Google App Engine - inline/iframe log-in - google-app-engine

Is there a way to configure Google App Engine so that the log-in page appears either inline or in an iframe, instead of requiring a link?
I would like it to be as simple as
<iframe src="{{ login_url }}">
<!-- no iframes -->
Log in
</iframe>
However that seems to be an undocumented way to go about logging in users, and I'm not sure if that's the way to go about this.
I'd be grateful for any thoughts
Thank you for reading.
Brian

This is not a good idea. By showing a Google login form on your domain how do your users know it is legitimate? By redirecting your users to a page on Google's domain it reduces the amount of confusion.
Also, you might want to review the Terms before doing this. I would not be surprised if Google specifically mentions not doing this somewhere. It's like teaching your users to give up their Google login details whenever prompted.
There have been several posts in the groups discussing this as well; Nick, and many other users, responded to this question with similar comments.

I just tried doing what you suggest here, except that I don't have the hyperlink inside of the iFrame. I want Google's authentication page to appear in the iFrame over my page rather than redirecting to the authentication page and then back to my page. I also append a query string to the login_url, and my main request then returns a simple "Welcome" message rather than my app's main page.
It works beautifully in the sandbox, but it doesn't work when deployed to GAE. The page returned by Google's login_url refuses to be displayed in an iFrame. The console message is "Refused to display document because display forbidden by X-Frame-Options." I've thought about possible workarounds, but Google obviously doesn't want the login page displayed this way. I'm disappointed, because my app uses HttpRequests heavily, so the main page never refreshes otherwise, but I'm still very happy with GAE.
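The "display forbidden by X-Frame-Options" refusal quoted above is the browser enforcing the login page's anti-framing headers. The following is an added example, not code from the original posts: a simplified model of that decision for checking your own pages. The URLs and the function names `framing_allowed` and `_origin` are assumptions made for illustration, and only the direct parent frame and exact-origin sources are handled.

```python
from urllib.parse import urlsplit

def _origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def framing_allowed(headers, page_url, embedder_url):
    """Would a browser render page_url inside a frame hosted on embedder_url?

    headers: response headers of page_url (names matched case-insensitively).
    CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    """
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = _origin(page_url) == _origin(embedder_url)

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                if src == "*":
                    return True
                if src.lower() == "'self'" and same_origin:
                    return True
                if "://" in src and _origin(src) == _origin(embedder_url):
                    return True
            return False  # 'none', an empty list, or no source matched

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # header absent or unrecognised (e.g. obsolete ALLOW-FROM)

# Constructed sample: a login page on one origin, an app on another.
LOGIN = "https://login.example/ServiceLogin"
APP = "https://app.example/"
```

A response with no anti-framing header at all is framable, which is consistent with the iframe working in a local sandbox and being refused once deployed.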

Related

Salesforce digital experience page is sometimes requiring authentication for access even though the guest user has access

I'm not posting any code, but can if anyone believes it's relevant. But the symptoms don't seem to point to the page or the code.
We have configured a Digital Experience. For the experience, we have created a single Visualforce page. The guest profile has been given access to the page and the page's controller. We have assigned that page as the "Active Site Homepage". The site will work as planned, meaning that when going to the base site URL or directly to the page, it will load without authentication. After a given amount of time (which we are not sure how long at this point) of the site not being accessed, when attempting to access the site, it will require authentication.
When that happens we try to troubleshoot. For example, I commented out some of the code on the page that was loading a Visualforce component. Tried loading the page, but it still took me to the login page. So I removed my comments, setting the page back to normal. Suddenly the page starts working and is accessible to everyone, from any location. Even for people who have never logged into the backend org. The page will continue to work for the rest of the day. The next morning we are back to square 1 and the site is requiring authentication.
I thought maybe it was the proxy caching by Salesforce, so I told everyone to stay out of the experience and waited 30 minutes. Since Salesforce says the caching is 10 minutes. But when I went to the page it worked without requiring authentication and I'm pretty sure that tomorrow morning it will start asking for authentication again.
The biggest issue is that we can't seem to troubleshoot. I will make a change to try and see what is happening and sometimes that change will cause the page to work, but then immediately reversing that change doesn't cause the page to break.
Has anyone else experienced this behavior before?
Interesting.
You might have more luck posting in dedicated https://salesforce.stackexchange.com/
Have you tried attaching debug logs? You can find the special {site name} guest user in the lookup and put debugging on for 24h, maybe it'll catch something. Is there any fancy JavaScript on the page that might be causing redirects, lazy loading of some images that might need authentication? Is there a LiveAgent embedded in the community?
Put up as simple a version of the page as you can and inspect the generated HTML. Maybe you're using spyware... sorry, analytics / tracking scripts like Google Tag Manager or Adobe's?
Have you tried browsing with browser's console open (typically F12), maybe you'll catch something weird in Network tab that fails and redirects you to login page. Can you reliably reproduce it in incognito / inprivate / etc mode? Maybe something with cookies?

Google App Engine - "Please use https://accounts.google.com/ServiceLogin instead." error

I am getting a weird error in my Google App Engine Go app. When I prompt the user to log in, they are redirected to a login screen for Google. After logging in, they get a message
Please use https://accounts.google.com/ServiceLogin instead.
I haven't touched my app's code in a few months and it wasn't an issue before. My login code is basically what one can see in the official documentation. I can easily recreate this error in both Chrome and Firefox and on multiple accounts.
The app can be viewed here (NSFW-ish), login button is on every page.
I think this can be a bug on our side. I'd recommend you file a bug report on our issue tracker, hopefully with some more details like the URL where you see that message, app-id, etc.

How to login without showing a login button on my personal blog

I decided to write a personal blog engine on Google App Engine.
But I really do not like the idea of adding a login button somewhere. How can I still do admin things, i.e. post an article, delete a comment, etc., without a login button?
One ugly solution may be not showing the login button but still providing the login URL which you can type in manually to log in. There is not much difference. I don't like this one.
Anyone know some other ways around this? I've seen many blogs without the login button, how do they implement this?
UPDATE:
One offline solution may be using the remote_api provided by App Engine; that is somewhat applicable and I'm considering using it. But you always need the App Engine Toolkit to do it. So it might not be as portable as an online version in which case everything you need is just a modern and the network connection.
You can restrict access to a specific resource of your application by using the login option in app.yaml handler definition:
- url: /admin
  login: admin
  script: admin.app
Then using the Users API you can easily check on your main page if the current user is an admin, and decide to show or not a link to this protected resource:
from google.appengine.api import users

if users.is_current_user_admin():
    pass  # render link to /admin
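Hiding the link is cosmetic; the `login: admin` handler is what enforces access, so it matters which paths that handler actually matches. The sketch below is an added example, not code from the original answer. It models app.yaml handler matching as "each url is a regular expression matched against the whole path, first match wins". The handler lists, paths and function names are constructed for illustration.

```python
import re

def required_login(handlers, path):
    """Return the login requirement ('admin', 'required' or None) for a path.

    handlers: list of dicts mirroring app.yaml handler entries, in file order.
    Model: the url regex must match the whole path; the first match wins.
    """
    for h in handlers:
        if re.fullmatch(h["url"], path):
            return h.get("login")
    return None

def unprotected(handlers, paths, level="admin"):
    """List the paths that do not resolve to the expected login level."""
    return [p for p in paths if required_login(handlers, p) != level]

# Constructed handler lists; main.app is a placeholder script name.
AS_POSTED = [
    {"url": "/admin", "login": "admin", "script": "admin.app"},
    {"url": "/.*", "script": "main.app"},
]
COVERS_SUBPATHS = [
    {"url": "/admin(/.*)?", "login": "admin", "script": "admin.app"},
    {"url": "/.*", "script": "main.app"},
]
# Same handlers with the catch-all first: it shadows the admin rule.
CATCH_ALL_FIRST = list(reversed(COVERS_SUBPATHS))

# Admin URLs a blog engine might expose (constructed).
ADMIN_PATHS = ["/admin", "/admin/", "/admin/delete-comment"]

if __name__ == "__main__":
    for name, hs in [("as posted", AS_POSTED),
                     ("covers subpaths", COVERS_SUBPATHS),
                     ("catch-all first", CATCH_ALL_FIRST)]:
        print(name, "->", unprotected(hs, ADMIN_PATHS))
```

Any path the check reports still needs its own server-side `users.is_current_user_admin()` test or a wider handler pattern.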

How to add the user name in the url for a Chrome extension?

I am working on a chrome bookmarking extension with google app engine as the backend. I am the only user now but I thought that if in the future there are other users the url needs to include the user name for the extension to interact with the backend. So I was thinking to change
http://ting-1.appspot.com/useradminpage
to
http://ting-1.appspot.com/user_name/useradminpage
where "user_name" is the gmail user id.
But I looked at twitter url and I see that they have
http://twitter.com/#!/user_name/
What is the purpose of "#!"? Is my scheme good enough in this case?
The # in a URL signifies the 'fragment identifier'. Historically this has been used to identify a part of a document identified by an 'anchor' tag, but recently webapp developers have begun to use it to pass information about the page state to Javascript code running in the page. This is used because it's possible for Javascript code to modify the fragment of the current page without causing the page to reload - meaning it can update as you browse through the webapp, and go right back to where you were when you reload the page.
The fragment is not sent to the server when the browser loads a page, so Twitter's server just sees a request for twitter.com; it's up to the Javascript code in the page to examine the fragment and determine what to do after that.
In your particular case, assuming you're using the App Engine User service to authenticate users, you have a number of options for how to distinguish users in your URLs:
Use their email address. In theory this can change, and users may not want their address in a URL they will share. If the URLs are private, this is more or less a moot point.
Use their user_id. This is opaque and reveals no useful information about the user, so it's safe, but it's also meaningless and hard to remember.
Let users pick a nickname for their URLs, like Facebook and other services do, on a first-in, first-served basis.

gwt-appengine app with part of its content protected and the rest public

I have been struggling all day with an issue. I am sure there must be some easy solution that lots have already implemented as it looks to me as a basic setup.
I am building an app with GWT and appengine using requestfactory. This app has some "pages" (they are actually MVP views) that everybody should have access to. It's like the home page and a couple of views where the service we provide is described. Then if you want to use the service you have to log in (with Google accounts and all that). Only when logged in do you have access to the rest of the views (pages) in the app. The question is, how to handle this: the fact that some pages and some requestfactory calls are public and some others have to be available to those that have logged in?
I have already discarded the auth-constraints tags in web.xml because they work with all or nothing.
The next alternative was to use servlet filters (as the expenses demo does). That could work, but only if the "open" or not secured pages didn't need to access any data from appengine datastore (and I don't want to close that door, maybe in the future I want to show status or number of users, etc etc). The reason for this is that with request factory you only have one servlet so if you put a filter you shut down all communication with appengine if the user is not logged in.
I was thinking of implementing this filter, with requestfactory for all the stuff once the user is logged in and also implement some RPC services for the data I might want to display in the "home or information pages" that I might need to retrieve from the datastore. However it looks a bit overkill for me.
Another alternative is to implement a check that the user is logged in in all the request factory service methods that I want to protect. But that doesn't look too elegant either...
Anyone had the same problem? Any ideas?
I'd appreciate any help on this.
Thanks,
You say that the auth constraints are "all or nothing", but that's not true - they're per-URL. See here for details. Also, your connection of servlet filters and datastore access is a non sequitur - the two have nothing to do with each other.
