In my project, I'm combining App Engine and Container Engine services that need to communicate with each other.
The Container Engine service needs to make an authenticated request to my App Engine service. As I've used Application Default Credentials to talk to Google APIs previously, I was thinking I could also use them for my own service.
In App Engine yaml, I've defined the handler with the login restriction like this:
handlers:
- url: /.*
script: _go_app
login: admin
Simplified code to match what is used for making a request:
client, _ := google.DefaultClient(ctx, "https://www.googleapis.com/auth/cloud-platform")
req, _ := http.NewRequest("GET", URL, nil)
client.Do(req)
In IAM permissions, I've granted App Engine Admin permissions to the service account.
However, the result is a 302 which redirects to the Google login page.
Does this mean that this setup is not possible or that it's a configuration mistake?
By supplying login: admin in your app.yaml configuration file, you are telling App Engine to 302 redirect all requests to your '/.*' handler to a log in form. This form will then ask the requester for credentials, and will check the provided credentials again your set IAM Administrators to ensure they are a member of your project.
Since this is Server-to-Server communication using the Application Default Credentials, and not Client-to-Server, you can remove the login: admin client auth step in your app.yaml for this handler.
Related
I have created a tenant under my organization and registered an app for my testing react application. I have deployed my react application in one of the kubrnetes http server. Is there a way to add http url (react application uri which deployed in kubernetes) in Redirect URI in app registration.
I have given SPA during app registration
Account type - Single tenant
Checked both access token and ID token
The Redirect URIs must begin with the scheme https.
The HTTPS scheme (https://) is supported for all HTTP-based redirect URIs.
The HTTP scheme (http://) is supported only for localhost URIs and should be used only during active local application development and testing.
Please check this for more information
There is no other option available to use Http Schema.
I have a Python Streamlit app hosted in GCP via App Engine. Following this tutorial, I added an Idenity-Aware Proxy to secure the app.
The IAP is activated and the OAuth consent screen it set to internal.
In the IAP settings, I added myself and a fellow both with the "IAP-secured Web App User"-role.
While I can access the app after login with my associated google account, he gets and "Error 403: org_internal" error when login within his associated google account.
What I already tried:
Setting the OAuth consent screen to external (test mode) and added both of us
Adding him to our GCP organization
None of both approached worked. He just can't access the app after all.
Any ideas what I am doing wrong?
I am creating a Google App Engine application using PHP 5.6 in the 'Flex' environment.
I have deployed the application to GAE successfully and can see the pages when authentication is disabled.
When I attempt to add basic route authentication by updating the handlers in my app.yaml file to include either login: required or login: admin to specific routes, instead of being redirected to sign in as expected, I receive a 403 Forbidden response. Even if I attempt to visit the same page in a browser other than Chrome, or with an incognito window, I still get a 403.
Steps Taken
Create the GAE Project
Enabling Billing
Enabling the Google+ API within the API Manager in the Google Cloud Console
Updating the app.yaml file to include a login-protected handler
Ensuring that my Google Account has Owner access in the IAM & Admin section of the Google Cloud Console, as per Enforcing sign in and admin access with app.yaml
Ensuring that the Google authentication setting is set to Google Accounts API within the App Engine -> Settings menu in the Google Cloud Console
Deploying the Application to GAE by using gcloud app deploy app.yaml from the root directory of the project on my local machine
Opening the project in my browser by running gcloud app browse
Verifying that the elements within my app.yaml file match with the app.yaml Reference
app.yaml [snipped]
handlers:
- url: /.*
script: index.php
login: admin
Have I missed anything obvious or not-so-obvious? I can't seem to find a cause or a solution to this problem. Thanks in advance for any help you might be able to provide!
Unfortunately, the login: admin protection doesn't work with App Engine Flex:
https://cloud.google.com/appengine/docs/flexible/php/migrating#users
I've developed a simple AppEngine application for my Google Apps domain. Access is restricted to users in my domain, and the app is enabled in the admin console for the domain.
The authentication/authorization in the application is done using decorators, using the JSON client secrets downloaded from my API console. I've created the client secrets of type "Client ID for web applications".
My main handler, on the GET method, is as follows:
#decorator.oauth_aware
def get(self):
if decorator.has_credentials():
.... do stuff .....
else:
self.response.out.write("decorator doesn't have credentials")
The problem is that the application works well when I'm logged in my account. For all other users in the same domain, I get the "decorator doesn't have credentials" error.
any clue on why this is the case?
the problem was actually quite simple: the user was not logged in and, instead of presenting a login window, the app was crashing.
to present a login window we should use #decorator.oauth_required instead of simply oauth_aware, and put login: required in the app.yaml file
I am quite new to openID and GAE and there are lots of documentation that I get confused. So
I am building a Java web application.
I have GAE for Business.
As I understand GAE are automatically become openID providers. Can I in my Java web app identify only my GAE users using openID, like when user clicks login button it redirects to my GAE login page and identifies them? If user is not my GAE user my Java app rejects the access.
If something is not clear just tell me, because English is not my native language.
I am not really sure I got you right but if you want only the users you have invited the relevant emails to your application through appspot.com under permissions, you can include in your relevant handlers in your app.yaml file the login parameter like that.
handlers:
- url: /.*
login: admin
In case the user is trying to login is not under your application's permission list he will receive an unauthorized error.