GAE Golang - OAuth and OAuth2? - google-app-engine

I'm trying to implement a Google App Engine Go application that will be using OAuth and OAuth2 for users logging in. I'm wondering if it is possible, and if so, how to do it? Can someone provide an example of this?

You can use goauth2 to implement an OAuth2 client on App Engine
You can then log your users with their Google Account by requesting https://www.googleapis.com/auth/userinfo.profile scopes as shown on Using OAuth 2.0 for Login

Related

Oauth for authorization JWT for authentication for an app using DRF and cloud functions

I'm building a web app with Wagtail as back-end, running on app engine, cloud functions doing micro-services and triggered via http.
I want to let my users register and authorize using social apps and classic login-password and get a JWT token from Wagtail App. Then, the token will be used to authenticate users both on cloud functions and Wagtail back-end.
How do I provide the user with JWT tokens if he/she authorizes with OAuth?
Is my approach correct? Any suggestions on how this should be done in the proper way?
The best solution I found so far is to use firebase auth. In python I verify token like that:
from firebase_admin import auth
decoded_token = auth.verify_id_token(id_token)
uid = decoded_token['uid']

How to perform authentication with Google Cloud Endpoints?

We are migrating part of our web app to a native mobile app (iOS and Android). We store all user info in our own database, including authentication info (username & pwd). We have a REST API for use by mobile apps and are trying to implement that in Google Cloud Endpoints.
We use an API key for identifying the app.
We want to also authenticate each user. The app will request the username and pwd and then pass that through the REST API. Our backend will confirm (by looking up the username/pwd in the db) if the user is valid. Ideally, at this point we would return a JWT.
Can this be done? The GCE documentation talks about authenticating Google users, and Facebook users. We don't want that. We don't want to use Firebase (unless a custom mechanism can be set up to authenticate). We will manage accounts. We will check if the username and pwd provided (through the app) identifies a valid user.
In trying to use a backend based on Google App Engine Standard and ESPv2, the documentation states that IAP must be enabled. IAP appears to authenticate users in a way we don't want. We want to authenticate users based on the username and pwd they provide and that we manage. Can this be done?
Any pointers would be greatly appreciated.
Thank you.

Methods of Authentication in Go for App Engine

I am building a reservation system in Google App Engine using Go. I need 2 forms of authentication in my program.
Public Form -- form built in Angular that is on our public website. I want my front-end to have some sort of credentials.json file to use when requesting the book and getOpenDates endpoints in my RESTful API running in Go on Google App Engine.
Private Companion App -- protected by username and password that the user supplies in my app built in Flutter. The app is requesting many endpoints in App Engine. I would like to use JWT to authenticate this portion, but I'm not 100% sure JWT is what I need.
I'm not sure if this tutorial on Identity Platform is what I want. I'm very new to App Engine and authentication in general, so I am a bit lost.
Please describe how I could implement these authentication methods in my RESTful API in Go running on Google's App Engine. I think I may be able to implement the username/password method using a tutorial like this but I'm very lost on the 1st form of authentication with just a credentials file as authentication. If I'm going in the complete wrong direction to accomplish what I want please tell me, but what I'm looking for is code or a tutorial describing how to authenticate using these 2 methods. Thanks for any help.
From what I understand, you want to have a golang backend API in App Engine that serves both your web frontend (1.) and your users app (2.).
I am going to suppose that any user with username/password can use both your frontends: the web app and the mobile app with these credentials.
The credentials.jsons are not designed to authenticate users of your services, but rather server to server communication.
With that in mind, I have found the guide Session based authentication in golang, that could help you to set up your backend to accept only authenticated requests over HTTPS. The web browser will automatically save the cookie, however you need to store the cookie in your mobile app.
For much more complicated scenarios for authenticating from different webpages, it is required to use OAuth2 as you can see in this thread. If you don't find any of your requirements listed in here it is probably overkill to use Auth0 nor OAuth2.

Access Google IAP protected API from Angular

My application has 2 modules
Spring boot back-end API
Angular front-end (SPA application)
Both were deployed in Google app engine (GAE).
I used Google IAP for authentication. After enabling the IAP is there any way to generate the IAP JWT token for the different users within the organization to authenticate the APIs from the web client.
I tried token generating mechanism using the Service account. But for my scenario, I just want to authenticate and authorize users not service account. I found this reference to enable the web resource access for users, but it is using cookie based authorization. And it is not the recommended way for the application such as angular.
If you're using IAP to protect your backend api, it means your users have a Google Account or an account managed in Cloud Identity.
In your Angular front-end app, you can retrieve JWT token of your user, with Google Sign-In for Websites.
To easily integrate Google Sign-in with Angular, I recommend you to use ng-gapi from Ruben.
Main lines of the workflow :
Angular uses ng-gapi with Google Sign-in behind the scene
Users are authenticated with their Google Account
You're able to retrieve GoogleUser idToken which is a JWT token.
Each HttpRequest could be executed with Authorization: Bearer JWT
IAP will accept request.
To better understand how to use ng-gapi, check this stackblitz Demo made by creator of lib.
I also suggest you theses resources :
My answer on Stackoverflow about Angular stateless authentication workflow. Just skip the Spring Boot JWT part if you're using IAP.
Google Sign-In for Websites official docs.
Note that you need to use the OAuth 2.0 Client ID configured by Identity-Aware Proxy for your app, and add the correct Authorized JavaScript origins.
Yes, You can generate a JWT token using angular-oauth2-oidc.
Get the default IAP Web App client ID and client secret. Use AuthConfig and redirect to your link after credentials are entered; you can capture the token after they are redirected.
This link has all the details:
https://medium.com/#ishmeetsingh/google-auth-integration-with-angular-5-and-angular-oauth2-oidc-ed01b997e1df
You have told that you tried authenticating from service account. Were you able to generate JWT for service account? I am able to capture the JWT token for individual accounts and use it.
Please give more information on how you authenticated from service account.
Thanks,
Bharath

How to use OAuth2 / OpenID Connect with UserService?

I'm running several apps on Google App Engine. I am using the UserService for Authentication to be able to send emails on behalf of the user etc. and OAuth2 for API authorization.
I am now trying to publish the apps on the Google Apps Marketplace, but I received an email telling me it is required to use OAuth2 for authentication.
As I am just using the supported Google stack I assume there is a way to meet the requirements for publishing my apps on the Google Apps Marketplace but right now I'm stuck.
This is similar to another question. The challenge is that the User service is using still using OpenID. You'll need to use a Client library to authenticate the user.
Here are good samples in Python & Java.
Currently we use Openid 2.0 for user authentication and Oauth for authorization of other services. Openid 2.0 is deprecated and Google will not provide authentication using Open Id. For time line refer this link https://developers.google.com/+/api/auth-migration#timetable
So they are suggesting to use OpenidConnect for authentication of user. OpenIdConnect is a layer written over Oauth 2.0 for authentication of user.
For references visit http://openid.net/connect/ and https://developers.google.com/accounts/docs/OAuth2Login?hl=ja#appsetup

Resources