Get appengine account email from token - google-app-engine

I have a little appengine app running for me and my friends and forgot the email address I created it with (I still know the password though). While I can't log into the admin interface I still have the ~/.appcfg_oauth2_tokens file and can still deploy code to it from the commandline.
Is there any way to find the email address this way? I checked the documentation but I didn't find any way to programmatically get the email address that owns the app. I also looked for how to get user info from the Google user API with the access_token from the file but only got "invalid access" errors.
Is there any way to find out the email address that I used to create the app based on the access_token?

It IS possible to get the user email from a token, but ONLY if its scopes included a scope that has access to the user email. See: https://developers.google.com/identity/protocols/OAuth2UserAgent#tokeninfo-validation
However, don't get excited yet, as in your case it's very unlikely that your token would have it unless you had specifically added a scope like userinfo.email to the scopes when you got that refresh token originally.

No, there's no way to get an email address from an OAuth token, even your own.

Related

Azure B2C Issues and Questions

I've been working with the Azure B2C for a couple of days now and have a few issues and questions:
URL that it creates to redirect for login is formed incorrectly. It contains a question mark twice - after the URL, and again after the profile name. This causes a 404 not found error every time you login, log out, etc. For example, the URL it tries to redirect to for login looks like this: https://login.microsoftonline.com/samlmanbc.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_firstdemoprofile?client_id=08fcblahblah. You'll notice a second question mark after the profile name, and that's what breaks it.
If I fix that and try and log in, it doesn't recognize the username / password of my account that's a global admin. It DOES recognize the username / password of a new user I created locally in the directory.
In the OnRedirectToIdentityProvider method, when the request type is authentication, the AuthenticationResponseChallenge is null, which makes this call fail:
OpenIdConnectConfiguration config = await mgr.GetConfigurationByPolicyAsync(CancellationToken.None, notification.OwinContext.Authentication.AuthenticationResponseChallenge.Properties.Dictionary[Startup.PolicyKey]);
I worked around this by using the static string SignInPolicyId for the second parameter. That works fine when an account already exists, but if it doesn't then Azure fails at login and says an account doesn't exist for the user. So what is the right value to use there, and/or how does one initialize it so it isn't null?
The type of a claim that was added to a profile is preceded with "extension_"; is that always going to be true or just for now? For example, I added a property called "favoriteTeam", but the claim type for it is "extension_favoriteTeam".
When you use FaceBook as an identity provider, is there any way to pass along the Facebook access token claim (http://www.facebook.com/claims/AccessToken)? This was useful when using ACS with Facebook because your app can then use that token to make additional calls to Facebook to get data from it.
In relation to issue 1 - I updated my reference Microsoft.IdentityModel.Protocol.Extensions to v1.0.2.206221351 and it started working. I made some updates to other references before this, so if the first one doesn't work, try updating more assemblies from NuGet.
This is as expected. A page that signs in "local account" users will not sign in your work or school account (in this case, the global admin user).
Always going to be true. We will be cleaning up the Admin UX to make this more clear.
This is on our roadmap. No ETA as yet.

Facebook Taggable Friends

I am trying to get all the friends of the user currently signed in. I tried /me/friends but that didn't work as it returns only the users using my app already. I then tried https://graph.facebook.com/me/taggable_friends?access_token=somecodehere
In the browser it says
"To use taggable_friends on behalf of people who are not admins,
developers and testers of your app, your use of this endpoint must be
reviewed and approved by Facebook. To submit this feature for review
please read our documentation on reviewable features:
https://developers.facebook.com/docs/apps/review"
But when I do a GET (using Angular.js) on this URL with a valid access token using my application, it returns me a list of my friends, with their id, name, picture. Why is this happening? How can my app get the data if my browser cannot?
Also, the picture currently returned is too small. How can I get the email and larger picture of all my friends in this response?
Any help is highly appreciated.
PS: I am building a cordova app and getting access_token via CordovaOAuth.
taggable_friends works for you because it works without review for everyone with a role in the App (Admin/Developer/Tester). You only need to go through the review process if you want to go public with your App.
That being said, taggable_friends is for tagging only, a larger picture is not necessary for that and you definitely can't get their email. What would you do with the email of friends who have not even authorized your App? You would not be allowed to use those emails anyway. You can ONLY get the email of a Facebook user by authorizing that user with the email permission.
More information about getting access to friends: Facebook Graph Api v2.0+ - /me/friends returns empty, or only friends who also use my app

How do I send email from a domain account when the domain was added using the NEW console on App Engine?

Here's the situation: I have successfully set up email to come from a custom domain on App Engine before, but that was always done through the Google Apps for Business set up process. This time I have added the custom domain through the new developers console instead (https://console.developers.google.com/project/[APP_ID]/appengine/settings/domains) and now I'm getting the "unauthorized sender" error every time.
I've tried a lot of variations on the set up process, checked for typos or other potential bugs repeatedly, and scoured both the docs and Stack Overflow without finding an answer. Most of the docs and answers that come up seem woefully out of date. The docs hardly ever reference the new developer console or the fact that Google Apps for Business doesn't have a free tier any more. And most of the answers seem to ignore the fact that the docs (https://cloud.google.com/appengine/docs/python/mail/sendingmail) explicitly state that "Domain accounts do not need to be explicitly verified, since you will have verified the domain during the registration process."
So has anyone actually gotten domain accounts to work with the new process? Do I have to modify DNS records? DKIM? Something else I'm missing? Any insight would be much appreciated.
As stated in the docs:
For security purposes, the sender address of a message must be the email address of an administrator for the application or any valid email receiving address for the app (see Receiving Mail). The sender can also be the Google Account email address of the current user who is signed in, if the user's account is a Gmail account or is on a domain managed by Google Apps.
So only logged-in Google accounts or admin (owners in the new console) addresses can be used to send emails through GAE. If you want to use a set of custom domain addresses you can either:
1) Add and validate all those addresses as owners in the project's "permissions" settings.
2) Use an external party to send your emails through a Web API, e.g. SendGrid, which gives you 25.000 emails/month for free for GAE developers (https://cloud.google.com/appengine/docs/python/mail/sendgrid)

How to "hang on" to Angular scope variables after authentication via OAuth service (like google)

Here's the problem I am trying to solve (I'm 100% sure I'm asking the "right" question) in my node.js / angularJS web application:
Authenticated members of the app can "invite" anyone with an email address.
Invitees can register using Google (OAuth 2.0) or with their email address and password.
In either scenario, it's possible that the invitee chooses to register with an email address (either a google one or one they type in) that differs from the email to which the invitation was sent.
I want to associate the two emails, and am having trouble figuring out how to do so.
My current approach:
The URL in the invitation email includes a unique parameter which references the email of the recipient. When that link is followed, I store that parameter using an angular service - the same that I use for storing the user once they are authenticated.
The problem (or at least one of them):
When I call the Google authentication and it subsequently returns the user to my site via the callbackUrl, my Angular service instance no longer has a reference to the initial invitee's email, which I assume is expected since the user left the Angular application and then returned. Thus, I can't compare it to the email returned by the Google authentication and, if they are different, prompt the user, join them, whatever.
What is the best way to toss that reference I take from the link that first took the user to the site to the other side of the OAuth process?
Or, is there a different approach entirely I should consider?
You would be able to pass a state parameter in your OAuth request. Google then returns the same parameter back with the OAuth response:
https://developers.google.com/accounts/docs/OAuth2UserAgent -> parameter: state

Use Oauth 2.0 in google app engine with java

I would like to use OAuth 2 for an application in Google App Engine with Java, but I don't find any good example of that use. I would be very thankful if somebody could help me please; it is somewhat frustrating not to find good examples. Thank you.
My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
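The code-for-tokens step and the bookkeeping the steps above insist on (user id into the session, refresh token persisted only when Google returns one, since it is blank on repeat authorizations), as an added Node.js example that is not from the original answer. The function names, the session and store shapes, and the sample token responses (constructed) are assumptions.

```javascript
// Added example (not from the original answer): the code-for-tokens step plus
// the bookkeeping the answer stresses: put the Google user id in the session
// and persist the refresh token only when Google returns one (it is absent on
// repeat authorizations). Names and the session/store shapes are assumptions.

// Body of the POST to Google's token endpoint (see the OAuth2WebServer docs).
function tokenRequestBody(code, clientId, clientSecret, redirectUri) {
  return new URLSearchParams({
    code, client_id: clientId, client_secret: clientSecret,
    redirect_uri: redirectUri, grant_type: 'authorization_code',
  }).toString();
}

// The stable Google user id is the `sub` claim of the id_token. It arrived
// directly from Google over TLS in the code exchange, so decoding the payload
// is enough here; an id_token from anywhere else needs signature verification.
function userIdFromIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  if (!claims.sub) throw new Error('id_token has no sub claim');
  return claims.sub;
}

// Apply a parsed token response: session gets the user id; the store gets the
// refresh token on the first visit and keeps the stored one afterwards.
function handleTokenResponse(resp, session, store) {
  if (resp.error) throw new Error(`token exchange failed: ${resp.error}`);
  const userId = userIdFromIdToken(resp.id_token);
  session.userId = userId;
  if (resp.refresh_token) store.set(userId, resp.refresh_token);
  // Neither stored nor returned: the user has to authorize again.
  if (!store.has(userId)) throw new Error('no refresh token; re-authorization needed');
  return { userId, accessToken: resp.access_token, refreshToken: store.get(userId) };
}

// Constructed sample data standing in for Google's JSON responses.
const b64url = (s) => Buffer.from(s).toString('base64url');
const SAMPLE_ID_TOKEN = [b64url('{"alg":"RS256"}'),
  b64url('{"sub":"1234567890","email":"invitee@example.com"}'), 'sig'].join('.');
const FIRST_VISIT = { access_token: 'ya29.first', expires_in: 3600,
  refresh_token: '1/refresh-abc', id_token: SAMPLE_ID_TOKEN };
const REPEAT_VISIT = { access_token: 'ya29.second', expires_in: 3600,
  id_token: SAMPLE_ID_TOKEN };
```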
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
It's from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Oltu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/