How does Google+ Sign-In Compare to googleappengine.api.user signin? - google-app-engine

The "user" submodule in Google App Engine uses "Google Account" rather than a "G+" sign-in. Are the base IDs the same? I'd like to associate their sign-ins with my own user records...

If you are asking about the ids...
Specifically:
using
user = users.get_current_user()
returns a user object, and that is not what you are referring to (regarding your comment).
The user_id() is what you were referring to for the Users API:
from google.appengine.api import users
user = users.get_current_user()
user.user_id()
From the Docs
If the email address is associated with a Google account, user_id returns the unique permanent ID of the user, a str. This ID is always the same for the user regardless of whether the user changes her email address.
If the email address is not associated with a Google account, user_id returns None.
Now from my experience my GoogleID according to user_id() is xxx8005350796570706xx and my Google Plus profile ID is 102445631084043565507 which are totally different. I also checked this with my apps and Google + known followers and found no similarity.

I would say they are not the same thing, but yes, you can associate them.
If you have used the support built into GAE (or Android) for basic Google accounts (User) to authenticate a user then you have their e-mail address which uniquely identifies their google account.
On Google+, use the email scope to gain access to their e-mail address:
https://developers.google.com/+/api/oauth#email-scopes
These e-mail addresses should match, so this will allow you to associate the Google and Google+ accounts. The downside to this method IMO is if you weren't already requesting the g+ email scope then you will have to add it.

You should create your own user model which will have info about registered users. Using users.get_current_user() you may take an e-mail address from the user's Google account and log him in to the app.

Related

Inviting a consumer to Azure AD B2C with custom in-app attributes

Inviting a consumer user to Azure AD B2C has been covered by other Stack Overflow questions & answers, and AFAIK requires the use of custom policies that entail a signed JWT being created and used during invite redemption.
What I'm trying to figure out: In our application, we have differently permissioned user groups and different organisations managed by internal RBAC logic. We identify & authorize users based on their oid claim in the access token that's returned to msal-react/msal-browser and used to authenticate against our backend's API.
In Microsoft Graph, a user can be invited and the API will respond with the created user's oid. However, this is the wrong type of user and not appropriate for B2C scenarios.
With the custom policy route not creating the user object in AAD B2C at the time of invite, and therefore without knowing the user's oid at the time of inviting them to the application, what might be the best way to configure their in-app profile and have them identifiable to the application itself upon first login?
My thought at the moment is to have the application store the emails of users that are invited who have not yet redeemed/signed-in. We can configure the emails claim to be returned upon login, which is checked against the invited emails store when an oid claim is returned that isn't present in the database. This can then trigger a function to update the user's internal id with the oid in their first login's claim.
If this is inadvisable or if there's a better way, I'd be very grateful to hear it.
It would work, or just pre-create the user up front via the MS Graph API. Then you have an email and objectId available.
You could also put an extension attribute on the account indicating whether the user has redeemed their invite. That would allow you to monitor who has redeemed, and also be a way to provide a different experience depending on if the user has redeemed or not redeemed the link.
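The first-login binding described above (pending invites keyed by email, bound to the oid from the first verified token, with a redeemed flag mirroring the suggested extension attribute), as an added Python sketch that is not part of the question or answers; the in-memory dicts and the claim handling are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AppUser:
    email: str
    role: str                  # permission group from the app's own RBAC
    oid: Optional[str] = None  # unknown until the invitee signs in
    redeemed: bool = False     # what the suggested extension attribute would track


class InviteBinder:
    """Holds invited-but-unredeemed users by email and binds them to the
    B2C oid on first login. Dicts stand in for the application database."""

    def __init__(self) -> None:
        self.by_oid: Dict[str, AppUser] = {}
        self.pending_by_email: Dict[str, AppUser] = {}

    def invite(self, email: str, role: str) -> AppUser:
        user = AppUser(email=email.lower(), role=role)
        self.pending_by_email[user.email] = user
        return user

    def on_login(self, claims: dict) -> Optional[AppUser]:
        """claims: the access token's claims after the backend has verified
        the token's signature, issuer and audience (assumed done upstream)."""
        oid = claims.get("oid")
        if not oid:
            return None
        known = self.by_oid.get(oid)
        if known is not None:
            return known                      # returning user: nothing to bind
        # First login: match the B2C-verified emails claim against invites.
        for email in claims.get("emails", []):
            user = self.pending_by_email.pop(email.lower(), None)
            if user is not None:
                user.oid, user.redeemed = oid, True
                self.by_oid[oid] = user
                return user
        return None                           # not invited: deny access
```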

In GAE, when might a User not have an ID

I am building a web app with Go and GAE. I would like to use Google Accounts for authentication. The appengine/user package contains a type, User. I was planning on using the ID property of User as the ancestor to descendant entities in the Datastore. However I'm confused by the comments in this section of documentation:
type User struct {
Email string
AuthDomain string
Admin bool
// ID is the unique permanent ID of the user.
// It is populated if the Email is associated
// with a Google account, or empty otherwise.
ID string
FederatedIdentity string
FederatedProvider string
}
Source: https://cloud.google.com/appengine/docs/go/users/reference#User
Under what circumstances might an email not be associated with a Google account and therefore ID be empty?
I'm very new to go and GAE so please excuse my ignorance.
There are several key differences between email and id. E.g. "The app can also access a user ID that identifies the user uniquely, even if the user changes the email address for her account." Also "Every user has the same user ID for all App Engine applications."
Like ThunderCat said, if you use a Federated Login (OpenID was the only one supported, but is no longer), then you will not get a user id.
See the docs for more info.

Sign in with Google: How to customize the requested permissions

I'd like to find out how to configure an app engine application to request custom permissions. The example below asks to "manage your applications deployed on Google App Engine". How did they pull that off?
Overview:
The method that the application is using to login is OAuth. What shows up in that box is controlled by the scope.
The purpose of OAuth scopes is accessing information about authenticated users. The scopes are different for each application, and determine what information about a user an application is granted access to.
The following resources might be worth checking out:
Google's OAuth 2.0 for Login
Using OAuth 2.0 to Access Google APIs
OAuth Playground
The OAuth Wikipedia article isn't that great, but might be useful depending on your understanding.
In general, the documentation for each API you intend to use will have the information about what scopes are available and should be used.
In Detail:
Concretely, an OAuth request with the scope parameter as
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
would show the user a prompt similar to the following when logging in:
+ View basic information about your account
* View your name, public profile URL, and photo
* View your gender and birthdate
* View your country, language, and timezone
+ View your email address
* View the email address associated with your account
While one with only https://www.googleapis.com/auth/userinfo.email would show something like:
+ View your email address
* View the email address associated with your account
You can customize the scopes depending on what information you want from a user.

Should Google Appengine userId be treated as a secret?

Just wondering if the userId returned by calling user.getUserId() should be treated as a secret, or can it be used in public URLs? For example, the profile page URLs look something like http://example.com/userprofile/11901930903930 where 11901930903930 is the Google-generated userId on App Engine.
This is the function we are using to get the userId:
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
String id = user.getUserId();
Actually, I found this info on Google and the conclusion is that they should not be used publicly.
From Google:
Accessing Account Information
While a user is signed in to an app, the app can access the account's email address or OpenID identifier for every request the user makes to the app. The app can also access a user ID that identifies the user uniquely, even if the user changes the email address for her account.
The app can also determine whether the current user is an administrator (a "developer") for the app. You can use this feature to build administrative features for the app, even if you don't authenticate other users. The Go, Java, and Python APIs make it easy to configure URLs as "administrator only."
Note: Every user has the same user ID for all App Engine applications. If your app uses the user ID in public data, such as by including it in a URL parameter, you should use a hash algorithm with a "salt" value added to obscure the ID. Exposing raw IDs could allow someone to associate a user's activity in one app with that in another, or get the user's email address by coercing the user to sign in to another app.
Link to page
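The salted-hash approach from Google's note, as an added Python example that is not part of the question, the answer or Google's documentation: an HMAC keyed with a per-app secret salt turns the raw user ID into an opaque URL handle. The salt, the sample user ID and the in-memory lookup are assumptions.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed values: a GAE-style numeric user_id and a per-app secret salt.
# The real salt belongs in app configuration, not in source control.
APP_SALT = b"app-one-secret-salt-EXAMPLE"
SAMPLE_USER_ID = "11901930903930"


def public_handle(user_id: str, salt: bytes = APP_SALT) -> str:
    """Opaque identifier that is safe to place in a public URL.

    HMAC-SHA256 keyed with an app-specific salt, so the raw Google user ID
    cannot be read back from the handle, and the same user gets unrelated
    handles in two apps that use different salts (no cross-app linking).
    """
    return hmac.new(salt, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def resolve_handle(handle: str, known_user_ids: Iterable[str],
                   salt: bytes = APP_SALT) -> Optional[str]:
    """Map a handle from a URL back to a user_id.

    Stand-in for a datastore query on a stored handle property; the handle
    is recomputed per user here only to keep the example self-contained.
    """
    for user_id in known_user_ids:
        if hmac.compare_digest(public_handle(user_id, salt), handle):
            return user_id
    return None
```

Store the handle on the user record when it is first created so the profile URL is a direct lookup rather than a scan.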

How do I send email from Google App Engine with a random sender?

How do I send email from Google App Engine with a random, non-app-admin sender using a custom domain name (e.g. xyz#myshop.com)? We need to allow the users of our website to communicate with each other through a custom-made messaging system but also allow them to reply directly from their email. Something similar to the craigslist system. However, it seems that GAE doesn't allow us to send email from an address that is not admin. Is there any workaround / patch? We are the owner of the myshop.com domain name (verified through Google Apps) so I don't see why such a thing is not allowed.
While you can't use just any random address, you can use a registered administrator address with a '+' suffix. So you could send the mail with a 'from' of, say, message-reply+HASH_VALUE#myshop.com. Then your app will receive the reply, and can use the hash to decide which user to forward the mail to.
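The '+' suffix scheme from this answer, as an added Python example that is not part of the answer: the suffix carries a thread id plus an HMAC tag over it, so an inbound reply is only forwarded when the tag verifies. The key, the domain, the thread table and the address layout are assumptions.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed values; in the real app the key is configuration and
# message-reply@ must be a registered administrator address.
REPLY_KEY = b"reply-routing-key-EXAMPLE"
REPLY_LOCAL_PART = "message-reply"
DOMAIN = "myshop.com"

# Constructed stand-in for the datastore: thread id -> user who should
# receive replies addressed to that thread.
THREAD_RECIPIENT: Dict[str, str] = {"t7f3a": "alice", "t9c01": "bob"}

_ADDR_RE = re.compile(
    rf"^{re.escape(REPLY_LOCAL_PART)}\+([a-z0-9]+)\.([0-9a-f]{{20}})@{re.escape(DOMAIN)}$"
)


def _token(thread_id: str) -> str:
    return hmac.new(REPLY_KEY, thread_id.encode(), hashlib.sha256).hexdigest()[:20]


def reply_address(thread_id: str) -> str:
    """'From' address for an outbound notification: admin address plus a
    '+' suffix carrying the thread id and an HMAC tag over it."""
    return f"{REPLY_LOCAL_PART}+{thread_id}.{_token(thread_id)}@{DOMAIN}"


def route_reply(to_address: str) -> Optional[str]:
    """For an inbound reply, return the user to forward it to, or None.

    Rejects addresses whose suffix is malformed, whose tag does not verify
    (a guessed or altered thread id) or whose thread is unknown.
    """
    m = _ADDR_RE.match(to_address.strip())
    if not m:
        return None
    thread_id, tag = m.groups()
    if not hmac.compare_digest(_token(thread_id), tag):
        return None
    return THREAD_RECIPIENT.get(thread_id)
```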
How about sending the email from your admin account, but adding a reply-to header, specifying the user's email-address?
Google doesn't allow using random addresses. You can star this bug.
http://code.google.com/p/googleappengine/issues/detail?id=3069
However, since the users are apparently registered with Google Apps, the system can send emails on their behalf when they are signed into your application.
The sender address must be one of the following types:
...
The address of the user for the current request signed in with a
Google Account. You can determine the current user's email address
with the Users API. The user's account must be a Gmail account, or be
on a domain managed by Google Apps.
http://code.google.com/appengine/docs/python/mail/emailmessagefields.html