My overall goal is to create a mobile and web app that allows for multiple identity providers (google, Facebook, email/password) and uses a google cloud endpoint (python) that preform a user authorization check. I am trying to figure out the best method of doing this.
Is it possible to use the google identity tool kit to preform the user authorization check within the endpoint that I want to secure? I cant seem to figure out how I would go about doing this. As far as I know I would not be able to call the endpoints.get_current_user() to validate the user as it will only work with google+ logins.
I am also open to other suggestions (not using identity tool kit)
Any help would be really appreciated
Thank you
You are correct that you cannot use the endpoints.get_current_user() method to validate an Identity Toolkit user.
To use Identity Toolkit with Cloud Endpoints, you should use the built in sessions to represent the user.
After Identity Toolkit authentication is complete at the client, you should send the ID token to a "login" endpoint, validate the token, then create a new session that you include on subsequent requests.
Related
I am trying to be sure that I understand it correctly:
Is OAuth a bridge for only third party authenticator those so common like Facebook, Google? And using it improves user experience in secure way but not adding extra secure layer to Django login framework? Or only Authorization Code grant type is like that? Can I take it like this?
What is OAuth?
According to RFC 6749:
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf.
Essentially, it is an authorization protocol used to share permissions between multiple applications.
If you decide to implement OAuth, your application will be the one to allow other services to programmatically view your users' data and act on their behalf, if needed.
Whenever an application requires access to another service that you use, it probably uses OAuth to perform those actions. (e.g. When games used to ask us to allow posting on Facebook on our behalf.)
What OAuth is not?
By looking at your question, I feel like there's a misunderstanding of OAuth.
OAuth is not a bridge for third-party authentication methods. If you are looking for this type of authentication mechanism, you should take a look into Single Sign-On (SSO). For Django, you can use django-simple-sso.
Does it enhance security?
Depending on the use case, yes, it can enhance security.
If your application needs to exchange information with other services, it is a good practice to limit what these third-party services are able to do in your app, feature and time-wise.
Let's say, for example, that your user needs to give permission to another application to gather information from yours:
If you were to use the old-fashioned e-mail and password combination method, these credentials would be exposed in case of this third-party service had a data breach.
Using OAuth on the other hand is much more secure, as the credentials stored in the server would not contain the user's password and have very specific roles, apart from being easily revoked.
If you have a Django app I would say that you don't have to implement OAuth - you should be fine with any login functionality Django offers.
OAuth is commonly used when different services talk to each other. These don't have to be third-party services, they can belong to the same party. For example, when you have a Single Page Application or a Mobile App that want to call your backend API to get some data. Then it's better to use OAuth as it is a standard and it helps you to implement authorization in a secure way.
When you think about "login with Google/Facebook", what you actually want is an SSO solution (Single Sign-On). That solution is very often implemented with OpenID Connect (OIDC), which is a protocol built on top of OAuth. Still, you can use just OIDC to log a user in with Google, get an ID Token, and then be able to authenticate the user to your Django app based on the ID Token from Google. You don't need OAuth for that (in the sense, that you don't need to get access tokens from Google, you don't need your own Authorization Server, and you can rely on cookie-based sessions).
I can successfully authenticate with the pattern outlined here:
https://developers.google.com/youtube/v3/docs/videos/list?apix=true
for a simple prototype in Google Colab. However I cannot for the life of me figure out how to authenticate in a Cloud Function as there is no user to complete the flow. I'm sure it's a standard pattern, however I'm more familiar with the GCP APIs and the googleapiclient is a new one for me.
I have set up service account credentials with the right access, but I'm not even sure whether it makes sense to use these in a Cloud Function (maybe stored on GCS), or whether there is (as I hope) a more elegant solution.
Any help would be hugely appreciated, thanks!
Not really familiar with Youtube Data API, however based on the API reference for some details you need to issue a call as a video owner (e.g. processingDetails). This means that you need to use three-legged OAuth2 flow. For that you can either:
Setup another function that will generate an authorization URL ->
present it to the user -> setup another function as redirect_uri to
obtain authorization code -> exchange it for access and refresh
tokens -> store refresh token someplace safe where original function
can fetch it.
Obtain refresh token outside of Cloud Functions and hardcode it.
Hardcoding credentials is generally not a good practice, hence a better option would be to have a service account make requests on behalf of a user, but this is only possible for GSuite users via domain-wide delegation. With this, after setup, you would use sub claim with the email address of the impersonated user. You can see more here (make sure to switch to HTTP/REST to understand how JWT is created or, if you're not interested in details, just select Python.
I am using Python on the Google App Engine. I have gotten sign-in with google to work to generate an OAuth token. Then, I can use that token to access the user's profile from datastore, but I can't seem to find anything on how to sign in with a username and password to generate an OAuth token. Is there a way to do this?
It looks like your question is 'How to I use my own username and password scheme to generate an OAuth token'. The short answer is that you can't, because Google OAuth only works with Google logins. The Google OAuth token is good for Google APIs, and there's no way to tell Google how to recognize your usernames for the purposes of authentication.
The longer answer is that you can use your own authentication scheme separately from Google sign-in if you want to give users that option. You could use any number of third party libraries to do this or roll your own. These users won't have access to Google's APIs that require authentication though (such as the Users API) so you'll have to devise a way to keep those user's data separate from each other, and use a service account or application default credentials to access any external Google APIs on behalf of those users.
This kind of question does seem to pop up sporadically on Stack Overflow which may provide some other suggestions for how to implement this.
On the client side I have Android users I wish to authenticate using Google Identity Toolkit. I'll mainly be using email/password authentication but i'm also looking into federated logins. I'm just not sure how to use the Identity Toolkit on Google cloud endpoints. So far the only thing i know for sure is i can't use get_current_user() method to validate a user.
I came across this user authentication API explorer demonstration on google's website which uses identity toolkit. This is what I want to do, but i don't know how to do it. I couldn't find a proper documentation that shows how to authenticate users on Cloud Endpoints using Google Identity Toolkit API.
A step by step guide would be great!
We could do it with this data:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-audiences: [PROJECT_ID]
x-google-issuer: https://identitytoolkit.google.com/
x-google-jwks_uri: https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
I'm trying to implement a secure google cloud endpoint in python for multi-clients (js / ios / android)
I want my users to be able to log by three ways loginForm / Google / Facebook.
I read a lot of docummentation about that but I didn't realy understood how I have to handle connection flow and session (or something else) to keep my users logged.
I'm also looking for a way to debug my endpoint by displaying objects like Request for exemple.
If someone know a good tutorial talking about that, it will be verry helpfull.
thank you
For request details, add 'HttpServletRequest' (java) to your API function parameter.
For Google authentication, add 'User' (java) to your API function parameter and integrate with Google login on client.
For twitter integration, use Google app-engine OpenID.
For facebook/loginForm, its all on you to develop a custom auth.