I worked with firebase connectivity from application and from backend server using admin SDK.
Firebase admin SDK used Service account key to connect to firebase backend.
Here my use case is: i have a python package which will get used by client, here i do not want to use Service account key and admin SDK. I wanted to use API key and if user enters valid username and password of application (assuming user is already signed up) , user will get access to firebase backend. (Obviously as per security rules)
I am not able to find a method to access firebase backend using API key and applications username/Password from python script. If anyone knows it please help me on this.
The Admin SDK that Firebase provides for Python is only meant to be used in trusted environments, and doesn't allow signing in with username/password. All code using the Admin SDK is accessing Firebase using administrative privileges, so it is not suitable for your use-case. Firebase itself doesn't provide a SDK for client-side access using Python. So the only option remaining that Firebase provides is to call the REST API from your code.
There is a third party library called Pyrebase that allows you to sign in users (by wrapping the REST API mentioned above):
# Get a reference to the auth service
auth = firebase.auth()
# Log the user in
user = auth.sign_in_with_email_and_password(email, password)
IF you want to control the backend access with an API key - you can't.
Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules (to control which users can access resources) and App Check (to control which apps can access resources).
as per docs
Related
Currently I have email authenticated users on my firebase account using the new authentication api. Currently I am not using the real time database to store my users I am using the default email and password to authentication store user information. There is no admin sdk for python that allows me to delete users in firebase that aren't in the real time database. My question is how to delete the users that appear in only the authentication part of firebase using the libraries in python so I can manage users on the server side.
User Management outside of the console now supports python, go, and java.
How to delete a user with python:
from firebase_admin import auth
auth.delete_user(uid)
Here's the API:
https://firebase.google.com/docs/auth/admin/manage-users#delete_a_user
Box.com supports different authentication method, OAuth2 and JWT. I'm currently using OAuth2 with develop tokens, which works just fine. The developer tokens expires within an hour so I can't use this in our production.
I'm using the python SDK to upload files to box, and there is no user interaction here at all. It seems like I can't use the OAuth2 authentication method since there is no users uploading (automatic script), am I right?
The JWT authentication method requires an enterprise id, which I can't find. I used this page as reference: https://box-content.readme.io/docs/box-platform
I've logged in as an co-admin in box, but can't find the enterprise id or Custom apps under the APPS menu.
Is there anything I have missed?
You have to use JWT to make server to server api call. you can find your enterprise ID in you Admin Console-->Enterprise Setting--> Account Info-->Enterprise ID.
Is there any way to login via web application or web api to Azure Active Directory (with AD credentials) using my own username and password page which is hosted outside of Azure?
From my investigation it seems there is no programmatic way to send username and password to authenticate users with Azure AD (if you hosted an app outside of Azure)
Not sure if they consider this to be a security hole of some sort (i dont think it is it https is enforced?)
Seems like you can only authenticate users by going through the code grant (which means popping out of our application to sign on to an external site).
Ultimately I want to create a python flask api that can authenticate against Azure AD directly if possible.
I have done this in the past (with other auth systems) with the Oauth grant_type=password to send username and pass, but dont think this is supported in Azure AD (correct me if im wrong?)
I know grant_type=client_credentials is supported, but that seems like its service to service auth, which is not quite what im after
http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If its not possible to have a login page hosted outside of Azure for this, is it even possible to have one inside of Azure, seems like from examples here:
http://msdn.microsoft.com/en-us/library/azure/bc8af4ff-66e7-4d5b-b3d4-c33d2c55d270#BKMK_Browser
There is no custom login page with a password field .. (only open id logins it seems)
The Resource Owner Password Credentials Grant (grant_type=password) flow is supported by Azure Active Directory. However, before using it, consider if it is truly required. As it says in the OAuth 2.0 RFC:
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).
If you have determined that the other supported flows will definitely not work for your scenario, then also be sure to follow the second bit of advice in the RFC:
Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.
(Emphasis added in both cases.)
There's a .NET and ADAL sample on GitHub that uses this flow, and it should be simple enough to implement in Python: https://github.com/AzureADSamples/NativeClient-Headless-DotNet
Edit: You can host your application anywhere you want, it doesn't need to be on Azure. This applies to all flows.
I am trying to use the Google Contacts API to connect to a user's contact information, on my Google apps domain.
Generating an access_token using the gdata api's ContactsService clientlogin function while using the API key for my project works fine, but I would prefer to not store the user's credentials, and from the information I have found that method uses OAuth1.0
So, to use OAuth2.0 I have:
Generated a Service Account in the developer's console for my project
Granted access to the service account for the scope of https://www.google.com/m8/feeds/ in the Google apps domain admin panel
Attempted to generate credentials using SignedJwtAssertionCredentials:
credentials = SignedJwtAssertionCredentials(
service_account_name=service_account_email,
private_key=key_from_p12_file,
scope='https://www.google.com/m8/feeds/',
sub=user_email')
The problem I am running into is that attempting to generate an access token using this method fails. It succeeds in generating the token when I remove the sub parameter, but then that token fails when I try to fetch the user's contacts.
Does anyone know why this might be happening?
I have been reading a lot about this google endpoints and I have trying to something that is not quite easy to guess. After you create a google cloud endpoint server and you deploy it is open to any HTTP request (unauthenticated). In the cloud endpoint documentation (referring to using authentication) you can read about setting OAuth2.0 to authenticate users with google account but there is no documentation about restrict the endpoint service to a specific mobile app (android or ios) and discard all other HTTP requests. So the question is how to authenticate mobile apps (no users) and prevent HTTP request (unauthenticated)? I'am building my server API(enpoints) based on Python.
Thank you.
In order to restrict your Endpoint to a specific application you can use OAuth2. This is because the OAuth2 flow does user authentication and in-turn the OAuth2 flow inherently authenticates the application requesting the OAuth2 access.
These two client samples detail how to enable authenticated calls on the client side. You have to register your apps in the Developer Console at http://cloud.google.com/console/ .
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-android (Starting after the Note in the readme)
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-ios/ (Step 8 in README)
authedGreeting is the authenticated call and you would check the User object in the method's backend project for null. If empty then you can immediately throw an unauthorized exception.
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-java-maven
Specifically, optional Step 2 in the README tells Cloud Endpoints to start looking for OAuth2 tokens in the request. If the Endpoints exposed method has a User parameter. It will populate it with a user instance only if an OAuth2 token was found, was generally valid, and the token was issued to a client ID defined in the API annotation on the service class.
During the setup of your endpoints API, in clientIds list you provide your WEB_CLIENT_ID, ANDROID_CLIENT_ID, and IOS_CLIENT_ID for example. These values tell the Google App Engine that your application will respond to HTTPS requests from web browsers and Android/iOS installed applications.
When your clients first connect your server, they must obtain an OAuth 2.0 token in order to the communication be secure and that is the reason why you use the WEB_CLIENT_ID in your installed client application. This WEB_CLIENT_ID is unique to your Google Cloud app and through it your client becomes capable of obtain an access_token and a renew_token to communicate with your backend server and your server only. This is a cross-client authorization.
So, if you need only the WEB_CLIENT_ID to obtain the access_token and the renew_token, why you need the ANDROID_CLIENT_ID and IOS_CLIENT_ID? For security reasons.
The ANDROID_CLIENT_ID is linked to a RSA signature key through the SHA1 informed at backend setup. Thus your GAE app will grant (access_token, renew_token) only installed apps signed with the same key listed at your application console (and of course in your clientIds list)
Finally Android apps signed with different or not signed will not receive any access_token, being unable to establish the secure communication channel or even communicate with your server.