Google Appengine Remote API auth - google-app-engine

I've been using the remote API for Google App Engine for a couple of years. Several months ago I updated to the OAuth2 authorization approach as documented here, and everything has worked fine for months.
https://cloud.google.com/appengine/docs/java/tools/remoteapi
Today I ran into the following error
Exception in thread "main" com.google.appengine.repackaged.com.google.api.client.http.HttpResponseException: 401 Unauthorized
You must be logged in as an administrator, or access from an approved application.
I don't understand what changed or how to resolve it. I've made sure that I'm logged in with the correct account by using the following command.
gcloud auth login
Which successfully logs me in.
The account that I use to log in is a Google Apps account, which I suspect is the problem. I think the integration of Google Apps accounts with App Engine has changed, based on this old but seemingly related question.
https://code.google.com/p/googleappengine/issues/detail?id=1462
Any help would be appreciated. Thank you!

I had to use a @gmail.com account instead of my Google Apps account. It looks like changes are being made to Google Apps accounts to move functionality into the Google Cloud Platform.
Although I have things working again, I would prefer to use the username and password associated with my app domain, and it's not clear how to do that.

I had a myriad of problems, then switched from my Google Apps (Dasher) account to my @gmail account, and everything worked.
I suspect (but can't prove) that this is related to the turndown of ClientLogin on 12-Apr-2016.

Related

Blazor Standalone PWA offline Authentication/Authorization with AAD

I spent many days looking for a solution to my problem regarding offline authentication of a user in my Blazor Standalone PWA.
With .NET 5.0 I changed the authentication scenario on Azure AD from Web to SPA.
After that change, my PWA was not able to log the user in while in offline mode.
I work in Program.cs with AddMsalAuthentication and save the tokens and IDs in local storage with the help of MSAL.
If I'm online, everything works as expected: I can log in with the users, and the tokens are stored in local storage.
After changing the online state, the PWA tries to get the openid-configuration data from Azure.
I also tried to serve this request with the service worker, which worked quite well, but the token request after that also fails.
I searched and found the CarChecker app and the docs as well, but this didn't solve my problem.
Did I miss something, or is there really no way to make offline auth work in Blazor Standalone PWAs?

Re-gain user authorization after scope change in Google App Engine

I have a GAE app that requires end user credential to call Google Cloud APIs. I use the oauth2 decorator and it worked well in my first version. However, in my second version, I added another scope so that I can call another Cloud API.
I changed my code and re-deployed the app. However, the web app didn't ask me to re-authorize, and I got the 403 response with the message: "Request had insufficient authentication scopes." My teammate tested the app for me, and she was asked to authorize the correct new scope, so I guess the problem is that the app is still using the old scope for me.
How could I make the app re-prompt the consent form?
Thanks!
I got my answer from a coworker. I want to post it here in case anyone needs it.
"A user can revoke access by visiting Account Settings".

Google AppEngine Datastore admin tool authentication error

When I try to open the google appengine datastore admin tool it redirects me to:
https://ah-builtin-python-bundle-dot-myapp.appspot.com/_ah/login_required?continue=https://ah-builtin-python-bundle-dot-myapp.appspot.com/_ah/datastore_admin%3Fapp_id%3Dmyappid
and gives me a 500 error.
According to this appengine bug report:
https://code.google.com/p/googleappengine/issues/detail?id=10150&q=%22datastore%20admin%22&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log
"This looks to be a problem because you are using non-default authentication scheme.
Are you using user service/Google Accounts API for authentication of users inside your application? If not, consider changing your authentication method.
If you are, then you'll need to setup a custom domain and access the datastore admin via:
https://ah-builtin-python-bundle-dot-
so that the correct authentication cookies can be used."
I'm using simpleauth for authentication and have a custom domain with an SSL certificate.
I would love to be able to back up my datastore data; it's a pretty big risk for my site if I can't!
Any ideas?
Must have been a problem on Google's end, because when I tried again a few months later it magically worked.

Do all my future users need a Google account to access my web app hosted via GAE?

Total GAE beginner here.
Maybe a totally obvious answer. Maybe so obvious that I was not able to get clear information via search because nobody spent even a single thought on it.
I just uploaded my first test app to GAE, and in order to access it I need to log in with my Google account.
Why is that? If I want login logic for my app, I will implement it myself?
And if I do implement a custom auth mechanism: what is the user experience? Does a user need to first log in to his Google account and then to my app?
Do all my future users need a Google account to access my web app hosted via GAE?
Clarification would be much appreciated.
EDIT:
Switch to "Federated Authentication" shown here to deactivate the Google login screen.
This is clearly shown in the Google GAE documentation. Even a Google search for 'google appengine user authentication' shows it in the first result: https://developers.google.com/appengine/articles/auth

Appengine login and logout behavior

I deployed a web application using Google Accounts authentication on the App Engine server. If I log out of the app with the link from create_logout_url(), my Gmail in the same browser is also logged out. Is that normal behavior? Thanks.
I think it is absolutely normal. My experience is the same as yours.
Many Google services use the same cookies, I think. If you log into your Gmail, you can access Google Reader without logging in again.
It is for security purposes, I think.
