I am developing a custom skill in Alexa, and just trying to return a hard coded response on a https service endpoint on port 8443 based on my sample utterances and intent schema defined on Amazon Alexa Console.
While testing from Alexa Service Emulator i am getting error There was an error calling the remote endpoint, which returned HTTP 405 : Method Not Allowed
While accessing the endpoint URL from POSTMEN i do get below mentioned response
{"response":{"shouldEndSession":true,"outputSpeech":{"text":"All appliance are working as expected","type":"PlainText"}},"sessionAttributes":{},"version":"1.0"}
I am finding it hard to understand where i am doing wrong.
Alexa is pretty picky when it comes to hosting skills externally. It sounds like this could be the issue. It can be done, you just have the follow the rules Alexa defines.
From the docs
The service must support HTTP over SSL/TLS, leveraging an Amazon-trusted certificate.
The service must accept requests on port 443
For testing, Amazon accepts different methods for providing a certificate.
For details, see the “About the SSL Options” section of Registering and Managing Custom Skills in the Developer Portal.
Related
Authenticated calls between Google App Engine services
Is there a way to make Google App Engine services only callable within the App engine?
For example, I create service-a and service-b in my GAE.
By, default, service-a and service-b are public, so I can send requests to them without authentication.
I would like to make them unreachable from the public, but service-a and service-b can still communicate with each other.
Appreciate it if someone could help me with this.
Thanks.
Use Identity Aware Proxy to secure your services and allow access only to the App Engine Service Account. The benefit of IAP is that you don't need to make any changes in you code to secure your service.
After your service is secured by IAP, you can call it by adding the Authorization header with the service account's OIDC Token as bearer value. This is pretty easy to do with almost any programming language. Take a look at this link to learn how to do it.
I personally find the learning curve for anything related to IAP to be very steep.
An easy way to create your own authentication is to do the following:
Create a secret token and put it in the code of your services.
When your service calls another one of your services, put the secret token in the header.
The receiving service rejects calls that don't have your secret token.
Another way might be to look for the X-Appengine-Inbound-Appid header that Google adds. See https://cloud.google.com/appengine/docs/standard/python/reference/request-response-headers
I haven't done that so you should verify that it would work.
Lets assume your projects are "myprojectABC" and "myprojectDEF" and you want to allow request only for these projects.
ALLOWED_PROJECTS=["myprojectABC","myprojectDEF"]
ALLOWED_APS=["myprojectABC.appspot.com","myprojectDEF.appspot.com"]
Check for the header "X-Appengine-Inbound-Appid" if present and is in ALLOWED_PROJECTS, is authorized. if present and not in allowed project, then is not authorized.
If the header is not present, check header "X-Appengine-Taskname", if present check for the header "Referer" and make some comparisons with the allowed apps to authorize the request. Log the host header to understand how to convert and replace some parts ("-dot-") to build the project name.
if that header is not present check for the header "X-Appengine-Cron" if that header is present check for the header "Host" and if present check if is in ALLOWED_APPS, in that case authorize the request
if none of above, the request is from external site.
NOTE: The examples works for Python GAE, may be for other languages the notation of the app domain in 2) or 3) could change.
I have a react web application with a flask api (I used to use express). The product of this app is the data that it displays. I don't want other people to be able to take that data easily from calling the api.
I want to secure the api such that it can only be accessed by my react app and nothing else. How can I do that?
The only way to truly secure your API is by authenticating your app's user with something like Oauth2 and verify that credential on server-side with something like passport, and make the authorization expire with sessions. AND use SSL so none of that is easily visible through a protocol analyzer.
Sure, you can hard-code some sort of "secret key" with the app, but anyone who want it bad enough will read it off your app or sniff the packets through a packet logger until they find the key.
EDIT: Oh, and as a part of the authorization upon login, provide them with a uniquely generated "API-KEY" as part of identity, so you can validate them upon submission, and if they violate your trust, mark their API key invalid in the server so they can't use them any more.
First, if your client code and API server are running on different domains or ports, configure CORS on your API server to only honor requests that originate from the client code's domain. Second, authenticate legitimate users so that only authorized requests for data are honored. There are lots of 3rd-party libraries to help with authentication.
Since it is mandatory to register non app-engine endpoints as mentioned here,I can't register my endpoint and it shows the error: Invalid property URL; please specify a site or directory URL, not a page URL.Screenshot here
What can be the alternative?
Make sure you have:
A HTTPS server.
A valid SSL certificate.
Register the endpoint domain with the GCP project.
Register the https:// version of your site URL.
Configuring HTTP Endpoints
You need a publicly accessible HTTPS server to handle POST requests in order to receive push messages. The server must present a valid SSL certificate signed by a certificate authority and routable by DNS. You also need to validate that you own the domain (or have equivalent access to the endpoint). Finally, you must register the endpoint domain with the GCP project. Note that these steps are considerably simplified on App Engine, where SSL certificates are provided and verification requirements can be relaxed.
Step 1: Verify you have access to the domain
Complete the site verification process using Search Console. Be sure to register the https:// version of your site URL. For more details, see the site verification help documentation.
I have a GAE app set up to use a custom domain, let's call it mycustomdomain. This naked domain is working fine over HTTP and HTTPS. I also have a service called api, it can be accessed successfully by going to http://api.mycustomdomain.com (custom domain convention).
However, I can't access the api service over HTTPS. I uploaded a SSL for mycustomdomain.com, but I got an error (site can't be reached) for trying to accessing the api service over HTTPS. My question is do I need to purchase the wildcard.mycustomdomain.com SSL in order to access the api service over HTTPS? I don't have much experience dealing with SSL certs and GAE custom domain, so any help would be greatly appreciated. Thank you!
Edit: updated information for GCP Console configurations.
My app setup in the Console contains the following:
Services: default, api
Custom domain setup: mycustomdomain.com
SSL uploaded: ultrahdlivewallpaper.com (NOT the wildcard version), api.ultrahdlivewallpaper.com (unable to be enabled for custom domain, none matching)
More detail: The problem is when I map both ultrahdlivewallpapers.com and api.ultrahdlivewallpapers.com, they are both mapped to the default service. I want api. to point to the API service. If I only map ultrahdlivewallpapers.com, that allows me to access api service at the api subdomain, but then the api SSL can't be applied to api. subdomain because it's not listed as a subdomain.
07/24/17 Update: I believe this is a limitation with the App Engine Settings after trying out several scenarios via GAE Console. We have a custom domain set up for ultrahdlivewallpapers.com and enabled the SSL cert for this domain. The domain is pointing to the default service. We have a second service set up called API. Google's routing rules for any service set up is via HTTP:// service-id.custom-domain, which in our case is api.ultrahdlivewallpapers.com. However, when I upload the SSL for the api subdomain, Console couldn't find matching domains because the api subdomain is not specified via the Console. Now if I set up api.ultrahdlivewallpapers.com as a custom domain, I'm able to enable the SSL for api subdomain. Problem then becomes api subdomain is now pointing to the default service instead of the api service. If I remove the api mapping, I'm able to browse to the api service again, but no HTTPS! I don't believe there is a way to get this set up correctly without a wildcard SSL enabled for all subdomains. Please let me know if I'm missing anything. I have tried everything I can think of via the Console. Thanks.
You don't necessarily need a "wildcard" cert, per se. But, you do need to get a cert that covers all the subdomains. For example:
mycustomdomain.com
www.mycustomdomain.com
api.mycustomdomain.com
It's a standard solution, and not difficult to do. Certbot (Let's Encrypt) makes it easy.
If you choose to get a wildcard certificate installation is pretty straight forward:
You upload the certificate in the developer console (in App Engine -> Settings -> SSL Certificates -> Upload a new certificate). May require a bit of effort, see also Google App Engine SSL with Let's Encrypt "could not be inserted".
Once it's visible in the certificate table you can click on its name and you'll end up in the certificate edit screen where you can select which custom (sub)domains it applies to (from the list of all custom domains mapped in the app), looks like this:
Note: these are the corresponding custom domain mappings:
If you have another app (under the same admin account) which is also mapped to subdomains of the same domain you can activate the certificate on it as well in a similar manner (the console automatically shows the certificate in the list when you switch apps, no need to upload it again).
I am trying to authenticate a ruby on rails app through SAML with Azure Active Directory.
In the AD settings it is only allowing https not http URLs as the "reply url" AKA the ACS or Assertion Consumer Service.
My question is does the ACS url have to be over https, if so, is there a way to develop with an app on localhost?
For this specific issue, I always use tunnelling app https://ngrok.com/
Install and run
ngrok http 3000
Then you can use https
ADFS is somewhat specific and sometimes does not implement the SAMLv2 spec correctly (i.e. the IdP meta data has not been meta data schema compliant).
The ACS endpoint need not be secured on the transport layer, although SAMLv2 recommends this.
However as you might use a so called "frontchannel binding" (HTTP POST or HTTP redirect binding), why do you bother? The browser is doing the communiation, not the app. Only if you use a 'backchannel binding', like Artifact binding the App (acting as the SP) needs to talk to the IdP (not with the ACS in this case, but the "ArtifactResolutionService")