/apps/$APPSID/services/$SERVICESID/versions/$VERSIONSID/instances?key=$YOUR_API_KEY" \
--compressed \
--header 'Accept: application/json' \
--header "Authorization: Bearer $YOUR_ACCESS_TOKEN"
#=>
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
How do I access $YOUR_API_KEY and $YOUR_ACCESS_TOKEN? I have been unable to find either in the official GCP docs.
The fastest way is use Cloud Shell:
List projects to get project id
gcloud projects list
# save you project id
PROJECT_ID="YOURS_PROJECT_ID"
Get ACCESS_TOKEN
ACCESS_TOKEN=$(gcloud auth print-access-token)
Get API_KEY
API_KEY=$(curl -X POST https://apikeys.googleapis.com/v1/projects/$PROJECT_ID/apiKeys?access_token=$ACCESS_TOKEN | jq -r ".currentKey")
Print API_KEY and ACCESS_TOKEN
echo $ACCESS_TOKEN
echo $API_KEY
To run above commands on local machine first you need authenticate using command gcloud auth login and follow instructions.
Alternatively api key could be readed or created from console go to Navigation Menu -> APIs & Services -> Credentials and next click on CREATE CREDENTIALS -> API Key.
By reading the documentation (clicking on question mark next to Credentials) we can read:
[YOUR_API_KEY] - "Include an API Key to identify your project, used to verify enablement and track request quotas."
[YOUR_ACCESS_TOKEN] - "Include an access (bearer) token to identify the user which completed the OAuth flow with your Client ID."
You no longer need an API key. It's a legacy feature of Google APIs, provide only an access token is enough.
In command line you can do this
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://....
All the Google Cloud APIs are compliant with access token authentication. Few are still compliant with API keys.
About APIKeys API
This API has been published in beta and now closed. At least the documentation part. I don't know if this API is stable or subject to change. You can create an API key per API like this (very similar to Bartosz Pelikan answer)
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-X POST https://apikeys.googleapis.com/v1/projects/PROJECT_ID/apiKeys
As you can see, I reuse the access token authentication mode
The above answers are using an API that isn't publicly available (I reached out to GCP support an confirmed.
I recommend using the CLI tool like so:
gcloud app instances list --service core-api --project my-project-name
docs: https://cloud.google.com/sdk/gcloud/reference/app/instances/list
You'll have to a gcloud auth first and probably set your project.
I am very new to this kind of stuff. This is my setup. enter image description here
Any suggestion is appreciated.
Hi The issue is in Authorization, API key needs to be provided under Authorization tab, I would suggest to cross check API key via IBM console
Here is steps to convert text to speech using IBM watson with postman
I assume you have ApiKey value, If you do not have Go to, IBM watson, create text-to-speech resource, -> Go to Manage -> You will have the API Key
Go to Postman, create new Post request
Now you need to add URL, Authorization using Basic Method, Headers & data refer
Click on Send and you will receive audio under response -> Body tab
If you want to do quick check then you can use curl for the same
curl -X POST \
https://stream.watsonplatform.net/text-to-speech/api/v1/synthesize \
-H 'Accept: audio/wav' \
-H 'Authorization: Basic REPLACE_API_KEY' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: 3c147726-2f1e-4531-abca-0898127e8644' \
-H 'cache-control: no-cache' \
-d '{"text": "hello world"}'
A 401 http error code typically means you are not able to authenticate. That means your token is either not valid or you've misconfigured how the token is given to the API. I believe the later is your problem. Based on these docs, you need to pass the token as the value to the X-Watson-Authorization-Token header not as a query parameter.
Let us assume that there is an app engine standard python app hosted at https://xyz.appspot.com and that its URLs are protected with:
login: admin
secure: always
How can I exercise the APIs using curl? I guess the real question is how can I authenticate to the app using curl. If the app is used from a browser, one is redirected to Google login but I am wondering how I can simulate the same from curl.
Any help is greatly appreciated.
Thanks,
Raghu
One way would be to do the authentication in browser first, and then copy the cookie from there to curl. For example in Chrome, you can open the devtools (F12) and select the Network tab.
When you access your secure resource it will appear there. Then you can right click -> Copy -> Copy as cURL (bash).
This will give you a cURL command that is authorized to call your secure resource.
Based on the suggestion from #Erfa, I visited the site in Chrome while keeping the dev tools open.
The browser takes you through login procedure and the site appears. At this point, right click on the GET request in "Network" tab and select "Save as HAR with Content" which saves the API information in a text file.
In the file, you will find a cookie that is being sent with the GET request. You can now use this same cookie with curl as follows:
$ curl --cookie "NAME=VALUE" <URL>
You can use a combination of Cloud Endpoints and API Key.
In this article https://cloud.google.com/endpoints/docs/frameworks/python/restricting-api-access-with-api-keys-frameworks from Google Cloud Platform you have an example of how to use curl authentication with this combination:
If an API or API method requires an API key, supply the key using a
query parameter named key, as shown in this cURL example:
curl \
-H "Content-Type: application/json" \
-X POST \
-d '{"message": "echo"}' \
"${HOST}/_ah/api/echo/v1/echo_api_key?key=${API_KEY}
where HOST and API_KEY are variables containing your API host name and API key,
respectively. Replace echo with the name of your API, and v1 with the
version of your API.
I'm implementing sending push notifications from my google-app-engine server to client apps.
I'm receiving response 401 when sending post message to Firebase cloud messaging server (https://fcm.googleapis.com/fcm/send). I've followed instructions in https://firebase.google.com/docs/cloud-messaging/server, so I'm sending "Authorization" header with my server key. When I'm checking for validity of the key with curl:
curl --header "Authorization: key=$api_key" \
--header Content-Type:"application/json" \
https://fcm.googleapis.com/fcm/send \
-d "{\"registration_ids\":[\"ABC\"]}"
I'm getting response:
{"multicast_id":6193339963814546500,"success":0,"failure":1,"canonical_ids":0,"results":[{"error":"InvalidRegistration"}]}
Which should mean that my server key is valid.
I followed "Recommended Actions" for 401 described in: https://firebase.google.com/docs/cloud-messaging/http-server-ref
Apart from the last one: "Request originated from a server not whitelisted in the Server key IPs."
Can that be the cause? How to check that?
I solved the issue. It was my mistake. I wasn't truncating json to string properly and my server key wasn't in fact a correct one.
Sorry for bother.