Redirect to Google account picker in Appengine - python

In an AppEngine app, if the user tries to log in with the wrong Google account (we check whether he's in the database), we'd like to provide a URL so he can log in with another Google account, without being logged out of the first one (if he has Gmail open, for example).
At the moment, the app requires the authentication, and if you pick the wrong account, you can never go back to the "login" page.
We use the Appengine Users API in python.
Thanks for helping

Related

How do I to give my web project access to my Gmail account?

I am trying to adapt to Google's change in SMTP policy on 5.30.22 that prevents third-party apps from having access to a Gmail account. I want to give my web project hosted on Heroku access so that it can log in programmatically to my Gmail account. I checked out some posts, including this one, but I'm just not seeing what is expected in my settings.
In that gmail account, I go to Security -> Less secure app access and confirmed it is, in fact, no longer available. I saw nothing else in Security that seemed relevant.
Then, I try Data & Privacy -> Data from apps and services you use -> Apps & Services -> Third-Party Apps With Account Access. Clicking on that takes me to
Apps with access to your account, where I see You haven’t given any apps or services permission to access your Google Account. Learn more (<-- link to https://support.google.com/accounts/answer/3466521?hl=en). That link brings me to Manage your account permissions -> Manage third-party apps & services with access to your account.
I then go to Review what a third party can access. Steps for that are:
Go to the Security section of your Google Account.
Under “Third-party apps with account access,” select Manage third-party access.
Select the app or service you want to review.
...but in step #2, there is no Third-party apps with account access or Manage third-party access link/section in my security page.
How do I add an app I'm working on to that list?
UPDATE - I saw https://support.google.com/accounts/answer/112802?hl=en&ref_topic=7188760, which is "Use your Google Account to sign in to other apps or services". Is this what I need? It says to:
Go to an app or service you trust.
On the sign in page, select Sign in with Google, Log in with Google, or Join with Google.
I go to my app (hosted on heroku), but the "Sign in with Google" option is not there.
Due to the removal of Less secure apps & your Google Account, you cannot use a user's login and password to access Google's SMTP server.
You have several options.
Switch to using the Gmail API and authorize your application using OAuth2 and store a refresh token. Make sure to set your app to production or the refresh token will expire after seven days.
Use XOAUTH2 with your request to the SMTP server. You will then need to use OAuth2 to authorize the application and store a refresh token. Make sure to set your app to production or the refresh token will expire after seven days.
If you have 2FA enabled on that account, then you can create an app password (see Sign in with App Passwords). Once you have created this password, you can then use it in place of the actual password in your code.
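The two password-free paths the answer lists, as an added example (not code from the question or the answer above): the SASL XOAUTH2 initial response that goes after `AUTH XOAUTH2` on the SMTP connection, built from the address and an OAuth2 access token, and the app-password variant that simply replaces the account password. The host and port are Gmail's documented SMTP endpoint; the addresses and token values in any call are placeholders you supply.

```python
import base64
import smtplib

SMTP_HOST = "smtp.gmail.com"   # Gmail's SMTP submission endpoint
SMTP_PORT = 587                # STARTTLS port


def build_xoauth2_string(user, access_token):
    """Build the SASL XOAUTH2 initial client response.

    Wire format before base64: "user=<addr>\\x01auth=Bearer <token>\\x01\\x01".
    The returned text is what follows 'AUTH XOAUTH2 ' on the wire.
    """
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_string(encoded):
    """Inverse of build_xoauth2_string; useful when inspecting a capture.

    Returns a dict such as {"user": "...", "auth": "Bearer ..."}.
    """
    raw = base64.b64decode(encoded).decode("utf-8")
    return dict(part.split("=", 1) for part in raw.split("\x01") if part)


def send_with_xoauth2(user, access_token, to_addr, message):
    """Authenticate with XOAUTH2 and send a message (makes a network call).

    The access token must come from an OAuth2 flow that requested the
    https://mail.google.com/ scope; refresh it from the stored refresh
    token before calling this when it has expired.
    """
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as conn:
        conn.ehlo()
        conn.starttls()          # never send the token over plaintext
        conn.ehlo()
        auth_string = build_xoauth2_string(user, access_token)
        # docmd returns (code, message); 235 means authentication succeeded.
        code, resp = conn.docmd("AUTH", "XOAUTH2 " + auth_string)
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, resp)
        conn.sendmail(user, [to_addr], message)


def send_with_app_password(user, app_password, to_addr, message):
    """Same send, using a 16-character app password (2FA accounts only).

    The app password is a full-access credential: keep it in a secret store
    or environment variable, never in source control.
    """
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as conn:
        conn.ehlo()
        conn.starttls()
        conn.ehlo()
        conn.login(user, app_password)
        conn.sendmail(user, [to_addr], message)
```

On a failed XOAUTH2 attempt the server answers with a 334 challenge carrying a base64 JSON error (typically an expired or wrong-scope token); the code above surfaces that as `SMTPAuthenticationError` rather than retrying with the same token.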

Automatic sso login

I want to implement sso for multiple providers in my app.
Currently I am using flask-oauthlib for the authentication. For google authentication sso login works like a charm.
Since I will have multiple sso providers, I was wondering if I could simply have one text field on my landing page, and then redirect the user according to the email domain to the right sso provider while automatically initializing the handshake process.
The question is whether I can automate the SSO login without having the user select their account on Google's Choose an account page, thus saving an additional step?
I hope this makes sense, thank you!
According to the OAuth 2.0 standards, at the time of authorizing it is not possible to tell an SSO provider like Google in advance which user account is going to be used. But this still needs to be checked against Google's particular OAuth2 implementation.
According to the standards, user credentials like user name and password should only be challenged on the SSO provider's (IdP's) page.
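An added example of the domain-based routing the question describes (not code from the question or the answer, and not flask-oauthlib's API): the email typed into the landing page picks a provider, the authorization request carries `state`, a PKCE challenge and OpenID Connect's optional `login_hint` (which Google's endpoint accepts as a hint for the account to pre-select; whether the chooser is skipped is up to the provider), and the callback checks that the identity the provider returns actually belongs to the domain that was routed, so a user cannot start the flow as alice@acme.example and finish it with an unrelated account. Provider entries other than Google's authorization URL, the client ids and the redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PROVIDERS = {
    "google": {
        "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth",
        "client_id": "GOOGLE_CLIENT_ID",       # placeholder
        "scopes": "openid email profile",
    },
    "acme-idp": {                               # hypothetical second IdP
        "authorize_url": "https://idp.acme.example/oauth2/authorize",
        "client_id": "ACME_CLIENT_ID",         # placeholder
        "scopes": "openid email",
    },
}

# Email domain -> provider name; anything unlisted falls back to Google.
DOMAIN_ROUTES = {"acme.example": "acme-idp", "gmail.com": "google"}
REDIRECT_URI = "https://app.example/auth/callback"   # placeholder


def route_email(email):
    """Return (domain, provider_name) for the address typed on the landing page."""
    if "@" not in email:
        raise ValueError("not an email address")
    domain = email.rsplit("@", 1)[1].lower()
    return domain, DOMAIN_ROUTES.get(domain, "google")


def pkce_pair():
    """Generate a PKCE code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_request(email, session):
    """Pick the provider for `email`, record what we expect in the session
    and return the authorization URL to redirect the browser to."""
    domain, provider_name = route_email(email)
    provider = PROVIDERS[provider_name]
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    session.update({
        "oauth_state": state,
        "oauth_verifier": verifier,          # needed for the token exchange
        "oauth_provider": provider_name,
        "oauth_expected_domain": domain,
    })
    params = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": provider["scopes"],
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "login_hint": email,                 # hint only; the IdP decides
    }
    return provider["authorize_url"] + "?" + urlencode(params)


def query_params(url):
    """Flatten the query string of an authorization URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def validate_callback(session, returned_state, claimed_email):
    """Check the callback against what build_authorization_request stored.

    `claimed_email` is the verified email from the provider's ID token or
    userinfo response. Raises PermissionError on a state mismatch or when
    the account belongs to a domain other than the one that was routed.
    """
    expected_state = session.pop("oauth_state", None)   # single use
    if not expected_state or not isinstance(returned_state, str) \
            or not secrets.compare_digest(expected_state, returned_state):
        raise PermissionError("state mismatch (login CSRF or replay)")
    domain, provider_name = route_email(claimed_email)
    if domain != session.get("oauth_expected_domain") \
            or provider_name != session.get("oauth_provider"):
        raise PermissionError("account does not match the routed domain/provider")
    return provider_name
```

The domain check after the callback is the part that matters for security: with several IdPs, the provider a user ends up authenticating at must be the one your app chose for that domain, otherwise a provider that asserts arbitrary email claims could log its users in as accounts of another domain.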

External login with Oauth2

I'm working on a Django application with users through Django's auth; on the other side there is an OAuth 2.0 server that already has all users and their permissions registered. My goal now is to integrate the Django app with the OAuth 2.0 server so we won't have to administer the users ourselves. This would make it so that when the users want to log into our app they are redirected to the OAuth 2.0 login site and then redirected to the home of our app once they log in successfully.
I think I understand how Oauth2.0 works but I have a couple of questions I couldn't find anywhere else.
Is the scenario I'm describing possible? As in the users would no longer have to be registered in our app and a 3rd party Auth server would provide access to our app or not.
Once I get the access token after the user login, where is it safe to keep the access token? I was thinking I could save the AT as a session variable so as to keep the end user's session linked to his account, which is external to our Django app.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
I would suggest using a third-party application, like django-allauth. You can simply disable creating local accounts, and enable a single custom social provider that interacts with your OAuth2.0 authorization server.
As noted here, the process of creating your own custom OAuth provider isn't documented, but shouldn't be too difficult.
Once I get the access token after the user login where is it safe to keep the access token?
Allauth will store the access token in the database. If you want to put it in the session too, you can, but there's no point unless you want the client to make requests to the resource server directly.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
That's fine. If your authorization server has no way to invalidate issued access tokens, though, you can just assume that the access token is good up until the expiration date.
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
Just use the access token normally. If the resource server indicates that it's invalid, prompt the user to log in again. You will get a new access token for that user that reflects their current permissions.
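The per-request check the answer approves of, as an added example (not code from the answer, and not django-allauth's own storage): the token lives only server-side, the browser holds just the session id, the token is treated as expired slightly early, and a 401 from the resource server (the "invalid token" signal the answer describes, which is also how a permission change shows up) drops the token and sends the user back to log in. A plain dict stands in for Django's server-side session; `call_resource` is whatever call the view makes and is passed in so the logic runs offline.

```python
import time

LOGIN_URL = "/login/"      # placeholder for the view that starts the OAuth2 flow
CLOCK_SKEW = 30            # seconds; re-authenticate a little before real expiry


def store_token(session, token_response, now=None):
    """Save an OAuth2 token response in the server-side session.

    Only access_token and an absolute expiry are kept; the session cookie
    that reaches the browser carries the session id, not the token.
    """
    now = time.time() if now is None else now
    session["access_token"] = token_response["access_token"]
    session["expires_at"] = now + int(token_response["expires_in"]) - CLOCK_SKEW


def clear_token(session):
    """Forget the token so the next request has to re-authenticate."""
    session.pop("access_token", None)
    session.pop("expires_at", None)


def token_status(session, now=None):
    """Return 'missing', 'expired' or 'valid' for the token in the session."""
    now = time.time() if now is None else now
    if "access_token" not in session:
        return "missing"
    if now >= session.get("expires_at", 0):
        return "expired"
    return "valid"


def authorize_request(session, call_resource, now=None):
    """Gate one request on the stored access token.

    call_resource(access_token) performs the view's call to the resource
    server and returns its HTTP status code. Returns ("serve", status) when
    the view may render, or ("redirect", LOGIN_URL) when the user must log
    in again; in the latter case the stale token is already cleared.
    """
    if token_status(session, now) != "valid":
        clear_token(session)
        return ("redirect", LOGIN_URL)
    code = call_resource(session["access_token"])
    if code == 401:
        # Revoked, or permissions changed since issuance: the resource
        # server rejected it, so drop it and fetch a fresh one via login.
        clear_token(session)
        return ("redirect", LOGIN_URL)
    return ("serve", code)
```

If the authorization server also issues refresh tokens, the `expired` branch is where a refresh would go instead of a redirect; the 401 branch stays as it is, since a refreshed token for a revoked grant will be rejected too.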

How do I duplicate an appengine app

I want to backup my python app and restore it to a different app on Appengine. In the Application Setting Page, under Duplicate Applications, I add a new application identifier.
When I click the Duplicate Application button, I get this error: "The developer does not own the app id being forked".
Further research indicates that this seems to be a bug, but that a workaround is to send an email invitation to the other email addresses in my Google account to add them.
I am able to send those emails from the Permissions screen by clicking a button and inserting the email address. When I click the link in the email that is sent, it opens My Applications, listing all my apps, instead of a confirmation of my response. It appears to open the wrong page.
In the Permissions page, the email address still shows Pending after about 10 hours.
Is there a simple way to duplicate an application?
Do you have more than one Google account? I have found that App Engine does unexpected things when you are logged into more than one Google account at a time.
I suggest logging into only a single Google account and trying the operations again.
You could create a new application, use Datastore Admin to copy your entities to the new application's Datastore, then re-deploy your application. Is there anything else that needs duplicating?

How do I prompt a user to connect their google account with my app?

I'm wondering how I'm supposed to prompt a user to login/connect to their google account from my app, so that I can then use their email and password to access their docs/drive. I have an application running on my desktop that connects to a google account's drive, and creates a spreadsheet, and later accesses it for information. Currently I have to hardcode the email and password.
I heard about gaema, but it didn't sound like the right thing. Also, I don't know if it makes a difference, but this app is only on my laptop and not running on Google's servers. Although it shouldn't... I think.
P.S. I'm new to google app engine and python, and even stackoverflow, so please don't hate my noob question :)
Asking the users for their usernames and passwords is in no way an acceptable solution, and I'm sure they won't be willing to give them to you. Instead, you need to use some sort of authorization flow, typically OAuth 2.0.
A complete example application using Google Drive from GAE is explained in this article.
So AppEngine makes Google Account-related stuff very easy (surprise surprise :) ). Take a look at the documentation here https://developers.google.com/appengine/docs/python/users/overview. This explains the Users service where you can request that a user log in with their Google credentials. For example (straight from the docs):
    import cgi

    from google.appengine.api import users
    from google.appengine.ext import webapp


    class MyHandler(webapp.RequestHandler):
        def get(self):
            user = users.get_current_user()
            if user:
                # Logged in: greet the user and offer a sign-out link.
                # The nickname is user-controlled text, so escape it before
                # writing it into HTML.
                greeting = ('Welcome, %s! (<a href="%s">sign out</a>)' %
                            (cgi.escape(user.nickname()),
                             users.create_logout_url('/')))
            else:
                # Not logged in: link to the Google login page, which sends
                # the user back to '/' afterwards.
                greeting = ('<a href="%s">Sign in or register</a>.' %
                            users.create_login_url('/'))
            self.response.out.write('<html><body>%s</body></html>' % greeting)
This checks to see if a user is logged in with their Google account and if not presents them with a login URL. The parts that do the 'magic' are users.create_logout_url('/') and users.create_login_url('/') methods. They create a link to a special URL where a user can log in (without you having to do any additional formatting/coding). They are then redirected back to your site ('/' sends them to your main page, but you can change however). Hope this helps!
EDIT:
As @Wooble points out, this will not grant your application access to the user's data; it will simply provide you with some basic information about the user, per what is available through the Users service. In order to allow your app to access Google Drive data, the link provided by @SebastianKreft shows a sample application that does the authentication. Additional general information about using OAuth with Drive can be found here. In short, a user needs to grant permission to your app to allow it to access their data, and it does this via an OAuth token (see the documentation for a much better explanation than I can give).