I'm developing an Android application and I've been stuck on this for a few days. OAuth 2.0 + Google accounts is great and all that, but I do not want to tightly couple my application to work only with Google accounts.
How do I implement custom authentication?
This Q&A has a pointer to the Google Identity Platform guide for choosing between the various Google identity solutions: What is the difference between Google Identity Toolkit, Google OAuth and Google+ Sign-In
I'd like to launch a Flask-based web app on Google Cloud Platform's App Engine, which has the ability to call a Cloud Function, written in python. References to do these things independently below:
https://cloud.google.com/appengine/docs/standard/python3/building-app/writing-web-service
https://cloud.google.com/functions/docs/first-python
However, calling a Cloud Function from a (Python) web app hosted on App Engine seems to be under-documented. Could anyone link a resource that has accomplished this?
In this answer, I will list example documents to understand authorization in Google Cloud and how to call Cloud Functions from App Engine. Read these links/documents and understand how everything works and is connected together. Once you understand the basics, authorization in Google Cloud is very easy to implement and secure.
Step 1 - Understand Authorization in Google Cloud
Google Cloud uses OAuth for most services and APIs. Some services still support API Keys. Read this article to get a foundation of Server/Service to Server/Service Authorization:
Using OAuth 2.0 for Server to Server Applications
Key points to understand are Access Tokens and Identity Tokens. Another token type is the Refresh Token which is primarily used to refresh OAuth tokens created from user credentials.
Step 2 - Understand the JWTs used for Authorization
This article is written for IoT devices but the details are the same/similar for all Google Cloud services. This link includes sample code.
Using JSON Web Tokens (JWTs)
Step 3 - Understand Cloud Functions Authorization
Cloud Functions uses OAuth Identity Tokens to authorize requests from other services and users. An OAuth Identity Token is a signed JWT that asserts the identity of the caller. Identity Tokens are signed by a Google owned or managed private key and verified by Google before granting access to the called Cloud Function.
Authenticating Developers, Functions, and End-users
Step 4 - Understand how to call another service from App Engine Standard
Now that you understand how authorization is performed in Google Cloud, you need to understand how to create the token used for authorized calls to your Cloud Function. This article discusses App Identity in Python and how to assert an identity to call Cloud Functions or any Google API/Service from App Engine Standard.
App Identity Python API Overview
I have a python/Flask application, on our intranet, and I want people to authenticate to it using their Azure AD credentials. Pretty much every hit on Google/Bing/etc is about how to use AD to authenticate so you can subsequently use Microsoft APIs, such as Graph or Data Lake, or they are for .NET applications, or they are for stuff running on the Azure cloud.
The closest I've come to what I need is https://github.com/cicorias/python-flask-aad-v2, and the instructions refer to some older version of Azure. It would also be nice if I could specify whether an authenticated user should have access to this app, but I can live without it and simply have a list of allowed IDs in the app's back-end.
This cannot be that hard; I've done this in the past for both GCP and AWS, but I've hit the proverbial brick wall when it came to Azure. While this is not my first overall rodeo, it is my first Azure/AD rodeo, so to speak. I'm sure that part of my problem is that, being an Azure noob, I may not even be using the right search keywords.
Help?
Do not think in terms of the providers but in terms of the authentication standards. Since you have integrated Google Login in your app in the past, you must have used something called OAuth as the auth standard. Azure AD also supports OAuth. You can use a Python package called flask-azure-oauth to integrate it in your Flask app.
You can refer to the code samples below, available in the Microsoft Identity Platform documentation (https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#web-applications)
Sign in users - https://github.com/Azure-Samples/ms-identity-python-flask-tutorial
Sign in users and call Microsoft Graph - https://github.com/Azure-Samples/ms-identity-python-webapp
These links are for Python (Flask). You can get code samples for other languages or scenarios from the Microsoft Identity Platform documentation (https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#web-applications)
On the client side I have Android users I wish to authenticate using Google Identity Toolkit. I'll mainly be using email/password authentication but I'm also looking into federated logins. I'm just not sure how to use the Identity Toolkit on Google Cloud Endpoints. So far the only thing I know for sure is I can't use the get_current_user() method to validate a user.
I came across this user authentication API explorer demonstration on Google's website which uses Identity Toolkit. This is what I want to do, but I don't know how to do it. I couldn't find proper documentation that shows how to authenticate users on Cloud Endpoints using the Google Identity Toolkit API.
A step by step guide would be great!
We could do it with this data:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-audiences: [PROJECT_ID]
x-google-issuer: https://identitytoolkit.google.com/
x-google-jwks_uri: https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
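An added illustration (not code from either answer, nor from Google) of the flow the App Engine answer above describes and of what the x-google-issuer / x-google-audiences / x-google-jwks_uri fields in the Endpoints definition configure: the caller fetches an identity token whose audience is the function URL and sends it as a bearer token; the receiver checks alg, issuer, audience and expiry before looking up the signing key by kid. The metadata-server URL, header and issuer are Google's documented values; the function URL, key id and email used when exercising it are constructed, and the RS256 signature check against the jwks_uri keys is left to a JWT library.

```python
import base64
import json
import time
import urllib.request

# Google's documented metadata-server endpoint; reachable only from inside
# App Engine / GCE. format=full adds the caller's service-account email.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/default/identity?audience={aud}&format=full")
GOOGLE_ISSUER = "https://accounts.google.com"   # iss of metadata-server tokens

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def fetch_identity_token(audience):
    """Caller side (App Engine): identity token whose aud is the function URL."""
    req = urllib.request.Request(METADATA_URL.format(aud=audience),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def call_cloud_function(function_url):
    """Send the token as a bearer token; Cloud Functions verifies it."""
    token = fetch_identity_token(function_url)
    req = urllib.request.Request(function_url,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def check_identity_claims(token, expected_aud, expected_iss, now=None):
    """Receiver side: the claim checks Cloud Functions (and an Endpoints
    security definition via x-google-issuer / x-google-audiences) apply.
    Returns (kid, email); kid selects the RS256 key at the jwks_uri for the
    signature check, which is left to a JWT library and not done here."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if header.get("alg") != "RS256":        # reject alg=none / HS256 tokens
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_aud:   # aud must be this function's URL
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return header.get("kid"), claims.get("email")
```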
All I wanted to do is implement Single Sign-On for users with Google Apps on a custom domain. E.g. startup.com has configured their domain by purchasing Google Apps for Business for their domain. They have Gmail addresses configured at users@startup.com.
I have a django app.
Now in case I want to implement SSO for a custom Google Apps domain, I have a couple of options:
1. Hybrid OpenID + OAuth + SSO
2. Custom OAuth + SSO.
The documentation for 1. is quite ample and they have shown it.
How about going the 2nd way, since I just want to log the users in with their email IDs? I could do it with OAuth as well. How good is it to implement SSO + OAuth together?
Are there any good libraries that help me do it?
This takes care of what you are looking for: https://github.com/simul14/django-googleappsauth
Take a look at django-social-auth; it allows you to use both OpenID and OAuth with Google, which should help with your issue.
App Engine supports federated login, in which arbitrary OpenID providers can be added to the list of parties who can authenticate a user. However, some organizations - notably Facebook - don't support OpenID. How is it possible to combine the OpenID support provided with GAE with mechanisms that can support OAuth or other login mechanisms?
More details (GAE Python assumed)...
My understanding of the way the OpenID mechanism is intended to work is as follows:
I choose Federated Login from my app's configuration options
This allows me to easily add OpenID providers through the create_login_url mechanism
There is some Google session management used to track the authenticated user
I control access to resources using login: required in my app.yaml
The session management will check if the user is authenticated before allowing access to these resources
The issue that I have is that I can't see how this approach fits with Facebook's OAuth - if the resources are access controlled by Google (per app.yaml), where is it possible to insert Facebook authentication?
Notes:
I know that OpenID and OAuth are different - I am only interested in using Facebook for authentication right now
I'm sure there are quite a few different ways to deal with this - I'm just wondering if there is some standard approach/best practice
I've done a little bit of digging on this and my conclusion is that it is not possible to integrate the standard App Engine authentication mechanisms (i.e. those provided 'for free' with App Engine) with Facebook's OAuth. More specifically, the app.yaml login controls can only relate to Google's standard mechanisms and there is no way to extend them to incorporate Facebook OAuth. The reason for this is that Google's standard mechanisms control the sessions and there is no mechanism to add new session controls which are recognized by the app.yaml login controls.
It is, of course, possible to integrate Google Accounts and other login mechanisms with Facebook's OAuth on App Engine, but to do this you need to replicate some of the functionality that Google provide in their standard authentication mechanisms (session management specifically).
I've put up a more general question comparing the different social authentication options possible with App Engine, as I think it's interesting/useful but slightly out of scope for this question: it's here
You could have a look at the Tipfy framework which has a Facebook authentication extension that would allow your users to use their Facebook login to authenticate.