I'm having a strange google video intelligence api request error when I run a test with python vcr. I was wondering if anyone else has seen this error, and if so, why we have this and how to solve it?
I use VCR to mock the request to video intelligence api.
I use pytest to run my test.
If I delete the VCR and rerun it runs fine, and if I try running it again after vcr is created it also runs fine. However after a while, (not currently sure if this is hours or days, I will get the error below from running the vcr).
The error is below:-
"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential.
This is the VCR error
E google.api_core.exceptions.Unauthenticated: 401 Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
<string>:3: Unauthenticated
Assertion failed
Google Vision Intelligence just like other google service, use gRPC to communicate with service backend. Unfortunately, VCR does not support gRPC yet.
The only thing VCR recorded during test is OAuth token (checked the cassettes file VCR generated). When it expired, it will cause the Unauthenticated Error
reference:
Feature request about gRPC support
https://github.com/kevin1024/vcrpy/issues/560
VCR for gRPC (Ruby) https://github.com/btoews/gcr
The error seems to point towards invalid authentication credentials.
There might be two possible scenarios behind this error -
You can follow the below mentioned steps to verify the initial setup configuration you have made :
Solution1- For Custom Service account i.e user-managed service accounts:
If you have created a service account of your own then you will need to generate the keys for that service account.
You also need to set the Environment variables using:
“export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH”
Solution2- Application Default Credentials are not available:
For Default Service accounts ( projects which have enabled the Compute Engine API will have a Compute Engine default service account which will use the Application Default Credentials ), you can follow the below mentioned steps:
You need to log in using the command : gcloud auth application-default login
If you want to make sure that the authentication process went well then run : gcloud auth application-default print-access-token. You should be able to see an access token.
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Basically gcloud auth application-default login acquires credentials to make them available to the applications in your local machine to use when they are configured to use Application Default Credentials.
Related
I don't know why I can't find confirmation in the docs, maybe I am not navigating them correctly, although MSAL seems to have options to fit it into any application. This is my first time integrating a SAML sso procedure into any of my web-apps. I am just looking for some clarity on the correct, and secure way to verify the person attempting to login, is actually logged in with the IDP.
I am confused at the part after confirmation of login is given to my redirect API, I currently have it all happening on the front-end, then submitting the response to my back-end. Which is a RESTful API built with Django, and postgres database. At this point, I am thinking I need to verify my accessToken for authenticity, but I am unsure if I should be creating another PublicClient instance in python, and then sending the same commands to the IDP.
To guess at this point, I'm thinking this is wrong, as I need to verify the token, rather than get another Access and Refresh token. I'm thinking I just need to verify there is a session open with the IDP, and that the Access Token matches. Can anyone shed some light on this, possibly provide even just some direction.
The client Python Django Web App uses the Microsoft Authentication Library (MSAL) to sign-in and obtain an Access Token from Azure AD.
The access token is used as a bearer token to authorize the user to call the Python Flask Web API protected by Azure AD.
The Python Flask Web API then receives a token for Azure Resource Management API using the On-Behalf-Of flow.
To learn more about handing access token validation at the API layer, look into this sample walkthrough: https://github.com/Azure-Samples/ms-identity-python-on-behalf-of#about-the-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
We have created a Flutter Web app that fetches bigquery data through bigquery API from Cloud Function. We were using a service account for authentication but as we want to make our application public, we need to use OAuth for end-user and use OAuth credentials.
I have tried to deploy the code from this link for testing on cloud function but the cloud function keeps on running and shuts down because of timeout. I then checked the logs and found that, the reason was the cloud function doesn't allow the browser to open for authentication as it would do when run locally.
Logs:
Function execution started
Please visit this URL to authorize this application: https://accounts.google.com/o/oauth2 /auth?response_type=code&client_id=XXXXXXXXXXXXXXXX&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery&state=IXYIkeZUTaisTMGUGkVbgnohlor7Jx&access_type=offline.
Function execution took 180003 ms, finished with status: 'timeout'
I am confused as to how can I now authenticate and authorize a user once and have that credentials for every other bigquery API used in our web app.
I think you are missing the point of the use of Cloud Functions. The documentation you shared clearly states:
This guide explains how to authenticate by using user accounts for access to the BigQuery API when your app is installed onto users' machines.
This is never the case for a Cloud Function, since it is hosted in a Google Cloud Server and available for you to use via an HTTP request or a background process.
Because of that, Cloud Function will interact with other GCP products by using Service Accounts and if you want to setup authentication you will have to set it up in the Cloud Function layer, for which I recommend you to take a look at this documentation which explains the principles of authentication with Cloud Functions
Hi I have our website running on appengine with flask as backend framework and we have built our authentication and session management using libraries Flask-OAuth, Flask-Login.
But now I have a requirement to use firebase for authentication.
I am able create sample applications following firebase tutorials but I do no how to integrate with existing application.
In Firenotes samples provided by firebase team they are using two separate services frontend and backend.
I thought of using firebase code in login.html page and once client authenticated pass the info to /profile url -> log the user_id in database and login-user using Flask-Login.
I am not sure whether the above flow is correct and I am not to ensure that it is correct one without any problems in future.
Please help with any ideas as I need to implement it very soon!!
Flask-Login uses session based authentication. Clients login using an authentication scheme. Since you are using Flask-OAuth, it's the oauth flow. If the user successfully authenticates, Flask-Login sends a response during the token exchange step setting an HTTP only cookie (meaning javascript can't access it) with a token unique to the user session. The client then authenticates future requests for the duration of the session with that token. The server can invalidate the session at any time, forcing the client to log in again.
Meanwhile, firebase authentication is JSON Web Token (JWT) authentication scheme. After completing the login flow, the firebase API retrieves a JWT from google's application servers.
To authenticate requests, you need to transmit that JWT on EVERY request. Your server MUST also validate the JWT to ensure that it is both valid and unexpired.
You'll note that the manner by which the JWT arrives at the server is unspecified by the firebase SDK and libraries. I recommend using a Authentication: JWT <google's jwt> header.
One way to resolve your question would be to use the JWT to complete the initial login flow, and then rely on session based auth from there. You'd set up a login endpoint that expects and validates a JWT, and responds with the set cookie header. From that point forward you continue using your flask-login provided session based auth.
Google actually has an example of this in their documentation: https://firebase.google.com/docs/auth/admin/manage-cookies
The documentation google + domains api to create a post using the 'service' object, obtained here by this method. But in my project to authenticate via google and other sites I use the python social auth
and after authorization I have a ready access token.
The problem lies in the fact that I need a service object to work with api, but I can not figure out how to get it already having access token. Please help me and sorry for my english.
For the domains API, you typically will implement using a service account authorization flow - which is not retrieved in the same way as a user OAuth flow. This is because service accounts can be authorized for services that users typically should not be authorized for (e.g. retrieving domain-wide lists of user names).
The service account credentials, used to authorize your application, are created using the Google Developer Console and then are downloaded as a JSON or p12 file that is used to authenticate your Python client, as shown in this example.
That said, you still can do some actions with that access token which is why the auth flow you're seeing is doing this. Service credentials are how you should be authorizing for domains-related management features which may explain the behavior you're seeing.
I'm using the Google AppEngine 1.3.4 SDK which offers to allow your application to act as a OAuth service provider (http://code.google.com/appengine/docs/python/oauth/). Setting up a standard application on my localhost and using the following:
Request URL /_ah/OAuthGetRequestToken
Authorize URL /_ah/OAuthAuthorizeToken
Access Token URL /_ah/OAuthGetAccessToken
The client application just gets sent to a page requesting to grant OAuth access even though no user is logged in. Clicking 'Grant access' results in a message saying 'OAuth access granted' with no tokens or anything exchange. Can't see how this could work when it's not even prompting for a login.
As this functionality is quite new I can't find much out there. I've created a OAuth provider before in Rails and know that you need a Consumer Key and Secret, something that seems to be lacking in GAE?
Any ideas on how to get OAuth working in a sample GAE project are most welcome.
I would hazard a guess that the SDK implementation simply grants access regardless. It's also possible you still have a dev_appserver login cookie. Either way, try it in production - it'll almost certainly request login in that case.