I am trying to use Google Apps Script in Google Spreadsheet and have an OAuth issues.
The Spreadsheet and Google App application are both protected by Oauth provided by Google as I am using Google Apps for Business.
Below is the script I am using. It gives me the oauth dance but fails to invoke the URL and retruns with a 302 response.
Not sure what to do next. have tried setting auth callback hadler and everything but did not get far. I also have ScriptProperties being set for key and secret (not seen below). Also the scope is not set as App Engine indicates that OAuth is for the entire app.
I get a 302 response at the end of this, after Google App Engine telling me that an app is requesting access. It also indicates that appspot.com is an external provider
var oAuthConfig = UrlFetchApp.addOAuthService("google");
oAuthConfig.setAccessTokenUrl("https://<blah>.appspot.com/_ah/OAuthGetAccessToken");
oAuthConfig.setRequestTokenUrl("https://<blah>.appspot.com/_ah/OAuthGetRequestToken");
oAuthConfig.setAuthorizationUrl("https://<blah>.appspot.com/_ah/OAuthAuthorizeToken?hd=<blah.com>");
oAuthConfig.setConsumerKey(consumer_key);
oAuthConfig.setConsumerSecret(consumer_secret);
var requestData = {
"method": "GET",
"oAuthServiceName": "google",
"oAuthUseToken": "always"
};
var response = UrlFetchApp.fetch(url, requestData);
You can't use the consumerKey and consumerSecret on AppEngine api's. AppEngine is not part of the authorization/configuration used for Google Apps for Business. Try without them and revoke the permissions granted already or change the name (from "google") to something else.
Related
Using App Engine (Java) to add custom claims to a user's Firebase token as shown here. I'm using the Application Default Credentials as my project owner account. Running gcloud auth list shows that the correct account is active.
I've configured my Firebase settings in the app as follows:
// Error handling and try/catches omitted
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredentials(GoogleCredentials.getApplicationDefault())
.setProjectId("<my-app>")
.setDatabaseUrl("https://<my-app>.firebaseio.com/")
.build();
FirebaseApp.initializeApp(options);
Once this is set, I use the following code adapted from the example here.
Map<String, Object> claims = new HashMap<>();
claims.put("role", "admin");
fbInstance.setCustomUserClaims(usersFirebaseAccessToken, claims);
This throws the following error:
Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.
After seeing this, I reverted to the standard service account approach where instead of GoogleCredentials.getApplicationDefault(), I used ServiceAccountCredentials.fromStream(serviceAccountStream) where serviceAccountStream = new FileInputStream("path-to-service-account-file"). This complained about insufficient privileges despite having the Firebase Admin group in GCP IAM settings. The real issue, though, is that the Identity Toolkit docs here mention that the Identity Toolkit is being replaced by Firebase Authentication, which seemed to be the approach I was originally trying.
I'm interested to know what the error message above means by "end user". This seems to suggest that the GCP SDK is trying to authenticate as the user represented by the Firebase token but I'm almost certain this isn't what it means.
Is there something I'm missing in my Firebase config that's causing the system to think I'm the wrong user?
I have an Angular4 Application hosted in an Azure Web App and a .NET core Web API hosted in an Azure API App.
The API is secured with Azure Active Directory. Currently I use ng2-adal to aquire an access token which I inject to the headers to perform my API calls.
Now I try to remove the ng2-adal module and secure my Web App with the Authentication / Authorization feature using the same ClientId (like the API). When I browse to my website I get redirected to the AAD login and after I successfully login, I get redirected to my site. Now I wan't to call the API (that is secured with the same ClientId) within my Web App but can't find a way to retrieve the token.
Is there a way to retrieve the access token within my Angular App in this scenario?
It looks like the token is stored encrypted within the AppServiceAuthSession Cookie:
The AppServiceAuthSession is cookie which is different than a token. In this scenario, you need to modify the config of Azure app to make it acquire the access_token for the web API.
We can use the Resource Explore to modify the settings like below:
1 . locate the angular web app
2 . locate the config->authsettings(resource is the clientId of Azure app which used to protect your apps)
"additionalLoginParams": [
"response_type=code id_token",
"resource=3fa9607b-63cc-4050-82b7-91e44ff1df38"
],
3. config the redirect_uri for Azure app like below:
https://appfei.azurewebsites.net/.auth/login/aad/callback
Then after you login in the angular app, you can get the access_token via the endpoint:
https://appfei.azurewebsites.net/.auth/me
Then we need to protect the web API using the Advanced Azure Active Settings like figure below to enable the access_token could call the web API:
I've been working on this for a week.
So, I'd like to share how I got it.
I was able to have authentication for my app using AAD.
I have AppServiceAuthSession in my cookies storage.
Then on my application, I called the auth/me API.
https://yourwebsite.azurewebsites.net/.auth/me
So, it's like:
this.$http
.get('https://yourwebsite.azurewebsites.net/.auth/me').then(response => {
console.log(".auth/me", response)
}, err => {
console.log("Error: ", err)
})
I'm actually using Vue. calling your HTTP might be different.
And that's it.
I basically called the auth/me API to retrieve the information I needed.
P.S. You need to be authenticated of course.
found this solution:
just need to add your app url on
Authentication / Authorization-> ALLOWED EXTERNAL REDIRECT URLS
so the webapi will automatically accept those cookies.
ps: make sure your ajax request is passing those cookies on it.
What URLs I need to enter in Google API credential page?
I created an Oauth2 credential for my Google App engine web app.
I entered callback as https://myapp.appspot.com/oauth2callback and it works fine.
Now I am developing V2 and am deploying the app to 2-dot-myapp, Oauth2 stopped working. Do you have to specify callbacks for all versions I am going to deploy?
Yep! Google (or any OAuth provider) will not allow people to log in unless the callback URL provided during authorization exactly matches one that configure on the credentials page.
I am working on a chrome app which is using an appengine app as a backend. Usually it is possible to use the Google OAuth or the deprecated Google ClientLogin to obtain the ACSID token. The chrome app API provides identity to support oauth2 in chrome apps.
I am able to get an auth token, but am failing in converting it into a valid ACSID token. I have done successfully something similar on android. The key was that when asking for the auth token, I had to specify the specific service ("ah" for the appengine). Could anyone point me out what should be the scope and how to configure the outh2 params in the manifest file?!
Thanks in advance for any help.
I want to implement some form of access control for a REST API implemented in App engine. Is it possible to get the list of GAE Applications that a user has permissions to administer or view in the app engine console. Or whether the user has permissions to administer/view the current application.
Note: the Users API does not work for me because this is a rest server called by another google app not a web service called by a user from the browser. OAuth API seems promising but I was unable to find an OAuth scope or rest endpoint for getting GAE related information.
there is no API that can provide a "list of GAE Applications that a user has permissions to administer." Google Cloud Endpoints on App Engine (Trusted Tester program) may be useful for hosting custom RESTful APIs with user authorization may be useful, read more here: http://endpoints-trusted-tester.appspot.com/
There must be an API as the Google Eclipse plugin is using it.
https://developers.google.com/eclipse/docs/signin?hl=de
But it is not documented.