I am quite new to openID and GAE and there are lots of documentation that I get confused. So
I am building a Java web application.
I have GAE for Business.
As I understand GAE are automatically become openID providers. Can I in my Java web app identify only my GAE users using openID, like when user clicks login button it redirects to my GAE login page and identifies them? If user is not my GAE user my Java app rejects the access.
If something is not clear just tell me, because English is not my native language.
I am not really sure I got you right but if you want only the users you have invited the relevant emails to your application through appspot.com under permissions, you can include in your relevant handlers in your app.yaml file the login parameter like that.
handlers:
- url: /.*
login: admin
In case the user is trying to login is not under your application's permission list he will receive an unauthorized error.
Related
I am trying to get the user who is logged in via. SAML Single Sign On.
I have already implemented SAML Single Sign On and it works.
The code I use for programmatic login is :
apps = gdata.apps.service.AppsService(email=username, domain=domain, password=password)
apps.ProgrammaticLogin()
logging.info("current user %s", users.get_current_user())
//Redirect to a Google mail page.
But users.get_current_user() returns None always even though correct username and password is provided. I have crosschecked it by redirecting the page to Google Mail page and it successfully redirects.
I have googled this issue for hours now nothing goes the right way.
Can anyone please guide me what I am doing wrong ?
There are three different things going on here, I just want to make sure are clear for my suggested answer to make sense:
Google App Engine users service: You, as the developer, delegate authentication and authorization responsibility to Google Accounts (or the selected OpenID provider). Google will act as the Identity Provider and you'll act as the Service Provider.
SAML single sign on: Google delegates to you the authentication and authorization responsibility, you'll act as the Identity Provider and Google will act as the Service Provider. You'll be using SAML SSO every time you try to login any Google service using you Google Apps account, that includes Google App Engine applications using the users service.
ClientLogin: It is one of the methods for authenticating to use a Google API by giving username and password. It's deprecated, it's hard to maintain and insecure since you are hard coding the credentials and the app could have access to everything. I'd recommend switching to OAuth instead. In the first two lines of code You are initializing the Google Apps provisioning API with gdata.apps.service.AppsService, if you are not going to retrieve or create users/groups/alias is useless to do that. If you are I'd also recommend switching to the Directory API part of the new AdminSDK
For your particular case I'd suggest checking if there is a current user logged in, if not redirect to the login URL using the GAE users service.
user = users.get_current_user()
if user:
logging.info("current user %s", user.email())
else:
return redirect(users.create_login_url(request.url))
In case you always require that the user is logged in you better set the handler as login: required
The user will be redirected to the SAML SSO page to log in to his Google Account in order to access the GAE app.
I'm coding a Python - Google App Engine application. There are 2 important things this app must do:
Write in user's calendar.
Write in user's profile (working with users in a Google Apps domain)
First operation is easy. If I understood OAuth, this is the classical 3-legged scenario. The scenario for which OAuth was originally developed. The logged user provides credentials to the client (my app) to access the user's data (calendar) on his/her behalf. So, this can be done just with the logged user's credentials.
Second operation is not so easy. It can't be done with just the logged user's credentials. This is a 2-legged OAuth scenario. So, I need to delegate in a Google Apps domain admin's account to access the users's profiles using Google Profiles API (via google data library). So far, I hardcode admin user/password in a json file, and my app loads that file. But that sounds kind of dirty for me.
At the end, my app needs to handle the classical 3-legged OAuth scenario (no problem, just need the logged user's credentials) plus a 2-legged OAuth scenario (need administrator credentials).
Is there any official or more elegant way to handle both scenarios in Google App Engine, working with Google Apps domain, that hardcoding admin credentials?
Many thanks in advance
AFAIK there is no way to authorize a write operation to Google Contacts Data API using 2-legged OAuth.
Google's documentation specifies which APIs are accessible via 2-legged OAuth, but it seems that someone at Google's forgot to specify that some of them are read-only :-S
Some people had the same problem here and here.
I look forward someone at Google to fix this. Until then, harcoding admin-level credentials is the only option I know that it works. I don't like it at all: it's dirty but effective. If someone knows a more elegant zen-level way, please illuminate us!
When I click on "Datastore Admin" in my AppEngine (Python27) application with federated login, the following error shows up:
Error: Not Found
The requested URL /_ah/login_required?continue=https://ah-builtin-python-bundle-dot-latest-dot-ah/datastore_admin/?app_id=s~lpgng2 was not found on this server.
Seems like I am redirected to the /_ah/login_required page on admin instance and not on the frontend instance.
What's wrong?
If you take a closer look at the documentation here: https://developers.google.com/appengine/articles/openid as soon as you select "Federated Login" your code would need to handle requests to /_ah/login_required in order to serve any requests that requires login. Datastore admin is just a built-in app, which have its handlers requiring login.
Implementing this should resolve this. Hope it helps!
I refer here to that page you are redirected after you login to GAE app with your google account, which asks your permission to access your google account.
Put this toghether with custom domain and https and you get my problem.
Sorry for the lengthiness. I searched everywhere. Didn't find anything. Not sure it is an OAuth issue (think not).
My configuration:
developed myapp.appspot.com
configured custom domain myapp.mydomain.com to point to myapp
myapp is making use of GAE login service
need for https posts from custom domain (!), solved as follows:
page is loaded in HTTP from http://myapp.mydomain.com
some submit HTTPS URLs are hardcoded in the page, as https://myapp.appspot.com/someservice
same domain policy resolved server side by means of http headers
GAE login service applies both to http://myapp.mydomain.com handler AND https://myapp.appspot.com/someservice handler
The workflow is:
user not yet authenticated
user browse http://myapp.mydomain.com (not ssl)
user is redirected to google account login page
user logins
user is redirected to the abovementioned page: myapp is requesting permission to access user's google account
user grants his permission
user is in - OK
Now comes the problem:
user makes a submit to https://myapp.appspot.com/someservice (so that data is ssl transmitted), which is loginrequired decorated
login is ok, user is not again redirected to the login page,
I think this is because the google login is cross application (the same should appen if the user was already logged in into gmail, to say)
but now https://myapp.appspot.com/ is again requesting permission to access user's google account - and this is the problem
The user is prompted TWICE to grant permission to myapp to access his account:
once when he browse to http://myapp.mydomain.com
and another one when he submits data to https://myapp.appspot.com/someservice
My user doesn't like it and me too !!!
I suspect this is because the user answer (Allow or No Thanks) is saved server side with respect to the URL of the app
and not with respect to some other unique id of the app.
But I have no idea how to solve it or at least work it around.
Thank you for your patience in reading up to here.
Any help would be appreciated.
The cookie that is issued for the user's session is per-domain and per-protocol. As a result, the same session won't work on the appspot app and on your custom domain. This isn't an App Engine limitation - it's simply how HTTP works.
The best solution, currently, is to put the form itself on HTTPS as well (which is in general a good idea anyway).
i would like to provide a third party user authentication on my app engine app.
the federated login option on appengine is not exactly what I'm looking for and i can't see endpoints
what i want is authenticating users via openid like its done here on stackoverflow.
the first time a user has to authorize the app and the subsequent times it will only need to be logged in or log in again on the third party app and then redirected to my app.
my app is written in python and im using tornado web as a framework. i've seen that tornado has its own auth module i want to check out but i wanted to ask for suggestions before jumping into code.
basically i would like users to be able to log in via facebook, twitter and google.
the facebook authentication seems not to be that hard on graph.facebook.com but its not easy to test
authenticating via twitter looks more difficult to me and i can't find any clear examples.
i would love to hear your experiences/suggestions about it.
What you describe is exactly how federated login with OpenId works on App Engine. Whether or not users get prompted for authorization after the first login is up to the OpenId provider, not the consumer.
Facebook login doesn't use OpenID, and you'd need to implement that yourself, in conjunction with a sessions library to keep track of logged in Facebook users.