I'm using cloud endpoints with authentication on python environment.
And I have two registered apps, one is native, other is web, on Cloud Console.
In native app, I can use my apis after authentication. But in web app, below error is happened.
Oauth framework user didn't match oauth token user.
The sequence is below:
I can get the result of gapi.auth.authorize() with token.
And when I call gapi.client.oauth2.userinfo.get(), I can get user info without error.
But when I call my api, I get this oauth error.
Of course I added client ids(native, web, api explorer) to allowed_client_ids.
But if the client id of web is removed, same error is happened and no warning about client id missing.
(As far as I know, If the client id in the request is not in allowed_client_ids, the warning about Client ID is not allowed is in the log)
And when I call api through the api explorer, same error is happened.
I don't have any idea how to investigate about this error with this short log message.
Is there any check points, suggestions?
Sorry for my poor English.
thanks,
UPDATE:
After some investigations, I've got root cause, it's Authentication Type of the application.
The Authentication Type of my application is Google Apps domain.
I created another application with Google Account API authentication type and deployed same code,
I can get user info from get_current_user().
In the document, Cloud Endpoints project is created through Cloud Console,
but my application is created through AppEngine Console before.
thanks,
Related
I need to make an app via app engine, I am familiarizing with the [demos] (https://github.com/google/earthengine-api/tree/master/demos). I have successfully deployed all of them except for "export-to-drive". I am able to deploy it, but I get a 500 Internal Server Error. It is the same on the cloud shell, but when I run it locally it run well.
Since the web console shows no error, I checked in the cloud shell console and got those errors:
redirect_uri_mismatch
invalid_grant
I tried to authorize all the redirect domains I could think of, but nothing changes. I know it is not my API key because it is working when I run the code locally.
You need to set up both Service account and OAuth 2.0 Client ID credentials to authorize requests to Earth Engine.
Make sure that client_id and redirect_uri are properly configured as instructed here
Note that the value redirect_uri must match an authorized URI you have set up in API console > Credentials >
Client ID for Web application > Authorized redirect URIs
.
I currently have two app services
Web App (Asp.net core 2 w/ front end in react)
Web Api (Asp.net core 2)
Note: Both are configured with different Azure active directory app id.
user signs into Web App and retrieves a token for it's own appId/ClientId/ClientSecret stored in tokencache.
from the WebApp, the user wants to talk to a WebAPI but needs to get a token since it's protected with AAD as well but it's a different app id/client id/client secret.
Problem:
When I try to do a AcquireTokenSilentAsync() for the web api, I get an error throwing that I the token is not in the cache?
It also seems that with depending if your using AAD v2.0 or v1.0 will determine if the web app and web api can have different app ids. So it seems like i would have to use AAD v1.0. With Asp.net core 2, it's not clear to me what OpenIdConnect is using or configured to use under the covers.
Question:
It's not clear to me why the acquire token silent async didn't work and failed. Does that only look for the token in the cache; otherwise it fails?
Is it possible to configure the token from web app to have permission to access web api resources. I notice that in the azure portal, you can selected resources like microsoft graph, but I don't know how you would associate a custom API. In my case, I want to get it running on my local machine before I move it all to azure.
If the web app token does not have permission to access the web api, do i need to do another login authentication with the user even thou both are within the same tenant?
Any Advice appreciated,
Derek
Yes, AcquireTokenSilentAsync will look into the cache, and see if it can find tokens. If it does, it will check to see if the access token is still valid and return that back. If the token is expired, it will use the refresh token to fetch a new access token and return that back. When this call fails, it's an indicator you need to perform an AcquireTokenAsync (which will likely show UI in the case silent already failed).
Yes, you can associate a web app to get tokens for your own custom web API. I'd recommend using Azure AD v1.0 (register the app in the Azure portal, ADAL library). You'll need to register the two apps (web app and the api), both will be type web app/api. In the API, you can register an App ID URI which will act as the resource identifier for this API. In your web app, you'll want to go into the Required Permissions, and add the Web API you have registered as a permission. Then in your web app, you'll need to use the ADAL library (alongside an OpenID OWIN middleware) to acquire a token for the resource as specified by the App ID URI field. Here's a code sample that implements the exact scenario you're describing (Web App/API in ASP.NET Core).
I'm working on an Outlook Add-in which authenticates the user against Azure AD and runs queries against SharePoint Online sites. The app uses AngularJS and makes use of the ADAL.js and ADAL-Angular.js libraries to conduct the authentication process. The app works well within the browser, however fails during the authentication process when used through the Windows Version of Outlook.
Once the user inputs his username and password within the add-in in Outlook (Windows), and Internet Explorer window pops up with the message below:
AADSTS90056: This endpoint only accepts POST requests.
Screenshot of error
Has anyone encountered this issue? I've followed the Office Dev tutorials (below) to the letter, but still no luck...
https://github.com/OfficeDev/O365-Angular-GettingStarted
I was getting same error while trying to get access token for Microsoft Azure Active directory. the problem was url.
using https instead of http solved my problem.
my correct url for token as follows:
"https://login.microsoftonline.com/"
This is in relation to my other question about the need to create a Facebook app.
I've been reading a lot about how to best approach login for mobile apps users (iOS and Android) that access my web service running on Google App Engine. I'm still not clear how to best do it as I would like to offer login with both Google and Facebook. The app and the web service does nothing with Facebook or Google other than I would like to piggyback on their login.
Having only login with Google for GAE is very easy and the same goes for using OpenIDConnect. Facebook unfortunately does not support this.
Reading an old question here on SO where someone wanted to do the same as I it looks like the app should do Facebook Login and then get a token that it passes to my backend which needs to be validated by contacting Facebook. Is this how to do it today?
I also found Google Identity Toolkit, which seem to be what I need. However, I do not have a website or just apps. I would need to have the apps do the Facebook login and somehow provide my web service with something so it can validate the login info.
Later on an app user should be able to log in using randomly Facebook, Google and my custom username/password. The app and the web service should know the user is logged in and authorize it to access the REST API.
How do I accomplish this? BTW, I'm using Go on GAE.
I would really appreciate if someone could explain if there are several options how to do this, pros and cons, and provide an overview of the best approach and what needs to be done.
Many thanks for any help with this!
UPDATE
OK, thanks a lot everyone for the help and pointers. I have successfully run the quickstart sample app for iOS for my GAE backend. Basically, created a Facebook app and permissions credentials on my web service on GAE so that the sample iOS app can log in.
A bit of a gap still before I have an authenticated user in the datastore and can authorize successive API calls.
Main open questions at this point:
how to get the gtoken in the iOS app after successful Facebook or Google login?
should I explicitly call an API on my web service to pass in the gtoken or is this somehow automatic with Gitkit API enabled?
Thanks for any help!
UPDATE
To answer #1 and #2 myself, there's a "successful sign-in url" that can be given in the app engine config so the app knows where to call with the gtoken. Then after that it's like explained in the answers.
Looks like you have an app and a backend on GAE.
If you are using google identity toolkit, it will allow you to signin with Facebook, Google, and email/password.
When user successfully signs in to your app using identity toolkit, your server should receive a gtoken. You have two options here:
Pass the gtoken to your app and save it there. When your app makes API calls to your backend, you app should attach the gtoken to every request. Your backend should verify the gtoken(https://developers.google.com/identity/toolkit/web/required-endpoints) for every API that needs authorization.
Verify the gtoken, generate a token that your backend can recognize/identify the user. Then pass the token to your app and everything else is the same as option 1.
If you do not want to use identity toolkit, you can implement facebook login on your app/backend and use facebook token to communicate between your app and backend.
Whatever your decision is, apps that use your API should pass you something that your backend can recognize/authorize the user.
The answer is about using Google Identity Toolkit (GIT). GIT itself is an identity provider, which would be integrated with your apps and backend. The flow works along these lines:
your app requests login via its GIT API
GIT will perform the federated login with Facebook or other 3rd party provider (transparent to your app) and returns a GIT token to the app (representing a unique user from your end-to-end system perspective, i.e. apps plus backend)
the app makes a request to the backend in which it passes the GIT token
the backend verifies the GIT token validity (using this go GIT client API, for example) and from it can extract the identity of the user and thus validate the request
You can find more detailed info about the backend token validation in the backent endpoint doc, look for these sections in particular:
Understanding the Identity Toolkit cookie/token
Getting information for users
Now the actual token validation on the backend may take a few seconds, so it might not be practical to do it for each and every REST request from the app. If so you'd need to somehow:
save the info that the user of that specific app instance is
authenticated in something like a "session" managed between your app and the backend
map a specific REST request received by the backend to a specific such authenticated "session"
But I'm not sure how exactly is this "session" functionality done in the apps+backend context, I didn't write any apps yet.
Discovered a problem with connecting all together - Facebook, GWT and App Engine.
I need to authenticate user on my web site hosted on App Engine (Java) that uses GWT. After authentication, some information should be passed to server from facebook - like profile information, user list, etc.
Currently am trying to use facebook4gwt and authentication works fine, and I can obtain all needed information on client side, but can not transfer facebook session to server, particularly, obtain Facebook cookies for session verification.
Could anyone suggest any good solution for this? Probably, it would make sense to get rid of facebook4gwt and do everything on server side.
I have been using the gwt-facebook library for one year to authenticate users of my application on App Engine. When a user is already logged into Facebook, and has already authorized my application, I can automatically get the access_token in GWT and send it to the server which can then do the hard work (data syncing) with facebook-java-api library.