In the AppEngine console I have enabled datastore administration. I also enabled the remote API. However, when I try to access it I see the following message:
Error: Forbidden
Your client does not have permission to get URL
Many people seem to have a 400 (Not found) or 500 (Error), but none of the fixes for these issues seem to fix this permission problem.
The permissions issue was caused by having login for my webapp restricted to one domain, while I was accessing the AppEngine administration from another domain.
As an example, AppEngine administration was being performed from support#my_developer_domain.com, whereas all the logins for the app itself were in the form xyz#client_company_domain.com.
The solution was to get the client to assign me an email address at their own domain (andy#client_company_domain.com) then invite that account to be a developer for the web app. After accepting the invitation and logging in with this account, the datastore admin page was visible.
The problem: I'm getting errors from Google while attempting SSO through Azure AD and can't even begin to guess why or how to go about debugging the issue.
The story:
My org is looking at leveraging Microsoft's nonprofit benefits by setting up Azure for web hosting and Sharepoint to start with, which also entails using Active Directory. As it stands right now, we've successfully gotten our website running and accessible to the world on our custom domain, and our AD is populated with a copy of what's in our Google Workspace directory so we can use Active Directory as our authoritative directory.
We've been trying to implement SSO with the Azure/Gsuite connector, to have them auth with their Azure credentials to get into GMail, Docs, Drive, etc, but Google Workspace seems to choke. I have gone over the setup instructions repeatedly, ensured we're using all of the proper URLs in the Connector's SAML settings and in Workspace's "SSO with third party IDPs" settings, the proper certificate is in place... Provisioning is set up but not active, and I have successfully provision-on-demanded my account and an unprivileged test account.
Here are my settings in Azure:
Here are my settings in Google:
And to test this here's what I've done:
I open up a fresh InPrivate/Incognito window.
I go to https://myapplications.microsoft.com/ and am prompted to login. I use my unprivileged test account credentials.
Upon auth I click on the Connector app to attempt to go to my Gmail inbox.
After a wait on a white screen, I get a Google error screen with "Invalid Email - We are unable to process your request at this time, please try again later."
If I disable the SSO settings for my org in Google Admin, I'm able to log into the account just fine with Google, get to the gmail inbox, etc.
Conversely, if I attempt the same steps with my admin account, I get a similar page with a slightly different message, "Server Error - We are unable to process your request at this time, please try again later."
I have been bashing my head against this for two whole nights and can't make any headway. What gives? I can't even figure out how to debug these errors.
Somebody (me) failed their perception check repeatedly because the problem was that the Unique User Identifier SAML claim in Azure was set to user.mail instead of user.userprincipalname as it should have been as per the tutorial.
I'll see myself out now.
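One way to debug the failure described in the answer above, as an added example that is not part of the original posts: decode the SAMLResponse form field that Azure AD posts to Google and compare the NameID it carries with the Workspace login. The function names, domains and sample assertion below are constructed for illustration, and the check assumes the Workspace primary email equals the Azure userPrincipalName.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_sample_response(name_id):
    """Constructed stand-in for a SAMLResponse captured from the browser's POST."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Assertion>
        <saml:Issuer>https://idp.example/constructed-tenant/</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
        </saml:Subject>
        <saml:Conditions><saml:AudienceRestriction>
          <saml:Audience>sp.example</saml:Audience>
        </saml:AudienceRestriction></saml:Conditions>
      </saml:Assertion>
    </samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def _text(el):
    return el.text.strip() if el is not None and el.text else None

def inspect_saml_response(b64_response, expected_login):
    """Report what the IdP actually sent. HTTP-POST binding: base64, not deflated.

    Debugging aid for your own captured response only; it does not verify
    the XML signature and must not be used to make an access decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(".//a:Subject/a:NameID", NS)
    sent = _text(name_id)
    return {
        "issuer": _text(root.find(".//a:Assertion/a:Issuer", NS)),
        "audience": _text(root.find(".//a:Audience", NS)),
        "name_id": sent,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        # The service provider looks the user up by this value.
        "matches_expected": sent is not None and sent.lower() == expected_login.lower(),
    }

if __name__ == "__main__":
    # Constructed case: the claim is mapped to a mail attribute that differs from the login.
    captured = build_sample_response("t.user@mail.example")
    for key, value in inspect_saml_response(captured, "testuser@example.org").items():
        print(f"{key}: {value}")
```

A mismatch in matches_expected points at the claim mapping on the identity provider side rather than at the certificate or URLs.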
When I try to open the google appengine datastore admin tool it redirects me to:
https://ah-builtin-python-bundle-dot-myapp.appspot.com/_ah/login_required?continue=https://ah-builtin-python-bundle-dot-myapp.appspot.com/_ah/datastore_admin%3Fapp_id%3Dmyappid
and gives me a 500 error.
According to this appengine bug report:
https://code.google.com/p/googleappengine/issues/detail?id=10150&q=%22datastore%20admin%22&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log
"This looks to be a problem because you are using non-default authentication scheme.
Are you using user service/Google Accounts API for authentication of users inside your application? If not, consider changing your authentication method.
If you are, then you'll need to setup a custom domain and access the datastore admin via:
https://ah-builtin-python-bundle-dot-
so that the correct authentication cookies can be used."
I'm using simpleauth for authentication and have a custom domain with an ssl certificate.
I would love to be able to backup my datastore data, it's a pretty big risk for my site if I can't!
Any ideas?
Must have been a problem on Google's end, because when I tried again a few months later it magically worked.
We are using Google AppEngine for my site. Unfortunately I can't seem to get full owner admin access even though I am supposed to be a Super Admin according to my Google account.
When I go to Google Appengine (https://appengine.google.com/permissions....) using my Google account, it indicates I am a "developer". I believe I need full owner access in order to upload an SSL certificate for the domain plus add or edit the permission. I've called Google support and they wash their hands, saying the above is outside their core knowledge. Any suggestions would be most welcome.
Google Apps admin status does not give you "owner" status on AppEngine. Owner of the AppEngine app has to go to the "Permissions" tab in GAE console and grant you this status.
I've set up an AppEngine account using Google Apps Authentication and I've resigned myself to the fact that it can't be changed. But can you switch the domain that it's bound to?
UPDATE
Forgot one point. We've already added users from the new domain as AppEngine administrators and we're able to log into the AppEngine console with them. But there are certain URLs in the app itself (e.g. cron jobs/task queues) that we've restricted to access by admins only. When we try to access them, we are directed to the domain-specific AppEngine page (i.e. http://appengine.google.com/a/myolddomain.com) to log in. When I update the URL to the new domain, I can log in but then I get a page saying "The page is requesting permission to access your Google account. Select an account you would like to use." And there are no options in the list to select. I can click Continue but then I'm redirected back to the login page for the old domain again.
No. If you created an app with Google Apps authentication, it is tied to that domain to authenticate against forever. This only matters if you're using the Users API, of course.
Yes you can switch to another domain. App Engine is a service in your apps domain. Because it is a service, I think you can add the same appspot service to multiple apps domains.
I have an application deployed to Google App Engine.
The application relies on the App Engine User API to log in and sign up. However, I noticed that if a user signs up using a Hotmail account, after verifying the account through the OpenID option, App Engine tries to direct the browser to the following URL: https://appengine.google.com/_ah/conflogin?continue=https://myappid.appspot.com/login.do, where /login.do is used in UserService.createLoginURL("/login.do") to create the login URL.
At this step I am getting a 500 Server Error, as follows. When I check my server log, I couldn't find any request to login.do. Please help.
Error: Server Error
The server encountered an error and could not complete your request.
If the problem persists, please report your problem and mention this error message and the query that caused it.
I got this error when logged in to 4 accounts.
It works when logged in to 3 accounts.
We cannot control the number of accounts a user is logged in to at the same time.
I think it is a critical bug in Google's implementation.
Conclusion: the Users API is not usable. The only way is to use OAuth.