Box.com supports different authentication method, OAuth2 and JWT. I'm currently using OAuth2 with develop tokens, which works just fine. The developer tokens expires within an hour so I can't use this in our production.
I'm using the python SDK to upload files to box, and there is no user interaction here at all. It seems like I can't use the OAuth2 authentication method since there is no users uploading (automatic script), am I right?
The JWT authentication method requires an enterprise id, which I can't find. I used this page as reference: https://box-content.readme.io/docs/box-platform
I've logged in as an co-admin in box, but can't find the enterprise id or Custom apps under the APPS menu.
Is there anything I have missed?
You have to use JWT to make server to server api call. you can find your enterprise ID in you Admin Console-->Enterprise Setting--> Account Info-->Enterprise ID.
Related
I worked with firebase connectivity from application and from backend server using admin SDK.
Firebase admin SDK used Service account key to connect to firebase backend.
Here my use case is: i have a python package which will get used by client, here i do not want to use Service account key and admin SDK. I wanted to use API key and if user enters valid username and password of application (assuming user is already signed up) , user will get access to firebase backend. (Obviously as per security rules)
I am not able to find a method to access firebase backend using API key and applications username/Password from python script. If anyone knows it please help me on this.
The Admin SDK that Firebase provides for Python is only meant to be used in trusted environments, and doesn't allow signing in with username/password. All code using the Admin SDK is accessing Firebase using administrative privileges, so it is not suitable for your use-case. Firebase itself doesn't provide a SDK for client-side access using Python. So the only option remaining that Firebase provides is to call the REST API from your code.
There is a third party library called Pyrebase that allows you to sign in users (by wrapping the REST API mentioned above):
# Get a reference to the auth service
auth = firebase.auth()
# Log the user in
user = auth.sign_in_with_email_and_password(email, password)
IF you want to control the backend access with an API key - you can't.
Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules (to control which users can access resources) and App Check (to control which apps can access resources).
as per docs
We have
An existing Django backend with Python social auth for signing in with Google, providing web-based application and an API for the mobile app.
An iOS mobile app with GoogleSignIn pod.
Now we would like to allow mobile app users to sign in with Google inside the app, and then authenticate them on the backend, so that they can access their personal data via the app.
So my idea of the algorithm is:
App uses the GoogleSignIn and finally receives access_token.
App sends this access_token to the Backend.
Backend verifies this access_token, fetches/creates the user, returns some sessionid to the App.
App uses this sessionid for further requests.
The problem is with the third step: token verification. I found two ways of verifying:
1. Python social auth flow
As described in the docs:
token = request.GET.get('access_token')
user = request.backend.do_auth(token)
if user:
login(request, user)
return 'OK'
else:
return 'ERROR'
This would be a preferred flow, since it already has all the required steps and is working perfectly with the web app (like, accounts creation, defaults for newly created users, analytics collection, etc.).
But the problem is that the backend and the app use different CLIENT_IDs for the auth. This is due to the limitations in the Google Developers Console: when creating credentials, you need to select whether it will be a web app or an iOS app, and it cannot be both.
I tried to use different client ids (then backend cannot verify), tried to use web id inside the app (then the pod does not work), and tried to use app id inside the web (then the backend cannot verify again).
2. Google API Client Library
Another option is to utilize the way from the Google Sign-In for iOS documentation:
from google.oauth2 import id_token
from google.auth.transport import requests
try:
idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID)
userid = idinfo['sub']
except ValueError:
# Invalid token
pass
It worked, but here we're missing all the pipeline provided by social auth (e.g. we need to create a user somehow), and I could not find a proper way of starting the pipeline from the middle, and I'm afraid it would be quite fragile and bug-prone code.
Another problem with this solution is that in reality we also have Signed in with Apple and Sign in with Facebook, and this solution will demand ad-hoc coding for each of these backends, which also bring more mess and unreliability.
3. Webview
Third option would be not to use SDKs in the Swift and just use a web view with the web application, as in the browser.
This solves the problem with the pipeline and client ids.
But it doesn't look native, and some users may suspect phishing attempts (how does it differ from a malicious app trying to steal Google identity by crafting the same-looking form?). Also, I'm not sure it will play nicely with the accounts configured on the device. And it also will require us to open a browser even for signing in with Apple, which looks somewhat awkward. And we're not sure such an app will pass the review.
But, maybe, these all are minor concerns?
⁂
So, what do you think? Is there a fourth option? Or maybe improvements to the options above? How is it solved in your app?
Is it possible to control access to a request handler entirely or some parts therein based on what GSuite for Education/Business group a user belongs to?
It is possible to have code check the GSuite group membership using the Directory API from the Google Apps Admin SDK. You'd probably be interested in one of:
retrieve all groups for a member
retrieve a group's member (if just one or a few groups are to be checked).
You'll need to
Enable the API access in the G Suite Admin console:
G Suite administrators have access to the Admin SDK–a collection
of Application Programming Interfaces (APIs). With these APIs, you can
build customized administrative tools for your G Suite products.
Before you can use the Admin SDK, you need to enable API access in the
Google Admin console.
You must be signed in as a super administrator for this task.
Enable API access
To verify that API access is enabled:
Sign in to your Google Admin console.
Sign in using an administrator account, not your current account some_user#gmail.com.
From the Admin console dashboard, go to Security > API reference.
To see Security on the dashboard, you might have to click More controls at the bottom.
Make sure the Enable API access box is checked.
At the bottom, click Save.
enable the Admin SDK API from the Google Apps APIs group in for your GAE app's API Manager page
install the Google API Client Library in your GAE app (if not already done)
address authentication, posibly using your GAE app's service account. See Google API Client Libraries Authentication Overview. And maybe related App Engine OAuth2.0 authorized cron job to analyze Google Sheet.
(if you want to) restrict app access to only your GSuite domain, see Restrict App Engine access to G Suite accounts on custom domain
code your access control logic using the directory api to obtain group membership info
I have activated the Google Gmail API within my account and recieved the api key. If i want to access other#gmail.com, do i need to set up the app from that email? Or can i access it from my application using api keys created from the developer console within myemail#gmail.com?
My app is written in python if that matters. Will be running off a CentOS server
Based on your description, I assume API key means you are referring to public API keys.
API keys do not grant access to any account information, and are not used for authorization. If you want to access other users information(like gmail,calendar(which are not public) etc) then you have to go with OAUTH 2.0.
When you use OAuth 2.0 for authentication, your users are authenticated after they agree to terms presented to them on a user consent screen. Here is the link for gmail OAUTH 2.0
Let me know if you have any questions.
I have a website and I need to test it with 250 users. However, I am using google login via OAuth2. The website is hosted on Google App Engine.
I am stuck at this login part. After we log in we get and access token from Google that is passed to Google APIs via the Authorization: Bearer header. We use the access token in the application to get user details and access other google apps for that user. I don't know how to get that access token using my external script.
One option is to mock / stub this part of your application out during testing. For instance, you can provide a certain header that tells your application that you're in test mode and instead of calling the real google APIs, it calls a mock API instead. If your application is setup for dependency injection this could be trivial, otherwise, it may involve monkey-patching or similar.
Another option is to use an OAuth2 Service Account and acquire access tokens for a bunch of users in a test Google Apps domain. Your test script can do this and then just pass the access tokens just as a client normally would.