I have develop a Spring MVC Rest service on Google App Engine with Spring Security 3.1.
Since the service will be available only to my other apps, I have a basic authentication setup with predefined username and password.
Now, I have a client developed with RestTemplate. But I am not able to find a way to access my services securely with username and password, sent via RestTemplate.
I have gone through many articles, but most are using Apache HttpClient (not supported by google appengine).
SO, is there any alternatives to getting what i want on google appengine.
You can try the Basic Auth with URLFetch as this is supported by google, though you want to have the ssl enabled to for use Basic Auth.
You might want to see at this link, though not for appengine but should be good.
http://www.jpalace.org/docs/technotes/spring/rest-security.html
Related
I am building a reservation system in Google App Engine using Go. I need 2 forms of authentication in my program.
Public Form -- form built in Angular that is on our public website. I want my front-end to have some sort of credentials.json file to use when requesting the book and getOpenDates endpoints in my RESTful API running in Go on Google App Engine.
Private Companion App -- protected by username and password that the user supplies in my app built in Flutter. The app is requesting many endpoints in App Engine. I would like to use JWT to authenticate this portion, but I'm not 100% sure JWT is what I need.
I'm not sure if this tutorial on Identity Platform is what I want. I'm very new to App Engine and authentication in general, so I am a bit lost.
Please describe how I could implement these authentication methods in my RESTful API in Go running on Google's App Engine. I think I may be able to implement the username/password method using a tutorial like this but I'm very lost on the 1st form of authentication with just a credentials file as authentication. If I'm going in the complete wrong direction to accomplish what I want please tell me, but what I'm looking for is code or a tutorial describing how to authenticate using these 2 methods. Thanks for any help.
From what I understand, you want to have a golang backend API in App Engine that serves both your web frontend (1.) and your users app (2.).
I am going to suppose that any user with username/password can use both your frontends: the web app and the mobile app with these credentials.
The credentials.jsons are not designed to authenticate users of your services, but rather server to server communication.
With that in mind, I have found the guide Session based authentication in golang, that could help you to set up your backend to accept only authenticated requests over HTTPS. The web browser will automatically save the cookie, however you need to store the cookie in your mobile app.
For much more complicated scenarios for authenticating from different webpages, it is required to use OAuth2 as you can see in this thread. If you don't find any of your requirements listed in here it is probably overkill to use Auth0 nor OAuth2.
I'm new to web dev, and trying to build an application using google app engine's java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in app engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using app engine? I've read some about 'web container managed authentication' but I'm not sure if its something app engine will support, or if its a full solution.
Is it possible/feasible to roll fully custom authentication in the app engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As it's mention on the OpenID Connect documents of Google Cloud, it's important for you and your users security to authenticate using well proven and debugged code. Google offers Firebase Authentication which let's users log in with an Email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework and probably it will have an authorizing process.
For example, in python you can use Django authorize system to provide users for a custom way to log in.
But, as I said before, I highly recommend you to use the Google APIs for authorizing as they are OpenID certificated.
We implemented OAuth2.0 security in our project, which is working as expected locally with Google App Engine.
In our application we are redirecting to another URL:
res.sendRedirect("/oauth/authorize?response_type=code&client_id=Alexa&redirect_uri=/authCode");
As mentioned, this is working as expected locally. However, when we deployed the same code in Google Cloud Platform, we observed redirection to another URL and it's not working using sendRedirect() in Spring Boot.
Please suggest a possible solution.
The client_id should be an Oauth client id. As explained in official documentation, App Engine generates [MY_CLIENT_ID].apps.googleusercontent.com as Oauth client id.
If your application use languages and frameworks like PHP, Java, Python, Ruby, and .NET, you also have to include the endpoints in the Authorized redirect URIs on purpose that the OAuth 2.0 server can send responses.
Check this doc for more details to implement OAuth 2.0 authorization to access Google APIs.
I have a rest API hosted in Google App Engine. (API lives in a Docker container in the Flexible environment).
I need to support only internal API calls (from another service in the same App Engine Project) and for developer testing be able to call it directly (I don't want user authentication, but I should be able to access it still using the application_default_credentials...I'm just unsure how)
Can you direct me to documentation or examples of how to set this up?
The Google documentation is very lacking.
You have several options, including the following:
The App Engine documentation states that the recommended approach is OAuth for microservices that require authentication.
A second option is to use Cloud Endpoints with service account authentication.
Third, you can use Identity-Aware Proxy to secure the server. Clients can get an identity token from the metadata server.
Discovered a problem with connecting all together - Facebook, GWT and App Engine.
I need to authenticate user on my web site hosted on App Engine (Java) that uses GWT. After authentication, some information should be passed to server from facebook - like profile information, user list, etc.
Currently am trying to use facebook4gwt and authentication works fine, and I can obtain all needed information on client side, but can not transfer facebook session to server, particularly, obtain Facebook cookies for session verification.
Could anyone suggest any good solution for this? Probably, it would make sense to get rid of facebook4gwt and do everything on server side.
I have been using the gwt-facebook library for one year to authenticate users of my application on App Engine. When a user is already logged into Facebook, and has already authorized my application, I can automatically get the access_token in GWT and send it to the server which can then do the hard work (data syncing) with facebook-java-api library.