I am trying to migrate from Channel API in GAE to firebase. To do this, first, I am trying to setup a local development environment. I cloned the sample app from GAE samples. (Link to sample)
When I ran this, I get the following error, when the web client is trying to authenticate with the firebase DB.The error is in the console.
Screenshot of the error
i.e token authentication failed.Clearly, this points to the fact that generated JWT is not correct.
To be sure, I have done the following:
Created a service account in Google cloud console.
Downloaded the JSON and pointed to this JSON in the environment variable "GOOGLE_APPLICATION_CREDENTIALS"
Put the code snipped from the firebase into WEB-INF/view/firebase_config.jspf file
The code to generate the token is as follows ( from FirebaseChannel.java )
public String createFirebaseToken(Game game, String userId) {
final AppIdentityService appIdentity = AppIdentityServiceFactory.getAppIdentityService();
final BaseEncoding base64 = BaseEncoding.base64();
String header = base64.encode("{\"typ\":\"JWT\",\"alg\":\"RS256\"}".getBytes());
// Construct the claim
String channelKey = game.getChannelKey(userId);
String clientEmail = appIdentity.getServiceAccountName();
System.out.println(clientEmail);
long epochTime = System.currentTimeMillis() / 1000;
long expire = epochTime + 60 * 60; // an hour from now
Map<String, Object> claims = new HashMap<String, Object>();
claims.put("iss", clientEmail);
claims.put("sub", clientEmail);
claims.put("aud", IDENTITY_ENDPOINT);
claims.put("uid", channelKey);
claims.put("iat", epochTime);
claims.put("exp", expire);
System.out.println(claims);
String payload = base64.encode(new Gson().toJson(claims).getBytes());
String toSign = String.format("%s.%s", header, payload);
AppIdentityService.SigningResult result =
appIdentity.signForApp(toSign.getBytes());
return String.format("%s.%s", toSign,
base64.encode(result.getSignature()));
}
Instead of Step #2, have also tried 'gcloud auth application-default login' and then running after unsetting the environment variable - resulting in the same issue
Appreciate any help in this regard.
After further research, I found out additional info which may help others facing the same issue. I did the following to be able to run the sample locally.
Its important to ensure that the service account in appengine has the permissions to access resources. Chose "Editor" as the role for permissions (other levels may also work, but I chose this) for the default appengine service account. This will ensure that you do not run into "Unauthorized" error.
My application was enabled for domain authentication and did not use Google authentication. The sample however has been created for Google authentication. I had to make changes to the sample code to send the userId as part of the URL and removed the code that referred to UserServiceFactory.
The console error did show up even now, but the application worked fine. This error probably can be ignored. In the deployed environment, however, this error does not show up.
I would appreciate if Google/Firebase engineers update this answer with official responses, or update the sample documentation appropriately as currently this information does not seem to be mentioned anywhere.
Related
My goal is to test out google's orchestrator and the compute engine api by first retrieving a list of active instances. The orchestrator project including the servlet file is stored in a jar.
I'm trying to test out the java google compute engine client api. I have a cron job which calls on the orchestrator servlet. The target for the cron is a backend. From which I try to get the list of instances:
...
AppIdentityCredential credential = getCredential(computeScope);
String appName = ConfigProperties.getInstance().getGceConfigProperties().get("projectId");
try {
httpTransport = GoogleNetHttpTransport.newTrustedTransport();
final Compute compute = new Compute.Builder(
httpTransport, JSON_FACTORY, credential).setApplicationName(appName)
.build();
logger.info("================== Listing Compute Engine Instances ==================");
Compute.Instances.List instances = compute.instances().list(projectId, zone);
InstanceList list = instances.execute();
if (list.getItems() == null) {
logger.info("No instances found. Sign in to the Google APIs Console and create "
+ "an instance at: code.google.com/apis/console");
} else {
for (Instance instance : list.getItems()) {
logger.info(instance.toPrettyString());
}
}
...
There error response I get is(I omitted my project name from the response, I confirmed that I'm using the correct project id in my code):
com.google.cloud.solutions.sampleapps.orchestration.orchestrator.server.GceClientApiUtils
getInstances: com.google.api.client.googleapis.json.GoogleJsonResponseException: 404 OK
{
"code" : 404,
"errors" : [ {
"domain" : "global",
"message" : "The resource 'projects/<project-name-here>' was not found",
"reason" : "notFound"
} ],
"message" : "The resource 'projects/<project-name_here>' was not found"
}
I've also attempted this by retrieving an access token and making a RESTful call to get the list of instances and i received the exact same response. I confirmed the Url constructed was correct by comparing it against a successful query of the instances using the api explorer.
EDIT: I determined the solution to the issue with help of another post:
I was finally able to find the solution in the post Compute Engine API call fails with http 404
I needed to add my app engine service account as a team member with edit capabilities, which it does not have by default. Once I did this, the code worked as expected. I had to do this through cloud.google.com/console, as if done through appengine.google.com, a pending status will be given to the service account and will not have access.
For me i had to make sure i had authorization. Try this in the terminal gcloud auth login
Make sure you are in the right project, you can run this command on your vm to see if you are in the right project:
gcloud config list
Take a look at this post in Google Groups
Do you have access to the developers console https://console.developers.google.com?
It seems that the user account #appspot.gserviceaccount.com has not access to compute engine. In my case I see #developer.gserviceaccount.com.
If you don't have one, visit https://developers.google.com/console/help/new/#generatingoauth2 to create a new Client ID
I have an appengine app that needs to access a single, hard-coded spreadsheet on Google Drive.
Up until now I have been achieving this as follows:
SpreadsheetService service = new SpreadsheetService("myapp");
service.setUserCredentials("myusername#gmail.com", "myhardcodedpassword");
When I tried this today with a new user, I got InvalidCredentialsException even though the username and password were definitely correct. I got an email in my inbox saying suspicions sign-ins had been prevented, and there seems to be no way to enable them again.
I am also aware that hardcoding passwords in source is bad practice.
However, I have read very widely online for how to enable OAuth/OAuth2 for this, and have ended up wasting hours and hours piecing fragments of information from blogs, stackoverflow answers etc, to no avail.
Ideally the solution would involve an initial process to generate a long-lived access token, which could then be hard-coded in to the app.
I want a definitive list of steps for how to achieve this?
EDIT: As Google have redesigned the API Console, the details of the steps below have changed - see comments
OK here goes, step by step
Go to Google Cloud Console and register your project (aka application)
You need to note the Client ID, and Client Secret
Go to the OAuth Playground, click the gear icon and choose and enter your own credentials
You will be reminded that you need to go back to the Cloud COnsole and add the Oauth Playground as a valid callback url. So do that.
Do Step 1, choosing the spreadsheet scope and click authorize
Choose your Google account if prompted and grant auth when prompted
Do Step 2, Click 'Exchange auth code for tokens'
You will see an input box containing a refresh token
The refresh token is the equivalent of your long lived username/password, so this is what you'll hard code (or store someplace secure your app can retrieve it).
When you need to access Google Spreadsheets, you will call
POST https://accounts.google.com/o/oauth2/token
content-type: application/x-www-form-urlencoded
client_secret=************&grant_type=refresh_token&refresh_token=1%2xxxxxxxxxx&client_id=999999999999.apps.googleusercontent.com
which will return you an access token
{
"access_token": "ya29.yyyyyyyyyyyyyyyyyy",
"token_type": "Bearer",
"expires_in": 3600
}
Put the access token into an http header for whenever you access the spreadsheet API
Authorization: Bearer ya29.yyyyyyyyyyyyyyyyy
And you're done
Pinoyyid has indeed provided wonderful help. I wanted to follow up with Python code that will allow access to a Personal (web-accessible) Google Drive.
This runs fine within the Google App Engine (as part of a web app) and also standalone on the desktop (assuming the Google App Engine SDK is installed on your machine [available from: https://developers.google.com/appengine/downloads]).
In my case I added https://www.googleapis.com/auth/drive scope during Pinyyid's process because I wanted access to all my Google Drive files.
After following Pinoyyid's instructions to get your refresh token etc., this little Python script will get a listing of all the files on your Google drive:
import httplib2
import datetime
from oauth2client.client import OAuth2Credentials
from apiclient.discovery import build
API_KEY = 'AIz...' # from "Key for Server Applications" from "Public API Access" section of Google Developers Console
access_token = "ya29..." # from Piinoyyid's instructions
refresh_token = "1/V..." # from Piinoyyid's instructions
client_id = '654....apps.googleusercontent.com' # from "Client ID for web application" from "OAuth" section of Google Developers Console
client_secret = '6Cl...' # from "Client ID for web application" from "OAuth" section of Google Developers Console
token_expiry = datetime.datetime.utcnow() - datetime.timedelta(days=1)
token_uri = 'https://accounts.google.com/o/oauth2/token'
user_agent = 'python urllib (I reckon)'
def main():
service = createDrive()
dirlist = service.files().list(maxResults=30)
print 'dirlist', dirlist
result = dirlist.execute()
print 'result', result
def createDrive():
credentials = OAuth2Credentials(access_token, client_id, client_secret, refresh_token, token_expiry, token_uri, user_agent)
http = httplib2.Http()
http = credentials.authorize(http)
return build('drive', 'v2', http=http, developerKey=API_KEY)
main()
I'm grateful to all who have provided the steps along the way to solving this.
The API is a backend to a mobile app. I don't need user authentication. I simply need a way to secure access to this API. Currently, my backend is exposed.
The documentation seems to only talk about user authentication and authorization, which is not what I need here. I just need to ensure only my mobile app can talk to this backend and no one else.
Yes, you can do that: use authentication to secure your endpoints without doing user authentication.
I have found that this way of doing it is not well documented, and I haven't actually done it myself, but I intend to so I paid attention when I saw it being discussed on some of the IO13 videos (I think that's where I saw it):
Here's my understanding of what's involved:
Create a Google API project (though this doesn't really involve their API's, other than authentication itself).
Create OATH client ID's that are tied to your app via its package name and the SHA1 fingerprint of the certificate that you will sign the app with.
You will add these client ID's to the list of acceptable ID's for your endpoints. You will add the User parameter to your endpoints, but it will be null since no user is specified.
#ApiMethod(
name = "sendInfo",
clientIds = { Config.WEB_CLIENT_ID, Config.MY_APP_CLIENT_ID, Config.MY_DEBUG_CLIENT_ID },
audiences = { Config.WEB_CLIENT_ID }
// Yes, you specify a 'web' ID even if this isn't a Web client.
)
public void sendInfo(User user, Info greeting) {
There is some decent documentation about the above, here:
https://developers.google.com/appengine/docs/java/endpoints/auth
Your client app will specify these client ID's when formulating the endpoint service call. All the OATH details will get taken care of behind the scenes on your client device such that your client ID's are translated into authentication tokens.
HttpTransport transport = AndroidHttp.newCompatibleTransport();
JsonFactory jsonFactory = new JacksonFactory();
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience( ctx, Config.WEB_CLIENT_ID );
//credential.setSelectedAccountName( user ); // not specify a user
Myendpoint.Builder builder = new Myendpoint.Builder( transport, jsonFactory, credential );
This client code is just my best guess - sorry. If anyone else has a reference for exactly what the client code should look like then I too would be interested.
I'm sorry to say that Google doesn't provide a solution for your problem (which is my problem too).
You can use their API key mechanism (see https://developers.google.com/console/help/new/#usingkeys), but there is a huge hole in this strategy courtesy of Google's own API explorer (see https://developers.google.com/apis-explorer/#p/), which is a great development tool to test API's, but exposes all Cloud Endpoint API's, not just Google's services API's. This means anyone with the name of your project can browse and call your API at their leisure since the API explorer circumvents the API key security.
I found a workaround (based on bossylobster's great response to this post: Simple Access API (Developer Key) with Google Cloud Endpoint (Python) ), which is to pass a request field that is not part of the message request definition in your client API, and then read it in your API server. If you don't find the undocumented field, you raise an unauthorized exception. This will plug the hole created by the API explorer.
In iOS (which I'm using for my app), you add a property to each request class (the ones created by Google's API generator tool) like so:
#property (copy) NSString *hiddenProperty;
and set its value to a key that you choose. In your server code (python in my case) you check for its existence and barf if you don't see it or its not set to the value that your server and client will agree on:
mykey,keytype = request.get_unrecognized_field_info('hiddenProperty')
if mykey != 'my_supersecret_key':
raise endpoints.UnauthorizedException('No, you dont!')
Hope this puts you on the right track
The documentation is only for the client. What I need is documentation
on how to provide Service Account functionality on the server side.
This could mean a couple of different things, but I'd like to address what I think the question is asking. If you only want your service account to access your service, then you can just add the service account's clientId to your #Api/#ApiMethod annotations, build a GoogleCredential, and invoke your service as you normally would. Specifically...
In the google developer's console, create a new service account. This will create a .p12 file which is automatically downloaded. This is used by the client in the documentation you linked to. If you can't keep the .p12 secure, then this isn't much more secure than a password. I'm guessing that's why this isn't explicitly laid out in the Cloud Endpoints documentation.
You add the CLIENT ID displayed in the google developer's console to the clientIds in your #Api or #ApiMethod annotation
import com.google.appengine.api.users.User
#ApiMethod(name = "doIt", scopes = { Constants.EMAIL_SCOPE },
clientIds = { "12345678901-12acg1ez8lf51spfl06lznd1dsasdfj.apps.googleusercontent.com" })
public void doIt(User user){ //by convention, add User parameter to existing params
// if no client id is passed or the oauth2 token doesn't
// match your clientId then user will be null and the dev server
// will print a warning message like this:
// WARNING: getCurrentUser: clientId 1234654321.apps.googleusercontent.com not allowed
//..
}
You build a client the same way you would with the unsecured version, the only difference being you create a GoogleCredential object to pass to your service's MyService.Builder.
HttpTransport httpTransport = new NetHttpTransport(); // or build AndroidHttpClient on Android however you wish
JsonFactory jsonFactory = new JacksonFactory();
// assuming you put the .p12 for your service acccount
// (from the developer's console) on the classpath;
// when you deploy you'll have to figure out where you are really
// going to put this and load it in the appropriate manner
URL url = getClass().class.getResource("/YOURAPP-b12345677654.p12");
File p12file = new File(url.toURI());
GoogleCredential.Builder credentialBuilder = new GoogleCredential.Builder();
credentialBuilder.setTransport(httpTransport);
credentialBuilder.setJsonFactory(jsonFactory);
//NOTE: use service account EMAIL (not client id)
credentialBuilder.setServiceAccountId("12345678901-12acg1ez8lf51spfl06lznd1dsasdfj#developer.gserviceaccount.com"); credentialBuilder.setServiceAccountScopes(Collections.singleton("https://www.googleapis.com/auth/userinfo.email"));
credentialBuilder.setServiceAccountPrivateKeyFromP12File(p12file);
GoogleCredential credential = credentialBuilder.build();
Now invoke your generated client the same way
you would the unsecured version, except the builder takes
our google credential from above as the last argument
MyService.Builder builder = new MyService.Builder(httpTransport, jsonFactory, credential);
builder.setApplicationName("APP NAME");
builder.setRootUrl("http://localhost:8080/_ah/api");
final MyService service = builder.build();
// invoke service same as unsecured version
Code to read file
boolean lockForRead = false;
String filename = "/gs/smsspamfilteraptosin/Data";
AppEngineFile readableFile = new AppEngineFile(filename);
FileReadChannel readChannel = fileService.openReadChannel(readableFile, lockForRead);
BufferedReader reader = new BufferedReader(Channels.newReader(readChannel, "UTF")); => I think something went wrong here.I put a string test and after this line the string test was null.
String line = reader.readLine();
Path in cloud storage
smsspamfilteraptosin/Data
ACL Permission for app
FULL_CONTROL
When I tried printing out line, the result was null.
And this is what I saw in the admin log : API serving not allowed for this application
Can somebody tell me what I did incorrectly?
Thank you.
I'm getting the same "API serving not allowed for this application" error when I try to follow the tutorial at: http://www.youtube.com/watch?v=v9TG7OzsZqQ
My Cloud Endpoint REST API works well on my local development machine, but is not visible when
when I deploy to App Engine.
Is it possible that this "API serving not allowed for this application" is the result of a dependency on a paid feature that we don't have enabled?
Update: Check GAE: API serving not allowed for this application for a (partial?) solution.
You didn't do something listed in the prerequisites, and this is preventing you from using GCS from app engine.
I'm developing GWTP project, and below scenarios are tested successfully in my local development mode :
Get authenticated and authorized by OpenID and OAuth
Save GoogleOAuthParameters object into HttpSession.
Another action handler reuses the GoogleOAuthParameters stored in session to get SpreadsheetService object.
Use SpreadsheetService to manipulate spread sheets in GDoc.
However, when being deployed to App Engine, nothing can be read from GDoc, and no error/warning also, and returned list is always empty.
spreadsheetService = new SpreadsheetService("test");
GoogleOAuthParameters oauthParameters = (GoogleOAuthParameters)sessionProvider.get().getAttribute(HttpSessionProvider.PARAM_OAUTH_PARAMETERS);
spreadsheetService.setOAuthCredentials(oauthParameters, new OAuthHmacSha1Signer());
oauthParameters.setScope(SCOPE_SPREADSHEET);
If I clearly use username/password as below when initializing SpreadsheetService, I can retrieve data from GDoc.
SpreadsheetService sService = new SpreadsheetService("test");
sService.setUserCredentials("username", "password");
I'm using App Engine SDK 1.6.6, and gdata-spreadsheet-3.0.
Please advise whether anything I did wrongly.
Thanks!
The documentation is for .Net, not Java. If you want to develop in Java, I found a solution here: Sharing authentication/token between Android Google Client API and SpreadSheet API 3.0
String token = GoogleAuthUtil.getToken(
this,
this.accountName,
this.scopes);
SpreadsheetService service = new SpreadsheetService("my-service-name");
service.setProtocolVersion(SpreadsheetService.Versions.V3);
service.setHeader("Authorization", "Bearer " + token);
Note that this does not work for setting the token and results in a 401 for me:
// BAD CODE
service.setUserToken(token);
// BAD CODE
The documentation has complete samples in Java showing how to perform authentication with all supported mechanisms. The recommendation is to use OAuth 2.0 which is explained at:
https://developers.google.com/google-apps/spreadsheets/#performing_oauth_20