I am able to log a user in okay with the Firebase Auth SDK implementation. However, it does seem that when the issued JWT expires, the user is logged out, and the automatic token refresh from the SDK fails.
The error I get is this:
{
"error": {
"code": 403,
"message": "Requests to this API securetoken.googleapis.com method google.identity.securetoken.v1.SecureToken.GrantToken are blocked.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "API_KEY_SERVICE_BLOCKED",
"domain": "googleapis.com",
"metadata": {
"service": "securetoken.googleapis.com",
"consumer": "projects/621503541053"
}
}
]
}
}
I don't understand what permissions I might need to grant. The config and API key are from the Firebase console, generated for the Web App I registered there.
The documentation shows that this error is caused due to not having the right APIs enabled. According to this post Firebase authentication, the following needs to be enabled:
Requests to this API firebaseinstallations.googleapis.com method google.firebase.installations.v1.FirebaseInstallationsService.CreateInstallation are blocked.
If you enable restrictions for your API, go to Google Cloud Console -> Credentials, Edit API key -> API restrictions, and enable Firebase Installations API.
com.google.firebase.FirebaseException: An internal error has occurred. [Requests to this API identitytoolkit method google.cloud.identitytoolkit.v1.AuthenticationService.SignInWithIdp are blocked.]
Enable Identity Toolkit API to your API restrictions.
Requests to this API securetoken.googleapis.com method google.identity.securetoken.v1.SecureToken.GrantToken are blocked.
Enable Token Service API to your API restrictions.
Enabling the “Token Service API”, along with the “Identity Toolkit API” or “Anonymous Sign-in” should solve the error.
Related
I am trying to manage SAML and OIDC providers in Google Identity management.
Their package seems to be broken for Python 2 currently, so I am trying to copy the code to make it work.
To call the APIs properly I need the Bearer Oauth Token. I couldnt find any APIs that are there in google cloud sdk documentation. Can you guys help me figure out how to get the OAuth Token?
The API I am trying to access is
https://identitytoolkit.googleapis.com/v2beta1/projects/mca-shaurya-7/inboundSamlConfigs
Obviously getting authentication error
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"service": "identitytoolkit.googleapis.com",
"method": "google.cloud.identitytoolkit.v2beta1.ProjectConfigService.CreateInboundSamlConfig"
}
}
]
}
}```
But the URL mentioned in the response no longer exists.
Do not use Python 2. Google dropped support for that version two years ago.
Python 2 support on Google Cloud
Start with this link on OAuth 2:
Using OAuth 2.0 to Access Google APIs
Does the Smart Device Management API support access using a Service Account? If so what's the magic combo?
I can access the API using registered OAuth2, and get valid device list response.
When using Service Account credentials to access the device list API I get:
{
"error": {
"code": 404,
"message": "Enterprise enterprises/{project-id} not found.",
"status": "NOT_FOUND"
}
}
I think the problem is that google have chosen to cut off the "home project" user. They seem to only support oauth2 auth and if you want to use it you have to get your app certified, otherwise they revoke the refresh token after 7 days. If the refresh token didn't get revoked every 7 days then I'd be happy with oauth2 offline auth. Come on google, support the home hobbyists!
I am developing the backend for a mobile app using Google App Engine Standard Environment (Python) and Cloud Endpoints with Firebase for authentication. This backend needs to connect to a frontend created with Unity.
I am having trouble with Cloud Endpoints reading the authentication token being sent from the Unity frontend after logging in to Firebase. The App Engine logs state "No auth token is attached to the request" with each attempt at sending an authenticated request.
Here is the Cloud Endpoints declaration that includes Firebase as an issuer in my main Python file:
#endpoints.api(name='connected',
version='v4.4.0',
allowed_client_ids=["32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com "],
issuers={'firebase': endpoints.Issuer('https://securetoken.google.com/fleet-fortress-211105',
'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com')})
Here is the end of the swagger.yaml file that has the security definitions:
securityDefinitions:
firebase:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-issuer: 'https://securetoken.google.com/fleet-fortress-211105'
x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com'
x-google-audiences: "32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com"
security:
- firebase: []
I am sending the auth token that was received from Firebase to my Cloud Endpoints API in the Authorization header (e.g. Authorization:Bearer {token}).
Headers being sent:
request headers
Decoded JWT being sent in authorization header as Bearer:
{
"iss": "https://securetoken.google.com/fleet-fortress-211105",
"aud": "fleet-fortress-211105",
"auth_time": 1533831541,
"user_id": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"sub": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"iat": 1533831566,
"exp": 1533835166,
"email": "XXXX#gmail.com",
"email_verified": false,
"firebase": {
"identities": {
"email": [
"XXXX#gmail.com"
]
},
"sign_in_provider": "password"
}
}
Any help in getting my GAE Cloud Endpoints backend to read the authorization header for a JWT is greatly appreciated.
I don't know why that error is getting logged; the authorization header properly contains a Bearer token, which is what's required.
However, that error message shouldn't actually stop authentication from working. (The authentication system in the Python Frameworks is kind of a mess and there are two parallel mostly-working implementations.)
Instead, you need to call endpoints.get_current_user() in each method that you want to be protected.
I have receive the mail from google like
Great news! We’ve received your request to join the Google Analytics
Account Setup and Configuration APIs Beta and your project has been
whitelisted for access. These APIs allow you to programmatically
create and edit properties, views, and goals.
But when I am wondering to access the management api here https://developers.google.com/apis-explorer/?hl=en_US#p/analytics/v3/analytics.management.profiles.insert?accountId=83303713&webPropertyId=UA-83303713-1&_h=3&resource=%257B%250A%257D&
I am getting the same error like
"errors": [ {
"domain": "global",
"reason": "insufficientPermissions",
"message": "Your project does not have access to this feature." } ], "code": 403, "message": "Your project does not have access
to this feature." }
what else is missing?
I am currently trying to use the Google Identity Toolkit Token Service REST API (https://developers.google.com/identity/toolkit/reference/securetoken/rest/v1/token) to generate an access token which I can use in my backend server.
When I specifying "authorization_code" as "grant_type" and the gtoken cookie value after authentication as "code" in the POST request to https://securetoken.googleapis.com/v1/token, I get a 403 response with the following error message:
{
"error": {
"code": 403,
"message": "The request cannot be identified with a client project. Please pass a valid API key with the request.",
"status": "PERMISSION_DENIED"
}
}
I inspected the gtoken value via a JWT decoder and it looks to be correct in format. In particular I can see that aud is set to my application/client ID. The documentation doesn't say anything about specifying API key - usually I would expect that to be specified in the Authorization header. So I am not sure what I am missing here.
Any pointer to this matter would be appreciated.
An API key in the URL is required when calling Google Identity Toolkit APIs (including the Token Service API). However, I would suggest you take a look at the new version of the service - Firebase Authentication. The Firebase Auth SDK has build-in support of the Token Service API.