The documentation google + domains api to create a post using the 'service' object, obtained here by this method. But in my project to authenticate via google and other sites I use the python social auth
and after authorization I have a ready access token.
The problem lies in the fact that I need a service object to work with api, but I can not figure out how to get it already having access token. Please help me and sorry for my english.
For the domains API, you typically will implement using a service account authorization flow - which is not retrieved in the same way as a user OAuth flow. This is because service accounts can be authorized for services that users typically should not be authorized for (e.g. retrieving domain-wide lists of user names).
The service account credentials, used to authorize your application, are created using the Google Developer Console and then are downloaded as a JSON or p12 file that is used to authenticate your Python client, as shown in this example.
That said, you still can do some actions with that access token which is why the auth flow you're seeing is doing this. Service credentials are how you should be authorizing for domains-related management features which may explain the behavior you're seeing.
Related
I don't know why I can't find confirmation in the docs, maybe I am not navigating them correctly, although MSAL seems to have options to fit it into any application. This is my first time integrating a SAML sso procedure into any of my web-apps. I am just looking for some clarity on the correct, and secure way to verify the person attempting to login, is actually logged in with the IDP.
I am confused at the part after confirmation of login is given to my redirect API, I currently have it all happening on the front-end, then submitting the response to my back-end. Which is a RESTful API built with Django, and postgres database. At this point, I am thinking I need to verify my accessToken for authenticity, but I am unsure if I should be creating another PublicClient instance in python, and then sending the same commands to the IDP.
To guess at this point, I'm thinking this is wrong, as I need to verify the token, rather than get another Access and Refresh token. I'm thinking I just need to verify there is a session open with the IDP, and that the Access Token matches. Can anyone shed some light on this, possibly provide even just some direction.
The client Python Django Web App uses the Microsoft Authentication Library (MSAL) to sign-in and obtain an Access Token from Azure AD.
The access token is used as a bearer token to authorize the user to call the Python Flask Web API protected by Azure AD.
The Python Flask Web API then receives a token for Azure Resource Management API using the On-Behalf-Of flow.
To learn more about handing access token validation at the API layer, look into this sample walkthrough: https://github.com/Azure-Samples/ms-identity-python-on-behalf-of#about-the-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
I am building a Python web API where I want to use Azure AD as authentication backend. On certain scenarios the clients needs to authenticate through the API to authorize to certain endpoints. The client itself is not able to authenticate to AD directly, so it needs to do it through the API using raw credentials (username, password). The API will then authenticate the user and receive the AD token and give it to the user.
So in short I am looking for a way to programmatically authenticate a user using username/password and receive the token using Python.
You can find the different authentication flows relevant for an application type and topology in this Azure AD article. The article links to the protocol overview for the authentication flows if you choose to implement.
There is also the ADAL Python auth library for Azure AD which you can use to do these flows.
Based on your scenario, you have a few options. If your client app can authenticate directly with Azure AD, you can take a look at the client credentials flow sample. If your application needs a user to authenticate and can have the user authenticate interactively, you can check out this auth code flow sample. Finally, if you must use the user's credentials to authenticate programmatically(without user interaction) in the app, you can refer to the resource owner password flow, but this is not encouraged as mentioned in the other answer.
What you are describing is the OAuth 2 Resource Owner Password Credentials Grant flow.
Note: using this one is in general a really bad idea and some other flow should be considered instead.
What you are doing here, is sending POST request containing user credentials in clear text directly to the authentication endpoint. Thus bypassing all possible added security that might be put in place.
Also, it will not work when
MFA is enabled for the user
User is federated or a MS account
This flow has no way to handle expired passwords
Consider some other authorization flow if possible, you got e.g.
Authorization code flow
Implicit grant flow
Client credentials flow
Device authentication flow
See this link to help you select which flow to use.
I have an Google Analytics Account that I want to automate some custom reports from, but I have some problems understanding what kind of Credentials I need. Most of the tutorials I have seen says I need to use OAuth client ID but the google developers console site says I need a Servide Account key.
What is the difference between the two? Using another Analytics Account I tried to setup a OAuth connection, and it worked, but I now got unsure about what kind of key I should use.
What I want to do is to just have a Python script set up to run at some times, and then to get the data I want to query for. The data is just the same as the one I can get from logging into the Google Analytics UI, so there is no need for any users to consent to giving me access to any personal data or what ever else the Consent form should be used for.
Can someone explain what the difference is between the two Credentials and what one would be the correct one to use for my project?
Both Service accounts and OAuth2 are used to access private user data. Private data is data that is accessible only by logging in. My posts on Google+ are public anyone can see them. The information in my Google Analytics is private owned by me only I can see it and those I grant access to it.
With Oauth2 access is granted at run time. The first time an application is run the user will be asked if your application can access their data. If the user accepts and grants your application access you will be given a refresh token. This refresh token can be then used to get an access token which is used to access the private user data. Access tokens are only good for about an hour. After the hour is up you use the refresh token to get access again. That's why I say access is granted at runtime. You only have to ask the user for access once to get the refresh token though.
Service accounts on the other hand are pre authenticated. Service accounts are like dummy users they have their own google drive account and google calendar account. Because if this it is possible to shire data with them like you would any other user. You take the service account email address and add it as a user under the admin section of google analytics at the ACCOUNT level it must be the ACCOUNT level. Then using the service account in your code, you will be able to access the data for that Google Analytics account without requesting authentication from a user the first time.
Service accounts are most often used by developers to grant others access to the data owned by the developer. Oauth2 on the other hand would be used to access data of your customers for whos accounts you the developer does not personally have access to.
Technically speaking you can use either for your project as long as you store the refresh token you could technically use Oauth2 for your project. However I would not recommend it refresh tokens can expire under certain circumstances, which I will not go into.
I would recommend using a service account in your case it will be much easer for you to administrate as you will only need to set it up once.
My tutorials on the subject:
Google Developer console service account
Google Developer Console Oauth2 credentials
I want to get the list of all the users for the domain on a GAE app (using python). When I hit this URL https://apps-apis.google.com/a/feeds/domain/user/2.0 . I get an authorization error. How can I authenticate for this GET hit.
You'll need to use the Provisioning API, and you'll need to authenticate via OAuth first
To expand on the answer from Chris, prepare for a bit of pain around authentication. You have four options for read-only access, and one if you need read/write:
Marketplace authorization: if your app is on the Google Marketplace and a domain admin added you to the domain, you can use your app's Google Marketplace keys to access the provisioning API in read-only mode.
Domain OAuth: if you can get the domain admin to make a configuration change for you, your app can use the domain-wide OAuth keys for read-only access.
3-legged OAuth: if you are dealing with a superadmin user, you can request that they grant you temporary right to access the API in read-only mode.
Programmatic Login: lastly, you can ask them to give you an admin account username and password to login into the provisioning API. This is the only mechanism that will give you the ability to change anything.
I'm using the Google AppEngine 1.3.4 SDK which offers to allow your application to act as a OAuth service provider (http://code.google.com/appengine/docs/python/oauth/). Setting up a standard application on my localhost and using the following:
Request URL /_ah/OAuthGetRequestToken
Authorize URL /_ah/OAuthAuthorizeToken
Access Token URL /_ah/OAuthGetAccessToken
The client application just gets sent to a page requesting to grant OAuth access even though no user is logged in. Clicking 'Grant access' results in a message saying 'OAuth access granted' with no tokens or anything exchange. Can't see how this could work when it's not even prompting for a login.
As this functionality is quite new I can't find much out there. I've created a OAuth provider before in Rails and know that you need a Consumer Key and Secret, something that seems to be lacking in GAE?
Any ideas on how to get OAuth working in a sample GAE project are most welcome.
I would hazard a guess that the SDK implementation simply grants access regardless. It's also possible you still have a dev_appserver login cookie. Either way, try it in production - it'll almost certainly request login in that case.