I'm plan on deploy a Java application to Google AppEngine and use federated login (still experimental according to Google). The application is pretty simple Java EE application which expose RESTful interface for simple CRUD operations.
I then want to be able to authenticate to this application using Windows Client Application written in C#.
I think the application should be able to open a window with a browser in ti which will present the login page of my web application and after successful authentication I should be able to get the login token or a cookie to use in the rest of my HTTP requests.
Is it possible to do such thing using federated login? I've found a post explain how to do it using google proprietary login.
Thank you,
Ido.
I've manage to make this work much easier then I thought it would be.
When I send HTTP request to my web service I get 302 Found response with response header name Location which point to the login page.
I use WebBrowser control, register to it Navigated even and navigate to the URL in the Location header.
When the Navigated even fire I use the code from this answer to get the cookies container.
I check each cookie until I find one with the name ACSID and store it.
For every web request to my service I add cookie name ACSID with the value saved at step 4.
This is not the most secure way of doing this. I will add check for the domain of the cookie but this looks good.
Related
We're using Google App Engine (python) and Google Cloud Endpoints (OpenAPI).
We have some endpoints for admin-exclusive use. In our app.yaml we have something like this:
handlers:
- url: /_ah/api/appname/v1/admin/.*
script: main.api
login: admin
Usually I use Postman when I need to POST a special request, but for requests to login: admin endpoints, Postman redirects to and opens source of the Google Login page, which doesn't actually allow me to login.
If I open such redirect URL in the browser, I'm actually able to login, but after that, I'm redirected to the GET version of the endpoint, which doesn't help as well. I don't think the browser has a feature which easily allows me to make a custom POST requests after I've login.
So in the end I see two alternatives... one would be "importing" the authentication cookies into POSTMAN after login. The other would be use javascript in the browser's console to "manually" make the POST request I'm trying to make.
Both options seem to me somewhat overcomplicated, and I feel like I gotta be missing some easier way of doing what I'm trying to do.
So my question is what's an easy way to make a POST request to a deployed google cloud endpoint which is protected by login: admin?
Upon investigating I see you're using App Engine with Python 2.7 runtime and that the login: admin endpoint is authenticated with Google Accounts. When you protect the endpoints all requests made to it need to be properly authenticated in order to be accepted, therefore you actually need to provide your authentication credentials to the server with every request. Since the credentials posseses a Time To Live for security reasons you cannot simplify the process permanently storing them in a file.
The answer is indeed in your question, if you want to use POSTMAN you have to import the cookies after login or create a script that handles both the authentication process and the subsequent request. Here's the documentation for POSTMAN if you decide to go this way and here's Google's documentation on making authenticated API requests.
Nevertheless, there are some important things to note. Python 2.7 is sunsetting, this means that security vulnerabilities may appear and probably won't get patched which could result in huge security breaks and/or the need to rewrite your whole backend in the newer python runtime; Google's documentation encourages the switch.
Additionally, the users library will be deprecated at some point too, so you might consider changing your authentication scheme to use Auth0 with the advantage that this option is available for both runtimes.
The cookie associated with authenticating this kind of endpoint protection is called SACSID, and the domain is your own application domain, that is, in the format project.appspot.com.
You should be able to call an endpoint using the browser, which will redirect you to the google login page, and after authenticating you should be able to copy the cookie into Postman, allowing you to make authenticated endpoint calls from there.
When adding it in Postman, you'll need the domain, the cookie name and its value.
I have tried following several ADAL (Azure AD Authentication Library) examples to get my WPF application to call an Azure secured Web API. Everything appears to work fine. I receive the login prompt, it accepts my credentials, I'm able to acquire a token. I attach the token to my request but the request always returns the HTML for the Azure login page as if I'm not authenticated.
Has anyone else experienced this type of issue? Are there certain things I should be checking for?
I think you are securing your API using a redirect based protocol instead of the oauth bearer. For a discussion on the differences between the two see http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/.
The canonical WPF sample is in https://github.com/AzureADSamples/NativeClient-DotNet. See how the web API is secured.
First of all, I am developing an AppEngine application. As framework, I am using jQuery Mobile. I use GMail API too.
To connect with GMail, I need to work with OAuth 2.0. I have set the credentials into my application (I already have client_secret.json into my project).
My situation is: I am in a JSP page when I call to my Java code (server side) to get my Gmail Service. For this task, I need to get the permissions (Oauth 2.0) from my user. Later, we need to redirect to my application.
My problem is what I do not know what I have to write exactly in "AUTHORIZED JAVASCRIPTS ORIGINS" and "AUTHORIZED REDIRECT URI".
I am testing my application in local mode and the normal URL is: localhost:8888/mobile/index.jsp
Can you help me?
Best regards,
Diego.
Details here
AUTHORIZED JAVASCRIPTS ORIGINS -> Protocols (ie HTTP and HTTPS) and domains (my-app-id.appspot.com) that can use JS and OAuth calls. For local add
http://localhost:8888/
. You will need to add one for the production URL as well.
AUTHORIZED REDIRECT URI -> When doing OAtuh calls from the app it needs a handler setup to get responses from the OAuth server. Personally I use decorators, so my redirect URI is
http://localhost:8888/oauth2callback
. Yours will vary depending on how you handle the OAuth flow.
I'm using phonegap and I want to set up google oauth for mobile and web (e.g. desktop chrome) with the same code. The end result should be an app engine cookie on the client side (whether it is the inapp browser or a desktop browser).
Since I don't want my users to do the consent screen more than once, I need a refresh_token and not just an access_token. (also I've noticed that the cordova webview doesn't have access to cookies like the regular browser)
As I understand, a refresh_token can only be received if you're doing the protocol recommended for web servers, meaning first obtaining the code, then using it to obtain the access_token and refresh_token.
When I'm authenticating in this way, the protocol requires that I send the received code to google to receive the access token, but this is a cross domain request and is blocked on desktop browsers.
How can this be conveniently solved? What is the correct way to achieve the end result?
I crudely solved my problem using my server as a mediator for the cross-domain post requests.
So the flow works like this: I get an authentication code using a pop up window. Then the user enters the code and my javascript sends it to my server. Then the server sends a request for access_token and refresh_token to google, and sends it back to the user.
Seems to work well for now, and not very complicated.
We're writing a Desktop application that relies on Google Appengine to authenticate the user and retrieve and store data associated to it.
The way we'd like to authenticate the user is that on launching the application the browser is launched at the login url for our application. Then the user logins there, and then the application makes restful calls without any OAUTH object, but re-using the browser session. I'm questioned that this won't work, since we cannot so transparently use the browser session. Is that correct?
Any alternatives beside authenticating from within the app using the ClientLoginApi?
I'm aware of:
How do you access an authenticated Google App Engine service from a (non-web) python client?
The only way to do this is if you can capture the authentication cookie used by the browser, and send it yourself. Obviously, there's no browser- or platform- independent way to do this.
A better option would be to use OAuth, with OAuth for installed apps to obtain the original token.