I'm using GAE remote api to access the data store of my app. The authentication to GAE is made using remote_api_stub.ConfigureRemoteApi with an authentication function that returns a user name and a password.
Is there a way for authenticating using an access_token, for example OAuth or OAuth 2.0?
There is a solution for Google accounts configured to use 2-Step Verification.
At the moment, you are probably seeing a “BadAuthentication InvalidSecondFactor" error thrown, as you are not able to properly login from the shell.
In order to solve this, you will need an App Password that authorizes the app to access your account resources. Follow the tutorial and use the generated password and the username of an admin of the target App Engine app as the credentials for Remote API.
UPDATE:
Additionally, you can take a look at the remote_api_stub.py file from the AppEngine SDK. You'll find a family of methods called _ConfigureRemoteApiWith* (note the leading underscore), such as:
_ConfigureRemoteApiWithKeyFile
_ConfigureRemoteApiWithComputeEngineCredential
_ConfigureRemoteApiWithOAuthCredentials
Methods themselves are well documented, please take a look at their docstrings. They'll let you authenticate with safer methods than usual ASP provided by remote_api_stub.ConfigureRemoteApi().
You can't use OAuth2 to connect to your app with remote_api_stub/shell. This option is not provided.
Related
I am creating a web app for my company.I don't want to add a new sign up process and store the creds for our employees. We already use openshift and every one having openshift creds can login into our openshift cluster. I want to re use that creds to login into my web app.
I came to knew that openshift supports oauth 2.0 and but most of the methods available in internet is using other identity providers like google as auth in openshift. No one guides in using openshift as identity provider in a web app. Any leads will be appreciated.
Based on what I'm seeing in OpenShift 4.1's documentation on Configuring the internal OAuth Server it looks like it may be possible to use the /oauth/authorize endpoint of the control-plane api.
The OpenShift Container Platform master includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.
When a person requests a new OAuth token, the OAuth server uses the configured identity provider to determine the identity of the person making the request.
It then determines what user that identity maps to, creates an access token for that user, and returns the token for use.
The intention of this endpoint is to grant OAuth tokens specifically for use with the OpenShift cluster, not for third party applications.
Even if it ends up being possible, you'll still probably want to use the OAuth/OIDC mechanisms directly in the upstream authentication provider OpenShift is using if possible as that will provide better support and be more intuitive from an application architecture standpoint.
You can use the openshift user api to access the identity of the user which requested an access token.
The api to call is <api_root>/apis/user.openshift.io/v1/users/~ with a Authorization: Bearer <token> header.
This will give you the k8s user object containing the username and groups of the user.
You can also do this from within an openshift pod using https://kubernetes.default.svc as api_root, this requires you to add the ca in the pod to setup a secure connection.
The ca is mounted in any pod at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
You can use the oauth mechanism provided by openshift to retrieve an access token using code grant.
The documentation for the openshift oauth internals is sketchy at best, I found it helpful to find the correct urls and parameters in the dex openshift connector source code: here and here
I want to get the list of all the users for the domain on a GAE app (using python). When I hit this URL https://apps-apis.google.com/a/feeds/domain/user/2.0 . I get an authorization error. How can I authenticate for this GET hit.
You'll need to use the Provisioning API, and you'll need to authenticate via OAuth first
To expand on the answer from Chris, prepare for a bit of pain around authentication. You have four options for read-only access, and one if you need read/write:
Marketplace authorization: if your app is on the Google Marketplace and a domain admin added you to the domain, you can use your app's Google Marketplace keys to access the provisioning API in read-only mode.
Domain OAuth: if you can get the domain admin to make a configuration change for you, your app can use the domain-wide OAuth keys for read-only access.
3-legged OAuth: if you are dealing with a superadmin user, you can request that they grant you temporary right to access the API in read-only mode.
Programmatic Login: lastly, you can ask them to give you an admin account username and password to login into the provisioning API. This is the only mechanism that will give you the ability to change anything.
I have a Python App Engine application where a user can log in using foursquare, then they must log in using Hunch. This all works fine but now I am trying to allow the user to authenticate on the android device. I don't want the user to have to log in to both 4sq & hunch on the phone so I want them to be able to authenticate with my backend and from there this would log on on their behalf. Is there anywhere where I could find tutorials on something like this? Should I create a custom authentication on my app or allow the user to sign on using their Google Account?
If they've already authenticated with your app, and set up oauth tokens with foursquare and Hunch, you can use this pattern to authenticate with your app.
There's no way to authenticate 'on their behalf' with your app short of asking the user for their credentials. If there were, any app would be able to impersonate you to any service you use.
I'm using the Google AppEngine 1.3.4 SDK which offers to allow your application to act as a OAuth service provider (http://code.google.com/appengine/docs/python/oauth/). Setting up a standard application on my localhost and using the following:
Request URL /_ah/OAuthGetRequestToken
Authorize URL /_ah/OAuthAuthorizeToken
Access Token URL /_ah/OAuthGetAccessToken
The client application just gets sent to a page requesting to grant OAuth access even though no user is logged in. Clicking 'Grant access' results in a message saying 'OAuth access granted' with no tokens or anything exchange. Can't see how this could work when it's not even prompting for a login.
As this functionality is quite new I can't find much out there. I've created a OAuth provider before in Rails and know that you need a Consumer Key and Secret, something that seems to be lacking in GAE?
Any ideas on how to get OAuth working in a sample GAE project are most welcome.
I would hazard a guess that the SDK implementation simply grants access regardless. It's also possible you still have a dev_appserver login cookie. Either way, try it in production - it'll almost certainly request login in that case.
I'm currently building a Python webapp on the Google App Engine and I want to expose various parts of my application via a JSON API. This API may be used in the form of a mobile client, or (for the purposes of testing) a headless Python script.
I need to be able to authenticate users before they perform operations on the API. I notice that the Users API does not support simple authentication [in the form of authenticate(username, password)] so merely sending the username/password to a URL and then later using some given token would not work.
Ultimately, I would like the application to use Facebook Connect in addition to its own logins.
Could somebody please suggest how is the best way to authenticate users in this situation, using a remote JSON API and the Google App Engine?
Cheers
You might want to check out the recently released oauth support. Failing that, you can implement your own authentication, for example by using simple or digest authentication.
Just for the record, I ended up going with the wonderful Tipfy framework in the end.