I am trying to add a page to a website that displays the analytics from a gapi analytics account. I have a google analytics account already, and have created a google service account to allow authentication without google sign in. After creating the account I was given a json key which contains the following information:
"type": "service_account",
"project_id": ".....",
"private_key_id": "....",
"private_key": "-----BEGIN PRIVATE KEY-----xxxx-----END PRIVATE KEY-----\n",
"client_email": "......",
"client_id": "......",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url"...."
Then I am atempting to authenticate the sign in using:
gapi.analytics.auth.authorize({
'serverAuth': {
'access_token': token
}
});
Does anyone know how I find the access token? Because it was not given in the json file with the other information. Thank you!
I think the first port of call would be the documentation, which has an example for Embed API Server-side Authorization (yes, this is a link-only answer, but if Google goes offline the OP is screwed in any case).
The example is in Python, however the same technique works with all the client libraries.
Related
I am writing a custom backend (nestjs) in which I want to verify if the token from firebase auth is valid and retrieve user information too.
I do not want to use the actual firebase auth so I ended up using firebase local emulator.
Now I want to test my endpoint written in nestjs using postman wherein I send the unsigned token from postman for nestjs to verify from local emulator. But I couldn't find a way to create an unsigned token without creating a UI for the same, I really do not want to spend time in creating a react application to just console.log a token. Is there any better way to do this that I might be missing ??
Thanks for the help.
Assuming your Authentication emulator runs on port 9099 and you have a user created, you should be able to make the following HTTP POST request to get a token. The token is in the idToken field of the response object.
http://localhost:9099/identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=any_key_you_want
Body (JSON):
{
"email": "your-user#mail.com",
"password": "some-password"
}
Response:
{
"kind": "identitytoolkit#VerifyPasswordResponse",
"registered": true,
"localId": "yourUserId",
"email": "your-user#mail.com",
"idToken": "someIdToken",
"refreshToken": "someRefreshToken",
"expiresIn": "3600"
}
I found this solution playing with a React application with the firebase (^9.6.2) package installed, setting connectAuthEmulator(auth, "http://localhost:9099");, and looking at the request it made when I logged in.
I'm having trouble logging in to my Node.js REST API with Google Sign-in. The login works fine when I'm using my Vue.js frontend with Axios. But it doesn't work when I'm using Postman, and this prevents me from testing it.
I've created my project in Firebase, enabled Authentication. I intend to use only email/password authentication. Firebase Console created the Firebase SDK Snippet:
const firebaseConfig = {
apiKey: "AIza...AA",
authDomain: "myproject-bcd3e.firebaseapp.com",
projectId: "myproject-bcd3e",
storageBucket: "myproject-bcd3e.appspot.com",
messagingSenderId: "13337141888",
appId: "1:13337141888:web:ace61d519026919f63c89d"
};
A service account has also been generated on Google Cloud Platform. It has a Client ID and a Client Secret key.
{
"web": {
"client_id": "667614098088-d3rbps7vc2f0p8b3rkvc86evpgcv98oa.apps.googleusercontent.com",
"project_id": "myproject-bcd3e",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "SUY-...-...FJ",
"redirect_uris": [
"https://myproject-bcd3e.firebaseapp.com/__/auth/handler", "http://localhost:3001", "https://localhost:3001", "https://oauth.pstmn.io/v1/callback"
],
"javascript_origins": ["http://localhost", "http://localhost:5000", "https://myproject-bcd3e.firebaseapp.com", "http://localhost:3001", "https://localhost:3001"]
}
}
In Postman I created a new OAuth2 Authorization Token with the following configuration:
Token Name: Google
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://oauth2.googleapis.com/token
Client ID: *client_id from the service account JSON*
Client Secret: *client_secret from the service account JSON*
Scope: openid
State: *random string*
Client Authentication: Send client credentials in body
When I click the Get New Access Token button in Postman, it opens the browser and loads the Google authentication screen. Problem: It's not a password login, and I don't see an option for that.
The sign-in process then finishes successfully and Postman collects a valid-looking ID token.
But when I pass this token to my backend, and it verifies it with auth().verifyIdToken(), the result is this error:
Unable to sign in: Firebase ID token has incorrect "aud" (audience) claim. Expected "myproject-bcd3e" but got "667614098088-d3rbps7vc2f0p8b3rkvc86evpgcv98oa.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
Apparently there's something about confusing the Client ID with the Project ID. What's wrong?
I am developing the backend for a mobile app using Google App Engine Standard Environment (Python) and Cloud Endpoints with Firebase for authentication. This backend needs to connect to a frontend created with Unity.
I am having trouble with Cloud Endpoints reading the authentication token being sent from the Unity frontend after logging in to Firebase. The App Engine logs state "No auth token is attached to the request" with each attempt at sending an authenticated request.
Here is the Cloud Endpoints declaration that includes Firebase as an issuer in my main Python file:
#endpoints.api(name='connected',
version='v4.4.0',
allowed_client_ids=["32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com "],
issuers={'firebase': endpoints.Issuer('https://securetoken.google.com/fleet-fortress-211105',
'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com')})
Here is the end of the swagger.yaml file that has the security definitions:
securityDefinitions:
firebase:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-issuer: 'https://securetoken.google.com/fleet-fortress-211105'
x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com'
x-google-audiences: "32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com"
security:
- firebase: []
I am sending the auth token that was received from Firebase to my Cloud Endpoints API in the Authorization header (e.g. Authorization:Bearer {token}).
Headers being sent:
request headers
Decoded JWT being sent in authorization header as Bearer:
{
"iss": "https://securetoken.google.com/fleet-fortress-211105",
"aud": "fleet-fortress-211105",
"auth_time": 1533831541,
"user_id": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"sub": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"iat": 1533831566,
"exp": 1533835166,
"email": "XXXX#gmail.com",
"email_verified": false,
"firebase": {
"identities": {
"email": [
"XXXX#gmail.com"
]
},
"sign_in_provider": "password"
}
}
Any help in getting my GAE Cloud Endpoints backend to read the authorization header for a JWT is greatly appreciated.
I don't know why that error is getting logged; the authorization header properly contains a Bearer token, which is what's required.
However, that error message shouldn't actually stop authentication from working. (The authentication system in the Python Frameworks is kind of a mess and there are two parallel mostly-working implementations.)
Instead, you need to call endpoints.get_current_user() in each method that you want to be protected.
I want to link Google AdWords account to Google Analytics one via API.
I have
Google AdWords Manager Account (with created some sub accounts)
Google Analytics Account with (with created account, property and some views)
To achive this i'm using this method https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtReference/management/webPropertyAdWordsLinks/insert
When i use "API Explorer" or doing it manually (via web interface) everything works fine, but when I'm trying example code from documentation all I receive is this error:
{"error":{"errors":[{"domain":"global","reason":"insufficientPermissions","message":"User does not have sufficient permissions for this web property."}],"code":403,"message":"User does not have sufficient permissions for this web property."}}
I'm using Google PHP Client Library. Google Analytics Account was created with the same email as for AdWords Manager Account.
What's up with these permission? Do i need more configuration?
UPDATE
For GA authentication i follow up these tutorial: https://developers.google.com/analytics/devguides/config/mgmt/v3/quickstart/service-php
So after visit: https://console.developers.google.com/flows/enableapi?apiid=analytics&credential=client_key
i have ended up with json file:
{
"type": "service_account",
"project_id": "....",
"private_key_id": "...",
"private_key": "..."
"client_email": "...#metal-hologram-.....iam.gserviceaccount.com",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/..."
}
client_email i've added in GA -> Admin -> User management -> add account (with full permissions)
AdWords authentication done here:
https://console.developers.google.com/apis/ -> credential -> OAuth - > Application type: Other -> OAuth
Refresh token generated by script: https://github.com/googleads/googleads-php-lib/blob/master/examples/Auth/GetRefreshToken.php
I'm a newbie so any help appreciated.
I've created an app/service using Google App Engine (node) that returns a simple 'hello world' response, see https://resumetemplatesconverter.appspot.com/
I've also got a Polymer web app that uses Firebase Authentication for sign up, sign in, sign out, etc.
Question is, what is the best way to configure the Google App Engine app/service so that only users authenticated with the Polymer web app can use it?
Thanks.
Firebase (Authorization Server) sends a token (Access Token) back to the client (browser).
The client now makes a request to your app engine service (Resource Server) with that token.
What you need to do is to check if the token is valid and if it is valid, return that secret data.
The OAuth 2.0 spec doesn't clearly define the interaction between a Resource Server and Authorization Server for access token validation:
Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.
So for each authentication service (Google, Facebook, GitHub, etc.) you use, you have to look up how to validate the Access Token.
Example:
Google
Request (from your app engine backend)
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
Response
{
// These six fields are included in all Google ID Tokens.
"iss": "https://accounts.google.com",
"sub": "110169484474386276334",
"azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"iat": "1433978353",
"exp": "1433981953",
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser#gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
You can make this plain request from your backend server but it would be better using one of the Google API Client Libraries
See here for more info regarding Authenticate with a backend server