I've been trying to implement OAuth2 for Go with App engine server to server request.
Here is the code (following the example):
oauthConf, err := google.NewServiceAccountJSONConfig(
"./key.json",
"https://www.googleapis.com/auth/adsense.readonly",
)
if err != nil {
log.Fatal(err)
}
client := http.Client{Transport: oauthConf.NewTransport()}
resp, err := client.Get(urlStr)
...
And I get the error message:
http.DefaultTransport and http.DefaultClient are not available in App Engine.
I'm pretty sure the json.key file is valid as for the other stuff
Googling lead me to understand that it is preferred to use urlfetch, but I can't figure out how to make the setup with the oauth2 config.
The NewServiceAccountJSONConfig returns a oauth2.JWTConfig
https://github.com/golang/oauth2/blob/master/google/google.go#L69-L87
Its .NewTransport() you are using:
https://github.com/golang/oauth2/blob/master/jwt.go#L86-L88
Defaults to the http.DefaultTransport, that is not supported on appengine:
https://github.com/golang/oauth2/blob/master/jwt.go#L163-L168
I would go for using the AppEnigneConfig instead (if possible). See http://godoc.org/github.com/golang/oauth2/google
c := appengine.NewContext(nil)
config := google.NewAppEngineConfig(c, "https://www.googleapis.com/auth/bigquery")
// The following client will be authorized by the App Engine
// app's service account for the provided scopes.
client := http.Client{Transport: config.NewTransport()}
client.Get("...")
Otherwise if you need to use ServiceAccountJSONConfig, you probably can, but you'll need to use urlfetch Client and Transport. Have a look how AppEngineConfig is set up: https://github.com/golang/oauth2/blob/master/google/appengine.go
Related
I wanted to authenticate myself (Google Account) using a golang client against protected apps on Google App Engine where login: required or login: admin is specified in app.yaml.
First I wrote a simple OAuth2 offline access client but it didn't work at all - the server just redirects clients to Google Account's sign in page. I've tried with various Google API scopes and currently no luck.
package main
import (
"context"
"fmt"
"io"
"log"
"os"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
)
const (
AppURL = "https://login-requried-app.appspot.com"
AuthClientID = "....."
AuthClientSecret = "....."
AuthRedirectURL = "urn:ietf:wg:oauth:2.0:oob"
AuthScope = "https://www.googleapis.com/auth/cloud-platform"
)
func main() {
ctx := context.Background()
conf := &oauth2.Config{
ClientID: AuthClientID,
ClientSecret: AuthClientSecret,
Endpoint: google.Endpoint,
RedirectURL: AuthRedirectURL,
Scopes: []string{AuthScope},
}
url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline)
fmt.Printf("Visit the URL for the auth dialog: %v\n", url)
fmt.Printf("Enter authentication code: ")
var code string
if _, err := fmt.Scan(&code); err != nil {
log.Fatal(err)
}
tok, err := conf.Exchange(ctx, code)
if err != nil {
log.Fatal(err)
}
client := conf.Client(ctx, tok)
res, err := client.Get(AppURL)
if err != nil {
log.Fatal(err)
}
defer res.Body.Close()
log.Println(res.Status)
io.Copy(os.Stdout, res.Body)
}
I'm looking for the details of GAE's user authentication modes used in such apps to write a non web browser client. I feel it's something different than standard OAuth2 authentication/authorization after reading App Engine Users API docs and code that is receiving user information via HTTP headers like X-AppEngine-User-Email.
Users Go API Overview
google.golang.org/appengine/user package document
user.Current() implementation (it's for flex env but almost the same in standard env)
UPDATE: After some research it looks like the GAE frontend uses SACSID cookie for tracking authenticated sessions, which isn't related to the OAuth2 standard. Indeed as stated in Users Go API document:
Note that using OAuth to identify your users is completely orthogonal to the standard user authentication modes. For example, pages marked with login: required or login: admin will refuse to load if the user is only authenticated via OAuth.
Is there any supported way for a CLI application to acquire SACSID properly authorized by user's consent?
Related questions:
Access an App Engine app from command line using OAuth2?
On Google App Engine, can I relate a Google OAuth 2 Token and a SACSID token I got using Android's AccountManager?
Given the situation you explain here, I suggest using a remote API. This way you can access App Engine services from your Go app.
First you have to configure your app.yaml file by adding the following:
- url: /_ah/remote_api
script: _go_app
You also have to add the following import to your .go source file:
import _ "google.golang.org/appengine/remote_api"
When this is done, deploy your updated app to App Engine:
gcloud app deploy app.yaml
The website I included here includes an example on how to use the remote API. You can try it and adapt your code if this works for you.
I'm trying to use Firestore in my AppEngine (standard environment) app written in Go. I've been following the "Getting Started with Cloud Firestore" guide and have been using the firestore package documentation to implement a simple example that works fine when running it on my local dev server.
However when I deploy the app and try the deployed version the call to DocumentRef.Set() fails with the error
rpc error: code = Unavailable desc = all SubConns are in TransientFailure
This is my code that reproduces the issue:
func init() {
http.HandleFunc("/test", testHandler)
}
type testData struct {
TestData string `firestore:"myKey,omitempty"`
}
func testHandler(w http.ResponseWriter, r *http.Request) {
ctx := appengine.NewContext(r)
var firestoreClient *firestore.Client
var firebaseApp *firebase.App
var err error
conf := &firebase.Config{ProjectID: "my-project"}
firebaseApp, err = firebase.NewApp(ctx, conf)
if err != nil {
fmt.Fprintf(w, "Failed to create a new firestore app: %v", err)
return
}
firestoreClient, err = firebaseApp.Firestore(ctx)
if err != nil {
fmt.Fprintf(w, "Failed to create a new firestore client: %v", err)
return
}
data := testData{"my value"}
_, err = firestoreClient.Collection("testCollection").Doc("testDoc").Set(ctx, data)
if err != nil {
fmt.Fprintf(w, "Failed to create a firestore document: %v", err)
return
}
firestoreClient.Close()
fmt.Fprint(w, "Data stored in Firestore successfully")
}
As mentioned before, on the dev server this works fine. So there the returned page contains the text Data stored in Firestore successfully.
When running the deployed code I get Failed to create a firestore document: rpc error: code = Unavailable desc = all SubConns are in TransientFailure instead. Why do I get this error and how can I avoid it?
I've raised an issue about this in the Firestore client library issue tracker and it seems like the situation is a bit complex.
When using App Engine the Firestore client library's network connections goes trough the App Engine socket library. However sockets is only available for paid App Engine apps:
Sockets are only available for paid apps, and traffic from sockets is billed as outgoing bandwidth. Sockets are also limited by daily and per minute (burst) quotas.
So this is the reason why the Firestore client library fails. For small scale projects it's possible to enable billing of your App Engine app and still stay within the free range. If billing is enabled it should work when the app is deployed as well.
However if you are living within the European Union you are not allowed to have a paid App Engine app for non commercial purposes due to Google policies:
If you are located in the European Union and the sole purpose for which you want to use Google Cloud Platform services has no potential economic benefit you should not use the service. If you have already started using Google Cloud Platform, you should discontinue using the service. See Create, modify, or close your billing account to learn how to disable billing on your projects.
So if you are in Europe or for some other reason are unable to use have a paid App Engine app you will not be able to use the Firestore client library.
One alternative in this case is to use the Firestore REST API instead and manually make HTTP requests to Firestore. It's a bit more work, but for smaller scale projects it works.
On AppEngine you need to create a client that uses Http client provided by urlfetch service.
The firestore.NewClient() function accepts ClientOptions parameters that you can create using WithHTTPCLient() function.
Here is an article on issuing HTTP requests from AppEngine Go.
That should help.
For some reason I cannot figure out how to send emails using a gmail account, Appengine and Golang.
Here's what I've done:
I went to Google Cloud Platform > Appengine > Settings > Select Project and I added the gmail account on Email API authorized senders.
I' tried to make this work using the code from (https://golang.org/pkg/net/smtp/#pkg-examples) (func SendMail)
package main
import (
"log"
"net/smtp"
)
func main() {
// Set up authentication information.
auth := smtp.PlainAuth("", "user#gmail.com", "password", "smtp.gmail.com")
// Connect to the server, authenticate, set the sender and recipient,
// and send the email all in one step.
to := []string{"recipient#example.net"}
msg := []byte("To: recipient#example.net\r\n" +
"Subject: discount Gophers!\r\n" +
"\r\n" +
"This is the email body.\r\n")
err := smtp.SendMail(smtp.gmail.com:587", auth, "sender#example.org", to, msg)
if err != nil {
log.Fatal(err)
}
}
On the front-end (JavaScript) I get an unsuccessful response after trying to run this code.
I've been running this on the appengine staging server
I tried different smtp server, ports, users and it still not work (support.google.com/a/answer/176600?hl=en)
I found a few examples on github and some other blog and I tried them but it didn't make different.
github.com/golang/go/wiki/SendingMail
nathanleclaire.com/blog/2013/12/17/sending-email-from-gmail-using-golang/
On all the examples it everything looks straight forward but there's something that I'm definitely missing or misunderstanding.
There're some limitations with establishing raw tcp connections on GAE:
https://cloud.google.com/appengine/docs/go/sockets/#limitations_and_restrictions
I would recommend to use GAE mail api (which is slightly diffrent from standart smtp package) to send emails:
https://cloud.google.com/appengine/docs/go/mail/sending-receiving-with-mail-api
I am trying to use LoginURLFederated for logging users in. My code is as follows:-
c := appengine.NewContext(r)
u, _ := user.CurrentOAuth(c, "")
if u == nil {
if loginUrl, err := user.LoginURLFederated(c, "/webservice/uid-test", "gmail.com"); err != nil {
http.Error(w, "here1"+err.Error(), http.StatusInternalServerError)
return
} else {
http.Redirect(w, r, loginUrl, http.StatusFound)
return
}
}
I got this error
here1API error 2 (user: NOT_ALLOWED)
When I change from LoginURLFederated to LoginURL function, it worked fine. What did I miss? I tried to use user.Current(c) as well, however, I didn't work either.
The reason I am doing this is because I am trying to verify the idToken that is being sent from an android app that uses google sign-in api for signing in. Google sign in api implements oauth2 standard and generate idToken for other app: in this case, my web app written in Go running on GAE, to use the idToken to verify the signed in user. More information about android google sign in is here https://developers.google.com/identity/sign-in/android/backend-auth#send-the-id-token-to-your-server
However, I didn't realize that Google ID that I received from calling user.LoginURL(c) in Go web app on GAE was different from the sub value (ID) received from calling Google idToken endpoint here
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=value
Then I realized that the IDs were generated by two different Google endpoints. I decided to use Google federated login function on the web app side to match the ID received from
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=value
since federated login implements openid (oauth) but I am receiving an unknown error API error 2 (user: NOT_ALLOWED)
Am I doing things right? Can federated login generate the identical id with the sub value (id) sent from google idToken endpoint?
I'm using Go on GAE. One of my tasks is sending an email. I am using this documentation successfully to test.
However, what if I do not want a request handler:
func confirm(w http.ResponseWriter, r *http.Request) {
c := appengine.NewContext(r)
...
But rather, send the email through a local func:
func confirm() {
...
Is there any way in Go to do this with GAE? I think what Im looking for is a way to call:
c := appengine.NewContext(r)
But without a request handler, or bypass it in any way possible (which Im reading is probably not possible)
I am thinking a work around could be making an http request from my application to my application - but wow is that ugly!
resp, err := http.Get("http://localhost:8080/sendMail?to=...")
NOTE: After attempting this -- ugly work around I get:
http.DefaultTransport and http.DefaultClient are not available in App Engine. See https://cloud.google.com/appengine/docs/go/urlfetch/
So this workaround is in fact NOT a work around in that urlfetch which is how GAE uses http.GET once again... requires c := appengine.NewContext(r)
You need an appengine.Context to interact with external services, including email and urlfetch. You will have to pass the Context instance into your confirm function.