I try to make a SP hosted on Google app engine, with a third party IdP, and I'm facing multiple problems.
I'm using Spring SAML extension for java. I was able to run the stand alone (not in GAE) demo app, from the official guide http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/chapter-quick-start.html using as IdP idp.ssocircle.com.
Now my problem comes whey I tried to integrate this code in my GAE project. When running with GAE I can get to the phase where I'm redirected to do the login on ssocircle.com and from there when I should be redirected back to my page I'm getting this error: "Error 401 Authentication Failed: Error decoding incoming SAML message", and on local GAE server logs I can see this message
"[INFO] Dec 17, 2014 5:21:23 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry [INFO] INFO: I/O exception (java.net.SocketException) caught when processing request: Permission denied: Not allowed to issue a socket bind: permission denied."
I was wondering if this is a limitation from GAE regarding sockets: 1) Sockets are available only for paid apps (I don't have a paid app, but could consider this options) 2) You cannot create a listen socket; you can only create outbound sockets. 3) You cannot bind to specific IP addresses or ports. (for me this one sounds like it is my problem).
And whey I tried to deploy on GAE, the app remained in a start-up loop because of other errors regarding "nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThreadGroup")", that sounds like another GAE limitation to me.
At some point I was ready to gave up, because I was thinking that SAML Spring extension can't work with GAE, because of limitations present on GAE. But I see you have the same project running as a demo on GAE (or at least I think it is running on GAE because of the appspot part in domain name). https://saml-federation.appspot.com/saml/discovery?returnIDParam=idp&entityID=saml-federation.appspot.com
I would appreciate if you can give me some hints regarding my problems, and best would be if you could help me with the source code of this demo project (could not find it anywhere), and all configuration that is needed for GAE.
I've created a new repository https://github.com/vschafer/spring-security-saml-gae which includes instructions for deployment of Spring SAML applications on Google Application Engine. It also includes classes helping to avoid issues you're facing (sockets and threads).
In order to use it:
include the jar created from the repo in your project
use the provided org.springframework...StaticFilesystemMetadataProvider for loading of your metadata
in case you are using HTTP-Artifact binding replace bean org.springframework...ArtifactResolutionProfileImpl with org.springframework...google.ArtifactResolutionProfileGAE
Please comment if you spot some mistakes in the documentation or code.
Related
I deployed Java 11 app on Google Cloud App Engine, and app is running fine, I can see the home page in the browser, but when the app tries to call Microsoft Graph API (the HTTP call is executed by using Microsoft Graph SDK), I am getting runtime failure.
The failure relates to Google debugger, but I didn't even enable debugger. I found information that debugger is enabled by default when Google builds the container image. I have two options - either to figure out why I am getting 401 error for the debugger, and configure debugger properly, or disable debugger completely.
I tried to find information how to disable Google debugger for container image generation, but didn't find anything helpful. I also tried to find information how to configure debugger properly for app engine, and also was not able to find complete working instructions. Does someone know what I need to configure on App Engine to bypass this error:
java.io.IOException: Server returned HTTP response code: 401 for URL: https://clouddebugger.googleapis.com/v2/controller/debuggees/register
at com.google.devtools.cdbg.debuglets.java.GcpHubClient.registerDebuggee
Assuming your Java app is in an App Engine Standard environment and using the bundled services, then you are still using appengine-web.xml file for app configuration. As stated in GAE standard Issuing HTTP(S) Request documentation:
URL Fetch will handle all outbound requests and cause requests that you send to your VPC network or the client libraries to fail. If any of these scenarios apply to you, make sure that the url-stream-handler field in your configuration is not set to urlfetch.
This scenario includes Google Cloud Debugger Client for Java hence the HTTP error. As a workaround, you can omit the following line in the appengine-web.xml file:
<url-stream-handler>urlfetch</url-stream-handler>
I have a Quarkus application already deployed on Google Cloud Run.
It depends on MySQL, hence there is an instance started on Cloud SQL.
Next step in my deployment process is to add keycloak. From what I've read the best option seems to be Google App Engine.
The approved answer in this question gave me some good insight of what needs to be done ... mostly.
What I did was:
Locally I made a sub-directory in the main project.
In that directory I added the app.yaml and the Dockerfile (as described here for instance).
There I executed the said two commands: gcloud init and gcloud app deploy.
I had my doubts about this set up and they were backed up by the error I got eventually:
ERROR: (gcloud.app.deploy) INVALID_ARGUMENT: The first service (module) you upload to a new application must be the 'default' service (module). Please upload a version of the 'default' service (module) before uploading a version for the 'morph-keycloak-service' service (module).
I understand my set up breaks the overall structure of the project but I'm not sure how to mix those two application with the right services.
I understand keycloak is a stateful application, hence cannot live on Cloud Run (by the way the intention is for keycloak to use the same database instance shared with the application).
So does any one know a more sensible set up, or what can I move in mine in order to fix it?
In short:
The answer really is in reading the error message (thanks #gaefan) - about the error itself it explains enough. So I just commented out the service: my-keycloak-service line in the app.yaml (thus leaving gcloud to implicitly mark it as the default one) and the deployment continued.
Eventually keycloak didn't connect to the database but if I don't manage to adjust the configurations that would probably be a subject to a different question.
On the point of project structure and functionality:
First off, thanks #NoCommandLine and #guillaume-blaquiere for your input!
#NoCommandLine the application on Cloud Run is sort of a headless REST API enabled backend. Most of the API calls are secured by keycloack. A next step in the deployment process would be to port an existing UI (React) client on the Firebase hosting (or on another suitable service - I'm still not completely sure which approach is best) and in order for the users to work with this client properly they must make an SSO through keycloak first.
I'm quite new to GCP and the number and variants of the available options are still overwhelming to me - one must get familiar with the nuances but I guess it takes time. So I'm still taking suggestions on how to adjust my project structure to fit better the services stack. Thanks!
I've recently been migrating an App Engine (Go) app from Go 1.9 to 1.11. I've followed the steps in the
Migrating your App Engine app from Go 1.9 to Go 1.11 document, excluding the optional ones. I plan on doing the optional tasks later once I get this working.
I get the app to build and I can deploy it just fine. Most of everything works fine, with the exception of one API that is used to look up some info on a Google Play IAP. When I do that, I get the following error:
Error 403: Insufficient Permission: Request had insufficient authentication scopes., insufficientPermissions
I've checked, and the scope that I'm using is https://www.googleapis.com/auth/androidpublisher, which is still the scope listed in the Google Play Developer API documentation.
I'm using the App Engine default service account for the client by calling DefaultClient from the golang.org/x/oauth2/google library, which returns a client without an error
When I test the same code with Go 1.9, there are no authentication issues at all, and the API works. I'm guessing that these is something in the authentication setup which has changed but I can't find any documentation on it, nor on what I should do differently.
I have to imagine that a lot of people have had to do this migration, and I can't find any posts with this problem, so I'm lost as to why I'm getting it.
I think the issue is in the differences of runtime in Go 1.9 and 1.11. It doesn't seem to allow you to use Application Default Credentials anymore, you have to set them via a JSON file in 1.11. I found someone who had a very similar issue to you and they used a workaround by uploading a key and using that to get a Client.
Have a look here
Let me know.
On an App Engine application, deployed on standard environment with java 8 activated, I get the exception below if I use both Objectify 6.0 AND the tag <url-stream-handler>urlfetch</url-stream-handler> in the appengine-web.xml file.
com.google.cloud.datastore.DatastoreException: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Any idea how I can bypass that?
Things get back to normal if I remove the urlfetch tag (and activate the billing) or if I downgrade Objectify to v5.
I suspect what you're running into is one of the differences between the Java 7 and the Java 8 Standard Environments. There are substantial benefits to avoiding the urlfetch path, as Issuing HTTP(S) Requests notes (e.g. HTTP/2). In particular, the metadata server, which does automatic authentication for the Google Cloud SDKs when running on App Engine, isn't reachable using urlfetch (see that page).
I think your best option here is probably to enable billing, if you're comfortable with that. From the docs page:
Despite the requirement to enable your application for billing, your app won't incur any more cost than the same application running on Java 7.
If you'd still like to give urlfetch a try, I think the error you're encountering can be fixed by manually supplying credentials (e.g. bundling them in your app), but that won't be as secure or performant.
The best option is to use the
<appengine-web-app>
<url-stream-handler>native</url-stream-handler>
<appengine-web-app>
and enable billing. Without billing you can only use the legacy urlfetch and you have to face all these problems.
you can set credentials explicitly, like it is shown in the example below:
Resource credentialsCyberpower = resourceLoader.getResource("classpath:yourservice-datastore-access.json");
GoogleCredentials credentials = GoogleCredentials.fromStream(credentialsCyberpower.getInputStream())
.createScoped(Lists.newArrayList("https://www.googleapis.com/auth/cloud-platform"));
DatastoreOptions options =
DatastoreOptions.newBuilder().setProjectId("XXXXXX").setCredentials(credentials).build();
Datastore datastore = options.getService();
ObjectifyService.init(new ObjectifyFactory(datastore));
generate yourservice-datastore-access.json in IAM service accounts. working with Objectify 6.0.5
I am attempting to follow the tutorial at: http://www.youtube.com/watch?v=v9TG7OzsZqQ
My Cloud Endpoint REST API works well on my local development machine, but when I deploy to App Engine, I receive errors in my Admin Log that "API serving not allowed for this application".
Is this a paid feature that I must enable billing to receive? If not, is there documentation that explains this issue and how to fix this error?
To use Endpoints in production you need to be accepted into the trusted tester program. You can apply here. Mention this Stack Overflow post in your request and I'll see if I can expedite approval.