Due to App engine Quota, I have to find an alternative for accessing firebase realtime database from app engine. I had a though about using firebase REST apis with URLFetch service of google app engine. I tried but its not updating my firebase database.
String surl = "https://MyApplication.firebaseio.com/";
URLFetchService urlFetchService = URLFetchServiceFactory.getURLFetchService();
URL url = new URL(surl);
FetchOptions fetchOptions = FetchOptions.Builder.withDefaults();
fetchOptions.doNotValidateCertificate();
fetchOptions.doNotFollowRedirects();
fetchOptions.setDeadline(60D);
HTTPRequest request = new HTTPRequest(url, HTTPMethod.POST, fetchOptions);
request.setPayload("{ 'key': 'Some Kind of Value' }".getBytes());
HTTPResponse httpResponse = urlFetchService.fetch(request);
Related
I'm trying to authenticate a request from my Google Cloud Function to my API on App Engine (Standard environment).
I have something working, but I'm new to OAuth2 and am looking for a sanity check.
In my Cloud Function, I send an authenticated request to my API doing the following:
import { GoogleAuth } from 'google-auth-library';
// Send Request Code:
const auth = new GoogleAuth();
const tokenClient = await auth.getIdTokenClient(`/protectedEndpoint`);
await tokenClient.request({
url: `https://${process.env.GCLOUD_PROJECT}.appspot.com/protectedEndpoint`,
method: 'POST',
});
In the API (on App Engine), I do the following:
import { GoogleAuth } from 'google-auth-library';
// Handle Request Code:
const token = <Bearer token parsed from request headers>
const googleAuth = new GoogleAuth();
const tokenClient = await googleAuth.getIdTokenClient('');
const loginTicket = await tokenClient.verifyIdToken({
idToken: token,
audience: '/protectedEndpoint',
});
if (loginTicket.getUserId() !== process.env.SERVICE_ACCOUNT_ID)) {
throw new Error('Unauthenticated Service Account');
}
return 'Successful Authentication'
Note: In both cases, I'm using Google's default application credentials to initialize the GoogleAuth client. (my Default App Engine service account)
This all works. My function sends a request to my API, and my API is able to parse the bearer token and tell me that it came from my approved service account... but I'm not 100% confident that this is actually secure. Is it possible for someone to spoof my service account without having its credentials?
Thanks in advance!
Is it possible for someone to spoof my service account without having
its credentials?
A precise answer requires the specification of time. Given enough time and processing power, any authentication/authorization/encryption/hashing/signing method can be broken.
A Google service account contains an RSA 2048-bit private key. Current guesstimates are 300 trillion years to break RSA 2048 bit encryption. With the rapid advances in computers, let's assume your data will probably not be of any use/value by the time RSA is broken.
The private key is used to sign a JWT. The Signed JWT is used to request OAuth Access/Identity Tokens.
Spoofing would require signing with the same private key. Therefore, spoofing is not possible with today's technology.
Stealing/leaking the private key or the generated OAuth tokens is the only realistic method today.
I've successfully implemented this tutorial and have a client + server working locally.
However, the front-end application that I'm building is an Angular app - this means that it isn't possible to store a client secret in it..
Relevant code:
ConfidentialClientApplication cca = new ConfidentialClientApplication(Startup.ClientId, Startup.Authority, Startup.RedirectUri, new ClientCredential(Startup.ClientSecret), userTokenCache, null);
var user = cca.Users.FirstOrDefault();
AuthenticationResult result = await cca.AcquireTokenSilentAsync(scope, user, Startup.Authority, false);
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, apiEndpoint);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
How can I set my frontend up securely to work without having a client secret, based on the tutorial mentioned?
I'm currently using this angular library .
You can achieve this by using implicit grant flow
You can seamlessly integrate into any SPA application.
Follow https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-spa, this article helps you.
There is an SPA sample already available in GitHub, you can try https://github.com/Azure-Samples/active-directory-b2c-javascript-hellojs-singlepageapp
you can use oidc-client library instead hello.js in above sample, both are very similar and easy to implement.
I need to form a POST to publish a Google PubSub message. I can't use the client libraries because they use gRPC which is incompatible with Google App Engine. I can form the critical POST request, but I'm not sure how to authenticate it using OAuth2.
This link shows what I'm doing, but it obscures the authentication part.
https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/publish
(If GAE standard environment would support gRPC this would not matter.)
JSONObject obj = new JSONObject();
JSONArray attr = new JSONArray();
obj.put("script_name","foo_script.py");
obj.put("script_args","arg1");
attr.put(obj);
JSONObject jsontop = new JSONObject();
jsontop.put("messages",attr);
URL url = new URL("https://pubsub.googleapis.com/v1/projects/{my-URL}/topics/topic_run_script:publish");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
This code comes back "401 : UNAUTHENTICATED". How do I authenticate it?
App Engine has an API to fetch an access token that you can use to when calling Google services. For documentation and an example, see https://cloud.google.com/appengine/docs/standard/java/appidentity/#asserting_identity_to_google_apis
You might also be able to use the pubsub client library on GAE Std if you switch to the Java 8 environment. This doc implies that it should work.
I am currently making API calls to my backend using the Google Cloud Endpoint generated JavaScript Client. The problem is the cookies for my page are not being added to the HTTP requests. How can I add the Gitkit gtoken cookie to my request.
Backend is Google App Engine Java
Using Goole Cloud Endpoints to build my API
Using the Google Cloud Endpoints JavaScript web client loaded as follows gapi.client.load('myApi', 'v1', resourceLoaded, 'https://my-project-id.appspot.com/_ah/api');
I have already configured Google Cloud Endpoints, on the backend, to allow cookies. auth = #ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE)
My endpoint looks as follows.
#ApiMethod(path = "user-account")
public UserAccount get(HttpServletRequest httpRequest) {
GitkitUser gitkitUser = Gitkit.validate(httpRequest); // returns null
Cookie[] cookies = httpRequest.getCookies();
log.severe("# of cookies: " + cookies.length);
for (Cookie cookie : cookies) {
log.severe("cookie name: " + cookie.getName());
log.severe("cookie value: " + cookie.getValue());
}
/*
* Logs 1 for # of cookies, with a cookie name of "G_ENABLED_IDPS"
* a value of "google". No gtoken cookie, even though I have
* checked and there is one!
*/
...
}
I am making calls with the Google Cloud Endpoints JS client as so.
gapi.client.myApi.userAccountResource.get().execute(function (resp){
...
});
Is there something I have to do to make sure the Endpoints JS client includes the gtoken cookie in it's request?
You better add screenshots of cookies storage + request headers and create a plunker/jsfiddle/jsbin to reproduce the problem.
There are chances that cookies are not set or not send to server. You need to localize where is a problem. If it's sent over wire by browser then issue is on server side. If it's in cookies storage but not sent it's client issue. If it's not in storage there is just nothing to sent and it's a different problem to find out why they are not at client at all.
You can view cookies & requests headers in devtools of your browser. And yes, cookies are send automatically if not expired and match to host & path prefix.
I have created a database in the Parse.com cloud. I now need to write a Servlet in my Google App Engine application to call the REST services on Parse. The REST services require
user authentication which is the Parse app id and the Javascript key.
...
URL url = new URL("https://api.parse.com/1/classes/OBJECT");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestProperty("Content-Type", "application/json");
Base64 enc = new Base64();
String userpassword = "{PARSE_APP_ID}" + ":" + "javascript-key={PARSE_JS_KEY}";
String encodedAuthorization = enc.encodeBase64String(userpassword.getBytes());
connection.setRequestProperty("Authorization", "Basic " + encodedAuthorization);
connection.setRequestMethod("GET");
...
I use org.apache.commons.codec.binary.Base64 for encoding to get REST call authenticated.
The Parse.com REST API recommends using the following request format to make a HTTP call:
https://myAppID:javascript-key=myJavaScriptKey#api.parse.com/1/classes/GameScore/Ed1nuqPvcm
The problem is that I kept getting
{"error":"unauthorized"}
Is there anyone having the experience with working with calling a authenticated REST service? Thanks!
EDIT.
URL url = new URL("https://api.parse.com/1/classes/OBJECT");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("X-Parse-Application-Id", "{APP_ID}");
connection.setRequestProperty("X-Parse-REST-API-Key", "REST_ID");
connection.setRequestProperty("Content-Type", "application/json");
I still got the same error while the responseCode was "200".
Cheers,
Use the header version of authentication instead:
connection.setRequestProperty("X-Parse-Application-Id", "app id here");
connection.setRequestProperty("X-Parse-REST-API-Key", "rest key here");