GAE Endpoint Security testing with local dev envrionment - google-app-engine

I am trying to secure my GAE service endpoints. So I added the following annotations to my service class and deploy this service to GAE:
#Api(name="mytestapi",version="v2", description="An API for testing" ,
scopes = {Constants.EMAIL_SCOPE},
clientIds = {Constants.WEB_CLIENT_ID, Constants.ANDROID_CLIENT_ID, Constants.API_EXPLORER_CLIENT_ID},
audiences = {Constants.ANDROID_AUDIENCE})
When I try to access my service with the API explorer at the Google Development Server everything works fine. I receive the answer that the User is authorized but when I try to access this service from my local machine I just receive the message that the user is not authorized
GET http://localhost:8888/_ah/api/mytestapi/v2/ .....
Authorization: Bearer ya29.1.AADtN_X_Uku4qj0ehwOwRqLLmKvbIOOYOCC2KXOnVskUXT7Yy19bNsiIGepXTzI
X-JavaScript-User-Agent: Google APIs Explorer
401 Unauthorized
- Show headers -
{
"error": {
"message": "User is Not Valid",
"code": 401,
"errors": [
{
"domain": "global",
"reason": "required",
"message": "User is Not Valid"
}
]
}
}
Any Idea what I have missed to configure or what I am doing wrong?
Regards
Michael

In the credentials of your application, on the console Google, you have to add the localhost origin in the Javascript Origins, section Client ID for web application.

Related

How to implement email sending on behalf of a user in Microsoft Azure AD

What is the recommended architecture using Microsoft Azure AD to implement delayed mail sending on behalf of a user in a React frontend and Python backend?
I want the user to connect to their Microsoft account in the frontend and obtain the necessary tokens in my backend for subsequent use in sending emails on behalf of the user.
Should I use OAuth 2.0 or OpenID Connect for the user authentication in my frontend?
I am currently using MSAL in my frontend to allow the user to connect to their Microsoft account, but I am unable to obtain a refresh token in my backend. I have set my frontend as an SPA and my backend as a web application in Azure AD, but I am not sure if this is the correct configuration. Are there any best practices or recommended approaches to achieve this?
Progress shareing:
prog 1:
I obtained an authorization code in my frontend by following the instructions on this page:
https://learn.microsoft.com/en-us/azure/energy-data-services/how-to-generate-refresh-token#get-authorization.
I then sent this authorization code to my backend to obtain a refresh token, but I am encountering an error that says 'AADSTS9002313: Invalid request. Request is malformed or invalid.'
I suspect that the error is caused by the fact that I'm using different uri's in my frontend and backend. If this is the case, how can I pass the information needed to get the refresh token to my backend?
[Both endpoints included in web urls in Azure AD]
prog 2:
I have obtained an access_token using this method, but I am unable to obtain a refresh token. While the "client_credentials" grant_type works, the "authorization_code" grant_type is not working for me. I am unsure whether the issue lies with Azure AD or if I am not sending the correct body parameters.
prog 3:
Successfully obtain both an access token and a refresh token.
prog 4:
failed to send mail:
"{'error': {'code': 'ErrorAccessDenied', 'message': 'Access is denied. Check credentials and try again.'}}"
prog 5:
Email sent but the sender is user-id#outlook.com instead of user-email#domain.xx
Note that: If you want send mail on behalf of a user client_credentials flow. Use Authorization code flow for user interaction.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added Application permission:
I generated access token using Client Credentials by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
To send mail, I used below query:
POST https://graph.microsoft.com/v1.0/users/FromAddress/sendMail
{
"message": {
"subject": "hi",
"body": {
"contentType": "Text",
"content": "how are you"
},
"toRecipients": [
{
"emailAddress": {
"address": "****"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "****"
}
]
},
"saveToSentItems": "false"
}
As mentioned by you, using Authorization code is not working.
I created an Azure AD Application and added Delegated permissions:
I generated auth-code using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=mail.send offline_access
&state=12345
Now, I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:mail.send offline_access
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
To send mail, I used below query:
POST https://graph.microsoft.com/v1.0/me/sendMail
{
"message": {
"subject": "hi",
"body": {
"contentType": "Text",
"content": "how are you"
},
"toRecipients": [
{
"emailAddress": {
"address": "****"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "****"
}
]
},
"saveToSentItems": "false"
}
Reference:
user: sendMail - Microsoft Graph v1.0 | Microsoft Learn

Error 403, Metadata scope doesn't allow format FULL . Web application Gmail API get message through postman

I'm getting forbidden 403 error when hitting Gmail API get message through postman please help me how to solve this. error
https://www.googleapis.com/gmail/v1/users/userId/messages
this url for getting message list
https://www.googleapis.com/gmail/v1/users/userId/messages/id
this is for getting message for particular id
I can able to hit the get message list API but get Message API not working for me
I'M doing all these stuff through postman
error message :
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Metadata scope doesn't allow format FULL"
}
],
"code": 403,
"message": "Metadata scope doesn't allow format FULL"
}
}
This is another disappointing design in the Gmail API. I resolved this issue with the following steps:
Remove GmailScopes.GMAIL_METADATA from scopes setup.
Remove the credential file from your local FileSystem. This file is generated by Google's Authorization Flow which store your credential locally.
Re authorize your app by signing in again https://accounts.google.com/o/oauth2/auth?access_type=offline....
Hope this helps you guys out.

Google Drive upload file rest api returns 401 error

I want to store my json object to google drive.
And google authentication is working fine.
But when I am calling google drive api, it returns 401 error.
I set authentication, content-type, and content-length to api headers.
Not sure why this happen.
401: Invalid Credentials
Invalid authorization header. The access token you're using is either expired or invalid.
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization",
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Suggested action: Refresh the access token using the long-lived refresh token. If this fails, direct the user through the OAuth flow, as described in Authorizing Your App with Google Drive.

"Access not configured" when accessing google cloud endpoints from web app

I wrote a webapp with angularjs frontend, google app engine for storing data, and google cloud endpoints for api access from the frontend client. I tested everything fine locally, but after deploying, accessing the api from the frontend javascript client gives me the following error:
[
{
"error": {
"code": 403,
"message": "Access Not Configured",
"data": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
]
},
"id": "gapiRpc"
}
]
I've checked the production api explorer after deployment and it works fine. Also, I tried directly accessing the api by URL which also works fine. Just the frontend client does not work. Any ideas?
Turns out I set the API key in the client with gapi.client.setApiKey(API_KEY); where the API Key is the browser key from the cloud console. I removed this and it works fine. I have no idea what the API key is for.
I'm looking at the problem now on one of my projects. Might be that the ipv6 address must be registered for the project. Take a look at this post Google API returning Access Not Configured
The usual reason for this is that the API, which is being queried is not yet enabled in Google Console by the time of the request. Once it is turned on - error goes away.

Mirror API Playground not posting to timeline

I believe I've gone through all the steps of creating a (web) client-id for authorizing requests from the Mirror API Playground, yet when I hit the Authorize button, and then Insert a card from a template, nothing is sent to glass.
I also note that the Timeline tab below is empty.
Web I bring up developer tools, I note that the POST to https://www.googleapis.com/rpc is returning results:
[
{
"error": {
"code": 403,
"message": "Access Not Configured",
"data": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
]
},
"id": "gapiRpc"
}
]
Am I missing something in how to authorize the Mirror Playground?
You need to enable the Google Mirror API.
Do this by toggling the switch on the Services panel for your project as pictured here:
. This toggle will only be visible if you have been whitelisted for the Google Mirror API as part of the developer preview.

Resources