I am trying to manage SAML and OIDC providers in Google Identity management.
Their package seems to be broken for Python 2 currently, so I am trying to copy the code to make it work.
To call the APIs properly I need the Bearer Oauth Token. I couldnt find any APIs that are there in google cloud sdk documentation. Can you guys help me figure out how to get the OAuth Token?
The API I am trying to access is
https://identitytoolkit.googleapis.com/v2beta1/projects/mca-shaurya-7/inboundSamlConfigs
Obviously getting authentication error
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"service": "identitytoolkit.googleapis.com",
"method": "google.cloud.identitytoolkit.v2beta1.ProjectConfigService.CreateInboundSamlConfig"
}
}
]
}
}```
But the URL mentioned in the response no longer exists.
Do not use Python 2. Google dropped support for that version two years ago.
Python 2 support on Google Cloud
Start with this link on OAuth 2:
Using OAuth 2.0 to Access Google APIs
Related
I am able to log a user in okay with the Firebase Auth SDK implementation. However, it does seem that when the issued JWT expires, the user is logged out, and the automatic token refresh from the SDK fails.
The error I get is this:
{
"error": {
"code": 403,
"message": "Requests to this API securetoken.googleapis.com method google.identity.securetoken.v1.SecureToken.GrantToken are blocked.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "API_KEY_SERVICE_BLOCKED",
"domain": "googleapis.com",
"metadata": {
"service": "securetoken.googleapis.com",
"consumer": "projects/621503541053"
}
}
]
}
}
I don't understand what permissions I might need to grant. The config and API key are from the Firebase console, generated for the Web App I registered there.
The documentation shows that this error is caused due to not having the right APIs enabled. According to this post Firebase authentication, the following needs to be enabled:
Requests to this API firebaseinstallations.googleapis.com method google.firebase.installations.v1.FirebaseInstallationsService.CreateInstallation are blocked.
If you enable restrictions for your API, go to Google Cloud Console -> Credentials, Edit API key -> API restrictions, and enable Firebase Installations API.
com.google.firebase.FirebaseException: An internal error has occurred. [Requests to this API identitytoolkit method google.cloud.identitytoolkit.v1.AuthenticationService.SignInWithIdp are blocked.]
Enable Identity Toolkit API to your API restrictions.
Requests to this API securetoken.googleapis.com method google.identity.securetoken.v1.SecureToken.GrantToken are blocked.
Enable Token Service API to your API restrictions.
Enabling the “Token Service API”, along with the “Identity Toolkit API” or “Anonymous Sign-in” should solve the error.
Does the Smart Device Management API support access using a Service Account? If so what's the magic combo?
I can access the API using registered OAuth2, and get valid device list response.
When using Service Account credentials to access the device list API I get:
{
"error": {
"code": 404,
"message": "Enterprise enterprises/{project-id} not found.",
"status": "NOT_FOUND"
}
}
I think the problem is that google have chosen to cut off the "home project" user. They seem to only support oauth2 auth and if you want to use it you have to get your app certified, otherwise they revoke the refresh token after 7 days. If the refresh token didn't get revoked every 7 days then I'd be happy with oauth2 offline auth. Come on google, support the home hobbyists!
I am developing the backend for a mobile app using Google App Engine Standard Environment (Python) and Cloud Endpoints with Firebase for authentication. This backend needs to connect to a frontend created with Unity.
I am having trouble with Cloud Endpoints reading the authentication token being sent from the Unity frontend after logging in to Firebase. The App Engine logs state "No auth token is attached to the request" with each attempt at sending an authenticated request.
Here is the Cloud Endpoints declaration that includes Firebase as an issuer in my main Python file:
#endpoints.api(name='connected',
version='v4.4.0',
allowed_client_ids=["32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com "],
issuers={'firebase': endpoints.Issuer('https://securetoken.google.com/fleet-fortress-211105',
'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com')})
Here is the end of the swagger.yaml file that has the security definitions:
securityDefinitions:
firebase:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-issuer: 'https://securetoken.google.com/fleet-fortress-211105'
x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com'
x-google-audiences: "32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com"
security:
- firebase: []
I am sending the auth token that was received from Firebase to my Cloud Endpoints API in the Authorization header (e.g. Authorization:Bearer {token}).
Headers being sent:
request headers
Decoded JWT being sent in authorization header as Bearer:
{
"iss": "https://securetoken.google.com/fleet-fortress-211105",
"aud": "fleet-fortress-211105",
"auth_time": 1533831541,
"user_id": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"sub": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"iat": 1533831566,
"exp": 1533835166,
"email": "XXXX#gmail.com",
"email_verified": false,
"firebase": {
"identities": {
"email": [
"XXXX#gmail.com"
]
},
"sign_in_provider": "password"
}
}
Any help in getting my GAE Cloud Endpoints backend to read the authorization header for a JWT is greatly appreciated.
I don't know why that error is getting logged; the authorization header properly contains a Bearer token, which is what's required.
However, that error message shouldn't actually stop authentication from working. (The authentication system in the Python Frameworks is kind of a mess and there are two parallel mostly-working implementations.)
Instead, you need to call endpoints.get_current_user() in each method that you want to be protected.
I have receive the mail from google like
Great news! We’ve received your request to join the Google Analytics
Account Setup and Configuration APIs Beta and your project has been
whitelisted for access. These APIs allow you to programmatically
create and edit properties, views, and goals.
But when I am wondering to access the management api here https://developers.google.com/apis-explorer/?hl=en_US#p/analytics/v3/analytics.management.profiles.insert?accountId=83303713&webPropertyId=UA-83303713-1&_h=3&resource=%257B%250A%257D&
I am getting the same error like
"errors": [ {
"domain": "global",
"reason": "insufficientPermissions",
"message": "Your project does not have access to this feature." } ], "code": 403, "message": "Your project does not have access
to this feature." }
what else is missing?
I'm learning oauth2 using the google playground, I'm trying this request:
https://www.googleapis.com/youtube/v3/activities?part=snippet
and receiving this response:
{
"error": {
"code": 403,
"message": "Access Not Configured. Please use Google Developers Console to activate the API for your project.",
"errors": [
{
"domain": "usageLimits",
"message": "Access Not Configured. Please use Google Developers Console to activate the API for your project.",
"reason": "accessNotConfigured"
}
]
}
}
on the authorization tab I requested access to all yoututbe v3 api scopes and I granted access upon request. I'm assuming I'm forming the query parameters wrong perhaps? I'm new to oauth and how anything about it works.
I believe you need to use your own oauth clientID and secret for this particular API in the playground. If you click on the gear button on the right top corner and click the check mark on "Use your own credential" in the playground, you should be able to enter yours.
You can get your own OAuth credential by following the instruction here: https://developers.google.com/youtube/registering_an_application
Oh make sure you name your application and provide email under the APIS & AUTH ->Consent screen in the Developer console when you first create you OAuth credential for your project.
And there is one thing missing in your query as well... you need specify a filter as well. See if you can at least get this one working:
GET https://www.googleapis.com/youtube/v3/activities?part=snippet&home=true
I had the same issue, and before I found your question I had posted mine
Apparently Google hadn't enabled the Youtube Analytics API for the default/demo credentials in the oAuthPlayground, which is now enabled, see the accepted answer in the link
https://stackoverflow.com/a/33462959/2473413