I am creating a Google App Engine application using PHP 5.6 in the 'Flex' environment.
I have deployed the application to GAE successfully and can see the pages when authentication is disabled.
When I attempt to add basic route authentication by updating the handlers in my app.yaml file to include either login: required or login: admin to specific routes, instead of being redirected to sign in as expected, I receive a 403 Forbidden response. Even if I attempt to visit the same page in a browser other than Chrome, or with an incognito window, I still get a 403.
Steps Taken
Create the GAE Project
Enabling Billing
Enabling the Google+ API within the API Manager in the Google Cloud Console
Updating the app.yaml file to include a login-protected handler
Ensuring that my Google Account has Owner access in the IAM & Admin section of the Google Cloud Console, as per Enforcing sign in and admin access with app.yaml
Ensuring that the Google authentication setting is set to Google Accounts API within the App Engine -> Settings menu in the Google Cloud Console
Deploying the Application to GAE by using gcloud app deploy app.yaml from the root directory of the project on my local machine
Opening the project in my browser by running gcloud app browse
Verifying that the elements within my app.yaml file match with the app.yaml Reference
app.yaml [snipped]
handlers:
- url: /.*
script: index.php
login: admin
Have I missed anything obvious or not-so-obvious? I can't seem to find a cause or a solution to this problem. Thanks in advance for any help you might be able to provide!
Unfortunately, the login: admin protection doesn't work with App Engine Flex:
https://cloud.google.com/appengine/docs/flexible/php/migrating#users
Related
I have a Python Streamlit app hosted in GCP via App Engine. Following this tutorial, I added an Idenity-Aware Proxy to secure the app.
The IAP is activated and the OAuth consent screen it set to internal.
In the IAP settings, I added myself and a fellow both with the "IAP-secured Web App User"-role.
While I can access the app after login with my associated google account, he gets and "Error 403: org_internal" error when login within his associated google account.
What I already tried:
Setting the OAuth consent screen to external (test mode) and added both of us
Adding him to our GCP organization
None of both approached worked. He just can't access the app after all.
Any ideas what I am doing wrong?
I am using Firebase Auth (firebase 4.1.3) in my Angular4 project with Google sign in enabled. While working on localhost everything works as expected. However, when deploying my app hosted on Google App Engine, authentication popup fails with the "auth/unauthorized-domain" error.
How can I whitelist my custom domain in Firebase?
Checks already done:
My firebase project has billing enabled and active
Google sign-in with pop-up works on localhost
Google app engine domain is already whitelisted in "Authorized Domains" under Sign-In method, in Authenticacion module of Firebase console.
Double checked the javascript firebase config in my angular app (I copy-pasted the snippet given by the firebase console).
In the Google Cloud Console, the default web API key has no access restrictions and the OAuth client id already contains my App Engine domain in the list of "Authorized JavaScript origins" and also in the "Authorized redirect URIs" (https://console.developers.google.com/apis/credentials?project=MYPROJECT).
Some other similar SO questions refer to checking the previous things and even waiting up to 20 mins after whitelisting a new domain to allow change propagation. But none of these advices worked for me.
NOTE: Full error code
{
code: "auth/unauthorized-domain"
message: "This domain (PROJECT.appspot.com) is not authorized to run this operation. Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab."
}
Any help would be appreciated.
Ok, Answering my own question. I finally found the problem: I was deploying an old version of the web app. So it will never work this way...
In case it could be useful to others, the above steps for configuring firebase Auth are correct and enough!
I was taking over an existing project, and I got this error while deploying with the wrong environment. (the domain was correctly setup in Firebase)
ng build --prod && firebase deploy
While was deploying on my Dev Environment.
I've scripted the deployment to avoid this kind of mistake.
ng build --configuration "${ENV}" && firebase deploy
where env var is set as an argument of the script
I have faced the same problem. Then I find Out the solution.
First goto your firebase project then click Authentication goto sign-in method then scroll down you will find Authorized domains add your live site link there. Hurrey Problem Solved.
Authentication > sign-in medhod > Authorized domains
firebase solution image
Please can anyone help with config/troubleshooting for Firebase authentication with GAE Python apps.
I've tried to get the Firenotes app working (https://cloud.google.com/appengine/docs/python/authenticating-users-firebase-appengine) but when the app loads there's a popup with the error: The operation has timed out. Dismiss.
The email authentication works fine, all OK: can login, save notes, logout.
The problem is with the Google OAuth login.
Clicking on the Google sign button gives an error:
This site can’t provide a secure connection.
firebaseapp.com didn’t accept your login certificate, or your login certificate may have expired.
ERR_BAD_SSL_CLIENT_AUTH_CERT
The project was imported into the firebase project and as far as I can tell the config of main.js and app.yaml is correct.
The GAE .appspot.com has been added to the OAuth authorized doamins
The same error is if running local or deployed to GAE.
If you go to the 'Overview' section of your firebase console. You can select to "add firebase to your web app". A screen pops up with the config information for the frontend main.js file.
Mind you, the apiKey in the client config needs to be set to the google cloud platform api key for the app engine project your using.
This will enable the login.
I am new to Google Endpoints and Datastore. I've followed several tutorials, among which this one for example: https://github.com/GoogleCloudPlatform/endpoints-codelab-android
My question is: what is the security mechanism that is used when we deploy the Endpoints backend application to Google App Engine? How does Google App Engine know you are the owner of the project? And I have this same question both for deployment through a terminal (See Step 6 of above tutorial) and for deployment through an IDE (e.g. through Maven in Eclipse).
I imagine that somehow the terminal (or the IDE) gets your credentials from the browser, which is logged in to the GAE console but I am not sure at all this is the good explanation.
Thanks! :-)
There are several ways to authenticate when deploying to Google App Engine. The recommended method uses OAuth2 to authenticate with Google (see below for another method). OAuth2 is the method used in the tutorial you mentioned (search for oauth in the link you sent), and is activated by the setting
appcfg {
oauth2 = true
}
in the build.gradle file of that tutorial. If you prefer the command-line appcfg interface, use the flag appcfg --oauth2.
When you installed the Google Cloud SDK, you were shown a web page in which you authorized the SDK to access and modify various Google Cloud services, including App Engine. The SDK locally stores a token which indicates that it is allowed to deploy to App Engine under your username. The oauth2 = true line tells appcfg to request access to App Engine using this token.
If you like, you can view (and revoke) this authorization by navigating to Google's Account Permissions page. You should see an entry for Google Cloud SDK, and clicking on it will show you that the SDK is authorized to access App Engine. If you click on "Revoke", the locally stored token will no longer be valid and you will need to re-authorize in order to use most of the Cloud SDK functionality.
If for some reason you do not want to rely on oauth2 (for example, if for security reasons you want to enter a password every time you deploy), then you can remove the oauth2 = true line (or the --oauth2 command-line argument). This will cause appcfg to prompt for your Google username and password each time you deploy. However, this is a lot less convenient, both because appcfg will not store your password, and because it does not support 2-factor authentication. So, if your Google account uses 2-factor authentication (which is really recommended), you will need to use an App Password with this approach.
How can I set up an app with no authentication on google application.
I built and deployed it, but now if someone goes to myapp.appspot.com they are asked to login to my google apps account?
How do I make it 'public'?
Assuming you are using python...
You are either requiring login in configuration in app.yaml:https://developers.google.com/appengine/docs/python/config/appconfig#Requiring_Login_or_Administrator_Status
And/or inside your application code. In python it would be #login_required decorator.
You have to specify access in your app.yaml or in the web handlers
see link here
The default is "public"