OAuth2 in Go with Google App Engine - google-app-engine

I'm looking into using OAuth2 with Go in Google App Engine.
Here is a link with an example:
https://developers.google.com/appengine/docs/go/users/#Go_OAuth_in_Go
But this remark isn't clear to me:
Note that using OAuth to identify your users is completely orthogonal to the
standard user authentication modes. For example, pages marked with
login: required or login: admin will refuse to load if the user is
only authenticated via OAuth.
Does this mean I can't use the standard authentication mode with OAuth?
Can I use other providers like Facebook with the user package?
Or is it better to use this package instead of the default user package?
https://code.google.com/p/goauth2/
Are there disadvantages to using this?
(I only need it for authentication)

This just means that the app.yaml/module.yaml key "login" won't consider users who have authenticated via OAuth to be authenticated and will deny them access to that resource.
For example, if you have created a page at /admin/ and you want GAE to enforce that only people who have authenticated can access that page, then you need to ensure that they have authenticated using a google account, not an OAuth login. Anyone accessing that after they have logged in using OAuth will still appear unauthenticated to GAE.
All that this means is that if you have pages you only want authenticated people to see and you want to support OAuth as a valid authentication method, then you need to not have the "login" key set for those resources in the .yaml file. Then it's up to you to enforce that they have been logged in before allowing them access to that resource. GAE can't help you out in that case.
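An added example of the pattern the answer describes, in Go since that is the runtime the question is about (this is not code from the question, the answer, or App Engine itself): the resource is left without a "login" key in the .yaml file and the handler does the gatekeeping instead, accepting either a Google Accounts session or an OAuth bearer token. The `sessionUsers` and `oauthTokens` maps, the `session` cookie name and the `requireAuth`/`identify`/`NewMux` helpers are constructed stand-ins for the users service and the provider's token validation, chosen so the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed stand-ins for the two identity sources. In a real App Engine app
// the session lookup would be the users service and the token lookup would be
// the OAuth provider's token validation; these maps exist only so the example runs.
var (
	sessionUsers = map[string]string{"sess-google-123": "alice@example.com"} // Google Accounts session cookie -> user
	oauthTokens  = map[string]string{"tok-oauth-456": "bob@example.com"}     // OAuth bearer token -> user
)

// identify returns the user behind r, accepting either a session cookie or a bearer token.
func identify(r *http.Request) (string, bool) {
	if c, err := r.Cookie("session"); err == nil {
		if u, ok := sessionUsers[c.Value]; ok {
			return u, true
		}
	}
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		if u, ok := oauthTokens[strings.TrimPrefix(auth, "Bearer ")]; ok {
			return u, true
		}
	}
	return "", false
}

// requireAuth does in the handler what a "login: required" entry in app.yaml
// would do for Google Accounts only: reject any request identify cannot name.
func requireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := identify(r); !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="app"`)
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// adminHandler is the protected page; it runs only after requireAuth succeeds.
func adminHandler(w http.ResponseWriter, r *http.Request) {
	user, _ := identify(r)
	fmt.Fprintf(w, "hello %s", user)
}

// NewMux builds the router so tests and main share the same wiring.
func NewMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/", requireAuth(adminHandler))
	return mux
}

func main() {
	http.ListenAndServe(":8080", NewMux())
}
```

The point of the wrapper is that the decision moves entirely into application code: anyone who only has an OAuth token is accepted here, which is exactly what the platform-level "login" key would never do, and conversely a request with neither credential gets a 401 rather than silently reaching the page.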

Related

Is admin consent required in a native app using Directory.AccessAsUser.All?

According to this page, admin consent should not be required for a native app using Directory.AccessAsUser.All
As a side note, for native applications, this permission behaves like a User permission instead. A native app does not have an identity per se, and it is already doing the direct user’s bidding anyway. It stands to reason that the app should be able to do what the user is able to do, just as happens on-premises when a classic native client (say Word or Excel) can or cannot open a document from a network share depending on whether the user has the correct permissions on that folder.
I'm not seeing this in practice. The "API Permissions" page in Azure portal warns me that admin consent will be required, and users attempting to sign in using my app also get told that admin consent is required.
I haven't provided a Web redirect URL, just checked https://login.microsoftonline.com/common/oauth2/nativeclient under the Public Clients section. I'd expect this to be enough for admin consent not to be required, but it doesn't seem to be the case.
Is the doc above wrong, or am I missing something?
That page is wrong; the consent framework doesn't allow a permission to be Admin/User.
If it is marked Admin, it requires admin consent.
That may have been right in the past though.

Get logged in user information in SAML Single Sign On google app engine

I am trying to get the user who is logged in via SAML Single Sign On.
I have already implemented SAML Single Sign On and it works.
The code I use for programmatic login is:
import logging
import gdata.apps.service
from google.appengine.api import users

apps = gdata.apps.service.AppsService(email=username, domain=domain, password=password)
apps.ProgrammaticLogin()
logging.info("current user %s", users.get_current_user())
# Redirect to a Google mail page.
But users.get_current_user() always returns None even though the correct username and password are provided. I have cross-checked it by redirecting the page to the Google Mail page and it successfully redirects.
I have googled this issue for hours now and nothing goes the right way.
Can anyone please guide me on what I am doing wrong?
There are three different things going on here; I just want to make sure they are clear for my suggested answer to make sense:
Google App Engine users service: You, as the developer, delegate authentication and authorization responsibility to Google Accounts (or the selected OpenID provider). Google will act as the Identity Provider and you'll act as the Service Provider.
SAML single sign on: Google delegates to you the authentication and authorization responsibility; you'll act as the Identity Provider and Google will act as the Service Provider. You'll be using SAML SSO every time you try to log in to any Google service using your Google Apps account, and that includes Google App Engine applications using the users service.
ClientLogin: It is one of the methods for authenticating to use a Google API by giving username and password. It's deprecated, it's hard to maintain and insecure since you are hard coding the credentials and the app could have access to everything. I'd recommend switching to OAuth instead. In the first two lines of code you are initializing the Google Apps provisioning API with gdata.apps.service.AppsService; if you are not going to retrieve or create users/groups/aliases it is useless to do that. If you are, I'd also recommend switching to the Directory API, part of the new AdminSDK.
For your particular case I'd suggest checking if there is a current user logged in, if not redirect to the login URL using the GAE users service.
import logging
from google.appengine.api import users
# redirect and request come from the web framework the handler runs in (Flask-style names here)

user = users.get_current_user()
if user:
    logging.info("current user %s", user.email())
else:
    return redirect(users.create_login_url(request.url))
In case you always require that the user is logged in, you'd better set the handler as login: required
The user will be redirected to the SAML SSO page to log in to his Google Account in order to access the GAE app.

Can we specify a domain when redirect user to sign in with oauth2 in appengine?

When we were using the UserService API, we could specify a domain when generating the auth URL. But when we switched to OAuth2 (with the Google client library for Java), we are using AuthorizationCodeFlow.newAuthorizationUrl() to generate the auth URL, and we cannot specify any domain. So, for example, if one customer is already logged in with his Gmail account on some other Google site but wants to sign in to our app with another Google Apps account, he has to log out from the Google site, since the auth flow always gets the Gmail account credential; we don't have a way to force him to log in to a specific domain. We didn't have this issue when using the UserService API.
Just want to know if there is any solution for this.
If you attach "hd=$domain" to the OAuth2 authorization request query parameters it will prompt the user to log in to that domain (if the user is not yet logged in) and/or optimize selection of the user's account in that domain.
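An added example of building the authorization request with the hd parameter the answer mentions, written in Go rather than with the Java client library (this is not code from the question, the answer, or any Google library; `BuildAuthURL`, `AuthRequest`, `HostedDomainOK` and the client id, redirect URI and state values are constructed for the example, and the endpoint constant is Google's OAuth 2.0 authorization endpoint as assumed here). It also shows the check a practitioner should add after sign-in: hd only steers the account chooser, so the app must confirm the hd claim of the ID token it gets back actually names the expected domain.

```go
package main

import (
	"net/url"
	"strings"
)

// googleAuthEndpoint is Google's OAuth 2.0 authorization endpoint (assumed current).
const googleAuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"

// AuthRequest collects the parameters of one authorization request.
type AuthRequest struct {
	ClientID     string
	RedirectURI  string
	Scopes       []string // requested scopes, e.g. openid and email
	State        string   // CSRF token bound to the user's session
	HostedDomain string   // Google Apps domain for the hd parameter; empty omits it
}

// BuildAuthURL assembles the authorization URL by hand; it is a hypothetical helper,
// not the Java client library's AuthorizationCodeFlow.newAuthorizationUrl().
func BuildAuthURL(a AuthRequest) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", a.ClientID)
	q.Set("redirect_uri", a.RedirectURI)
	q.Set("scope", strings.Join(a.Scopes, " "))
	q.Set("state", a.State)
	if a.HostedDomain != "" {
		q.Set("hd", a.HostedDomain) // steers the login/account chooser to that domain
	}
	return googleAuthEndpoint + "?" + q.Encode()
}

// HostedDomainOK checks the hd claim of the ID token returned after sign-in.
// The hd query parameter is only a hint to the chooser, so the app must still
// confirm the account it got back belongs to the expected domain.
func HostedDomainOK(claims map[string]interface{}, want string) bool {
	hd, ok := claims["hd"].(string)
	return ok && hd != "" && strings.EqualFold(hd, want)
}

func main() {
	println(BuildAuthURL(AuthRequest{
		ClientID:     "example-client-id", // constructed placeholder
		RedirectURI:  "https://app.example.com/oauth2callback",
		Scopes:       []string{"openid", "email"},
		State:        "constructed-state",
		HostedDomain: "example.com",
	}))
}
```

Without the claim check, a user who dismisses the domain hint and signs in with a personal account would still complete the flow, which is the gap the hd parameter alone leaves open.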

Request extra permissions logging with google app engine

App Engine has by default an integrated Google sign-in feature, which gives back the current authenticated user's email and ID (permission is asked of the user beforehand).
I was wondering if App Engine has an option to extend the permissions asked of the user to include more scopes, for example contact information or managing a YouTube account.
Or is it only possible via OAuth authentication?
No, you can only do this via OAuth.
The User API uses OpenID, which does not support "scopes". OAuth does support scopes, so you should use it if you need broader access to the user's profile.

Appengine application as OpenId provider. Is it possible?

I have an application hosted on Google AppEngine. This app requires user authentication. I know that users can be authenticated through OpenID, Google Accounts and so on. However, some users don't have any of these accounts. Thus, I have to suggest that they create an OpenID or a Google Account before they are able to access my application.
I was wondering if it's possible to host an OpenID provider inside AppEngine. This way, instead of suggesting the user go away, create an OpenID and later come back, I could simply display a simple form. In this form, the user could create their new account and, at the same time, create an OpenID, since the application would also be an OpenID Provider.
I'm not sure if I could host an OpenID provider inside AppEngine. Could I?
Thanks a lot
http://code.google.com/p/google-app-engine-samples/ contains a sample OpenID provider application. It uses Google accounts to authenticate, but it shouldn't be too difficult to use it to create your own accounts.
Of course, it's a bit bizarre that you want to create accounts on your service for the users but then use OpenID to authenticate them from that service to itself; why not just have a non-OpenID login in addition to OpenID if you want to manage some users' accounts yourself?