Redirect loop when logging in to appengine - google-app-engine

(yes - cross-posted from the google-appengine google group...I can't tell if they answer support questions like this there or here or what...it's all kind of a mess :) )
I am having a problem logging in to the appengine console using certain accounts on my google apps domain (but not others).
No matter what browser I use (Firefox, Chrome, Safari, IE), I get a "too many redirects" error on https://appengine.google.com/start when I try to log in using a specific account. I have tried resetting all the browsers as well (clearing all cookies, cache, etc - even trying it on a clean install of an OS) - with no luck. Going directly to https://appengine.google.com/a/domain.name causes the same loop for those accounts. The same thing happens when running the browsers with privacy mode enabled.
One of the accounts having problems is the user nathan.toone on the k9webprotection.com google apps domain - however we can log in with the user "admin" or the user "build-agent" on the same domain just fine (but not "build.agent" or "user2"). It seems to be all over the place as to which accounts are able to log in without the redirect loop and which ones aren't.
I have contacted google apps for your domain support, and they have said that it is outside their scope. They very "helpfully" pointed me to https://developers.google.com/appengine/kb/general - which didn't help AT ALL. :(
Again - the odd thing is that there are some of the accounts on the same domain that are able to log in just fine. Does anyone have any idea what could be happening, or have a way for me to contact someone to get this worked out? I have found a couple of other people saying they have had this problem, but have not been able to encounter a solution.
-Nathan

Related

Serve Files From Naked Root Domain

I run Google Ads on my Google-App-Engine-hosted website (www.bigriddles.com), and they tell me I need to have an "ads.txt" file served from the root domain (i.e. http://bigriddles.com/ads.txt, as opposed to http://www.bigriddles.com/ads.txt).
My DNS is hosted on Gandi, and I created their "ALIAS" record (which I think just does CNAME flattening or something similar) to alias "bigriddles.com" to "ghs.googlehosted.com." I chose "ghs.googlehosted.com" because that's what I CNAMEd "www.bigriddles.com" to (many years back), and that CNAME has been working fine.
However, now when I visit "bigriddles.com", I get an "HTTP 301 Moved" to "www.bigriddles.com", and as far as I can tell, this response isn't coming from any code I wrote (I've looked through my code and don't see anything that would redirect this). Furthermore, there is a "Server: ghs" header in the response from "bigriddles.com", whereas if I visit "www.bigriddles.com", which works fine, the response includes the header "Server: Google Frontend". I'm not sure if there is some hint of my problem in the difference between those two Server headers.
Anyway, I'm not sure exactly what's going wrong. It could be a DNS issue. I say this because "dig www.bigriddles.com" comes back with the IP 172.217.14.115, whereas "dig bigriddles.com" comes back with "172.217.168.211", so maybe one of these really is a "ghs" server and the other is a "Google Frontend" server (I'm not sure the difference) and this "ALIAS" DNS solution just isn't going to work.
More likely though I feel like maybe there is just some settings problem with my App itself where it's not set up to allow the apex domain "bigriddles.com", and if I change that setting it will start working?
I have gone through the steps on https://cloud.google.com/appengine/docs/standard/python/mapping-custom-domains. When I view the "Custom Domains" for my project, I see "www.bigriddles.com" and "m.bigriddles.com", but I don't see the naked domain "bigriddles.com". However, when I try to add it on that page, it tells me that "bigriddles.com" is already mapped to a project, so I'm not sure what to make of that.
Any help would be appreciated, thank you!
This seems like an issue with your domain provider.
You can use this tool that might help you contact the domain provider with detailed info.
If they insist it's not an issue on their side (I strongly believe it is), then you should contact Google Cloud Platform Support so a deeper inspection can be made on your project.
If you're also using G Suite for your domain, the criminal is G Suite's Domain -> Redirect. If it is, it's a pity that Google does not let us turn off the so-called feature.
Since G Suite uses the same entry point as App Engine, you have no chance to solve this other than moving your site outside Google services or no longer using G Suite.

Why is Google IAP putting double-digits request cookies in my headers?

I have an app running on Google app engine (Flask, python 3, flexible environment) using the Identity-Aware proxy to allow everyone in our organization (which uses GSuite) to control access. Recently we've been getting 413 errors.
When I looked at the cookies of the failing requests I expected to see one request cookie prefixed with GCP_IAAP_AUTH_TOKEN. Instead I see 11, each one slightly different. Their combined sizes put us over the 15kb header size limit indicated in the link below, causing a 413 error.
https://cloud.google.com/appengine/docs/flexible/go/how-requests-are-handled
I don't understand why there are so many cookies, or how to make them go away. Our users all use Chrome, and many but not all of them are intermittently running into this error. Those that aren't, when their cookies are inspected, show only a couple cookies with this prefix. See below for an example of what this collection of cookies looks like:
[Image: Eleven IAP cookies in a single header]
Posting what ended up solving this particular instance of the problem in case something like it occurs to other people in the future.
The original IAP code for our project was written in 2018. At the time, IAP had a known issue requiring re-logging in every hour. The suggested workaround from this thread was to use a hidden iframe.
https://issuetracker.google.com/issues/69386592?pli=1
We followed that guidance, but Google fixed the underlying issue in June of 2019. Now, following that guidance causes a gradual accumulation of session cookies in the headers. Removing the no-longer-needed offending iframe code solved the problem.
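The accumulation described in this question and answer can be caught before it reaches the header limit. The following is an added example, not code from the original post or from Google: the function and class names are hypothetical, the sample header is constructed, and the threshold of two cookies is an assumption based on the question's remark that unaffected users showed "only a couple".

```python
IAP_COOKIE_PREFIX = "GCP_IAAP_AUTH_TOKEN"  # prefix named in the question
HEADER_LIMIT_BYTES = 15 * 1024             # the 15 KB limit the question cites
MAX_EXPECTED_IAP_COOKIES = 2               # assumption: healthy users had "a couple"

def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs without decoding."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value))
    return pairs

def iap_cookie_report(headers):
    """Summarise IAP session cookies in a dict of request headers."""
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    iap = [(n, v) for n, v in cookies if n.startswith(IAP_COOKIE_PREFIX)]
    # Each header costs "Name: value\r\n" on the wire.
    total = sum(len(k) + 2 + len(v) + 2 for k, v in headers.items())
    return {
        "iap_cookie_count": len(iap),
        "iap_cookie_bytes": sum(len(n) + 1 + len(v) for n, v in iap),
        "total_header_bytes": total,
        "accumulating": len(iap) > MAX_EXPECTED_IAP_COOKIES,
        "over_limit": total > HEADER_LIMIT_BYTES,
    }

def constructed_cookie_header(count, value_len=1400):
    """Constructed sample: `count` IAP cookies with dummy values."""
    return "; ".join(
        f"{IAP_COOKIE_PREFIX}_{i:04X}={'x' * value_len}" for i in range(count)
    )

class IapCookieMonitor:
    """WSGI middleware that logs a warning while cookies are piling up.

    Requests already over the limit are rejected with 413 before the app
    sees them, so this only observes the build-up phase.
    """
    def __init__(self, app, logger):
        self.app, self.logger = app, logger

    def __call__(self, environ, start_response):
        report = iap_cookie_report({"Cookie": environ.get("HTTP_COOKIE", "")})
        if report["accumulating"]:
            self.logger.warning("IAP cookie accumulation: %s", report)
        return self.app(environ, start_response)
```

In a Flask app the middleware would be attached with `app.wsgi_app = IapCookieMonitor(app.wsgi_app, app.logger)`.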

Cannot log in to Drupal site

I have a VM that I set up to do development on two sites hosted on Acquia with the same codebase. I'm using Drupal version 7.26. I have it where I can access both sites from the host computer, but when I try to log in using /user/login on either site, I get nothing. The POST returns a 404 containing the login page again.
I've tried setting $cookie_domain = '.my-site.dev' as well as $cookie = 'www.mysite.dev'. Neither has any effect. I also tried adding a bunch of random characters to the file to make sure I was editing the correct file; with the random characters, pages didn't load at all. (See https://www.drupal.org/node/611920#comment-3110010.)
I also tried doing repair table sessions. I forgot which site I saw that recommendation from. I also tried delete from sessions just for kicks. Neither worked.
Any ideas? Thanks!
edit: Per https://www.drupal.org/node/261411#comment-3182566, I tried to go to www.mysite.dev/?q=user/login. This did not give me a 404, but I had tried (unsuccessfully, it seems) to reset my password through the database. I'm at least getting an error about a bad username/password combination rather than nothing at all. Still, I would think /user/login should have worked, too.
edit 2: The production site uses CAS, but logging in through /user/login still works.

Problems using Twitter4j on GAE throws 401 just after deploy

Well, I'm having a weird error here:
I'm developing a GAE app to read some Twitter data, and after reading a lot of docs, I have it working on my test server (running on my PC), but after deploying and testing on the real one (my appspot domain) it shows this message:
401:Authentication credentials (https://dev.twitter.com/pages/auth) were missing or incorrect. Ensure that you have set valid consumer key/secret, access token/secret, and the system clock is in sync.
message - Could not authenticate you
code - 32
I've tried to recreate my OAuthAppToken and OAuthAppTokenSecret keys, even changing the permissions to "Write, Read and Direct Messages" and even assigning a Callback URL, but nothing seems to work...
I've tried using twitter4j.properties OR using setOAuthConsumer(TW_CONSUMER_KEY, TW_CONSUMER_SECRET) OR a ConfigurationBuilder with the correct constants and I'm experiencing the same issue.
I'm working with AppEngine 1.8.3 and Twitter4j 3.0.4
I've been writing to the log and the Twitter object seems to be well created... I don't understand why it is working on my PC but not on the real app.
On some other post someone says that it could be because it needs to use a synced clock... but he doesn't explain where to change that property...
Does anyone have a clue?
Ok, the problem was me (and Twitter.... well..... I really think it was Twitter's problem for being so dark in its API messages)...
On the testing server I was looking for an existing account, and on the cloud I was looking for a nonexistent one. So, it was my mistake. But seriously, what about Twitter saying: "Access Forbidden"? That doesn't make any sense...

Datastore Admin Redirect loops

I can't access the Datastore Admin tab due to a "This webpage has a redirect loop" error and I can't figure out what I'm doing wrong or have set up wrong.
I have Datastore Admin Enabled in my web console.
I've added (although I don't know if this is even necessary):
builtins:
- datastore_admin: on
I've cleared cookies, etc.
Authentication Options is set to Google Accounts API
Has anyone else seen this or know how to fix it?
The issue is being discussed here and I am going to answer it.
http://code.google.com/p/googleappengine/issues/detail?id=4233
First a question. Which browser is this on?
I've had this problem on Chrome and it's related to Chrome blocking third-party cookies, overall a nice thing for it to do. You can add an exception to your third-party cookie settings to fix the problem.
You need to go to the Chrome settings page. You may need to expand an option called Show advanced settings...
Then look for:
Privacy / Content settings...
Cookies / Manage exceptions...
Then add an exception at the bottom of this list. The exception should look like this:
https://ah-builtin-python-bundle-dot-latest-dot-[YOUR_APP_ID].appspot.com/_ah/datastore_admin/*
