GAE Python: Control access based on GSuite group - python

Is it possible to control access to a request handler entirely or some parts therein based on what GSuite for Education/Business group a user belongs to?

It is possible to have code check the GSuite group membership using the Directory API from the Google Apps Admin SDK. You'd probably be interested in one of:
retrieve all groups for a member
retrieve a group's member (if just one or a few groups are to be checked).
You'll need to
Enable the API access in the G Suite Admin console:
G Suite administrators have access to the Admin SDK–a collection
of Application Programming Interfaces (APIs). With these APIs, you can
build customized administrative tools for your G Suite products.
Before you can use the Admin SDK, you need to enable API access in the
Google Admin console.
You must be signed in as a super administrator for this task.
Enable API access
To verify that API access is enabled:
Sign in to your Google Admin console.
Sign in using an administrator account, not your current account some_user#gmail.com.
From the Admin console dashboard, go to Security > API reference.
To see Security on the dashboard, you might have to click More controls at the bottom.
Make sure the Enable API access box is checked.
At the bottom, click Save.
enable the Admin SDK API from the Google Apps APIs group in for your GAE app's API Manager page
install the Google API Client Library in your GAE app (if not already done)
address authentication, posibly using your GAE app's service account. See Google API Client Libraries Authentication Overview. And maybe related App Engine OAuth2.0 authorized cron job to analyze Google Sheet.
(if you want to) restrict app access to only your GSuite domain, see Restrict App Engine access to G Suite accounts on custom domain
code your access control logic using the directory api to obtain group membership info

Related

How do I to give my web project access to my Gmail account?

I am trying to adapt to Google's change in smtp policy on 5.30.22 that prevents 3P apps to have access to gmail account. I want to give my web project hosted on heroku access to be able to login programatically to my gmail account. I checked out some posts including this one, but I'm just not seeing what is expected in my settings.
In that gmail account, I go to Security -> Less secure app access and confirmed it is, in fact, no longer available. I saw nothing else in Security that seemed relevant.
Then, I try Data & Privacy -> Data from apps and services you use -> Apps & Services -> Third-Party Apps With Account Access. Clicking on that takes me to
Apps with access to your account, where I see You haven’t given any apps or services permission to access your Google Account. Learn more (<-- link to https://support.google.com/accounts/answer/3466521?hl=en). That link brings me to Manage your account permissions -> Manage third-party apps & services with access to your account.
I then go to Review what a third party can access. Steps for that are:
Go to the Security section of your Google Account.
Under “Third-party apps with account access,” select Manage third-party access.
Select the app or service you want to review.
...but in step #2, there is no Third-party apps with account access or Manage third-party access link/section in my security page.
How do I add an app I'm working on to that list?
UPDATE - I saw https://support.google.com/accounts/answer/112802?hl=en&ref_topic=7188760, which is "Use your Google Account to sign in to other apps or services". Is this what I need? It says to:
Go to an app or service you trust.
On the sign in page, select Sign in with Google, Log in with Google, or Join with Google.
I go to my app (hosted on heroku), but the "Sign in with Google" option is not there.
Due to the removal of Less secure apps & your Google Account you can not use a users login and password to access googles smtp server.
You have two sevral options.
Switch to using the gmail api and authorize your application using Oauth2 and store a refresh token. Make sure to set your app to prodctuion or the refresh token will expire after seven days.
Use xoauth2 with your request to the smtp server. You will then need to use Oauth2 to authorize the application and store a refresh token. Make sure to set your app to production or the refresh token will expire after seven days.
If you have 2fa enabled on that account then you can create an apps password. Sign in with App Passwords Once you have created this password you can then use it in place of the actual password in your code.

How to enable the POST permission on Twitter Developer App?

In order to post a tweet on Twitter using Python's tweepy, it requires us to enable POST permission(read and write permission) for our app. How to enable that permission on the developer portal for our app?
(note, this answer applies at the time of writing Jan 2022; user interfaces may change)
You have a choice of using OAuth 1.0A or OAuth 2.0. The latter is new and may not yet be supported by all code libraries.
In the developer portal:
select app name in sidebar -> app Settings page
User authentication settings -> Set up button
toggle on OAuth 1.0a
set Read and write App permissions permissions
specific URLs in general auth settings section. If you are not going to build a full sign-in with Twitter flow, you can use e.g. http://localhost here.
Save button
You will now need to select the Keys and tokens tab under the app settings, and Generate Access token and Secret, in order for them to have the new permissions.
You may also use OAuth 2.0 for this, and select the user scopes (permissions) within your code. Check the Twitter documentation for more details.

Microsoft Graph API: Limiting MSAL Python Daemon app to individual user access

I am building a Python Daemon app to download files which are accessible to an individual O365 user via Graph API. I am trying to use ConfidentialClientApplication class in MSAL for authorization.
In my understanding - this expects “Application Permissions” (the API permission in Azure AD) and not “Delegated permissions” for which, admin has to consent Files.Read.All.
So the questions I have are:
Does this mean, my app will have access to all the files in the organization after the admin consent?
How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?
Should I be rather be using a different auth flow where a user consent be also part of the flow: such as on-behalf-of (or) interactive (or) username password?
Thanks!
Does this mean, my app will have access to all the files in the organization after the admin consent?
Yes, it is the downside of application permissions usually.
How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?
I'm pretty sure you can't limit a daemon app's OneDrive access. You can for example limit Exchange access for a daemon app.
Should I be rather be using a different auth flow where a user consent be also part of the flow: such as on-behalf-of (or) interactive (or) username password?
It would certainly allow you to limit the access to a specific user. In general I recommend that you do not use username+password (ROPC); it won't work any way if your account has e.g. MFA. The more secure approach would be that you need to initialize the daemon app once with Authorization Code flow. This gives your app a refresh token that it can then use to get an access token for the user when needed (and a new refresh token). Note it is possible for refresh tokens to expire, in which case the user needs to initialize the app again.
You can limit the Application (Admin approved) permissions to specific resources (at least for some resources - e.g. mailboxes, calendars, SharePoint sites, ...)
Using Application Access Policy
An example for using this to restrict mailbox access to one or more users is:
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access#configure-applicationaccesspolicy
This approach isn't possible to set currently in the MSGraph Application definition. Your admin has to use Powershell to associate an Access Policy to an Application definition.
SharePoint sites restriction
For SharePoint sites, you can use the MS Graph Sites.Selected Application permission to have Admin approved access to specific SharePoint sites.
https://devblogs.microsoft.com/microsoft365dev/updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected/

Authenticate automatically against box.com to get api access

Box.com supports different authentication method, OAuth2 and JWT. I'm currently using OAuth2 with develop tokens, which works just fine. The developer tokens expires within an hour so I can't use this in our production.
I'm using the python SDK to upload files to box, and there is no user interaction here at all. It seems like I can't use the OAuth2 authentication method since there is no users uploading (automatic script), am I right?
The JWT authentication method requires an enterprise id, which I can't find. I used this page as reference: https://box-content.readme.io/docs/box-platform
I've logged in as an co-admin in box, but can't find the enterprise id or Custom apps under the APPS menu.
Is there anything I have missed?
You have to use JWT to make server to server api call. you can find your enterprise ID in you Admin Console-->Enterprise Setting--> Account Info-->Enterprise ID.

How to test a website for performance testing having google oauth login?

I have a website and I need to test it with 250 users. However, I am using google login via OAuth2. The website is hosted on Google App Engine.
I am stuck at this login part. After we log in we get and access token from Google that is passed to Google APIs via the Authorization: Bearer header. We use the access token in the application to get user details and access other google apps for that user. I don't know how to get that access token using my external script.
One option is to mock / stub this part of your application out during testing. For instance, you can provide a certain header that tells your application that you're in test mode and instead of calling the real google APIs, it calls a mock API instead. If your application is setup for dependency injection this could be trivial, otherwise, it may involve monkey-patching or similar.
Another option is to use an OAuth2 Service Account and acquire access tokens for a bunch of users in a test Google Apps domain. Your test script can do this and then just pass the access tokens just as a client normally would.

Categories