I'm trying to implement a secure Google Cloud Endpoint in Python for multiple clients (JS / iOS / Android).
I want my users to be able to log in three ways: login form / Google / Facebook.
I read a lot of documentation about that but I didn't really understand how I have to handle the connection flow and session (or something else) to keep my users logged in.
I'm also looking for a way to debug my endpoint by displaying objects like Request, for example.
If someone knows a good tutorial talking about that, it will be very helpful.
Thank you
For request details, add 'HttpServletRequest' (Java) to your API function parameters.
For Google authentication, add 'User' (Java) to your API function parameters and integrate with Google login on the client.
For Twitter integration, use Google App Engine OpenID.
For Facebook/loginForm, it's all on you to develop a custom auth.
On the client side I have Android users I wish to authenticate using Google Identity Toolkit. I'll mainly be using email/password authentication but I'm also looking into federated logins. I'm just not sure how to use the Identity Toolkit on Google Cloud Endpoints. So far the only thing I know for sure is I can't use the get_current_user() method to validate a user.
I came across this user authentication API explorer demonstration on Google's website which uses Identity Toolkit. This is what I want to do, but I don't know how to do it. I couldn't find proper documentation that shows how to authenticate users on Cloud Endpoints using the Google Identity Toolkit API.
A step by step guide would be great!
We could do it with this data:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-audiences: [PROJECT_ID]
x-google-issuer: https://identitytoolkit.google.com/
x-google-jwks_uri: https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
My overall goal is to create a mobile and web app that allows for multiple identity providers (Google, Facebook, email/password) and uses a Google Cloud Endpoint (Python) that performs a user authorization check. I am trying to figure out the best method of doing this.
Is it possible to use the Google Identity Toolkit to perform the user authorization check within the endpoint that I want to secure? I can't seem to figure out how I would go about doing this. As far as I know I would not be able to call endpoints.get_current_user() to validate the user as it will only work with Google+ logins.
I am also open to other suggestions (not using Identity Toolkit).
Any help would be really appreciated.
Thank you
You are correct that you cannot use the endpoints.get_current_user() method to validate an Identity Toolkit user.
To use Identity Toolkit with Cloud Endpoints, you should use the built-in sessions to represent the user.
After Identity Toolkit authentication is complete at the client, you should send the ID token to a "login" endpoint, validate the token, then create a new session that you include on subsequent requests.
I have a website and I need to test it with 250 users. However, I am using google login via OAuth2. The website is hosted on Google App Engine.
I am stuck at this login part. After we log in, we get an access token from Google that is passed to Google APIs via the Authorization: Bearer header. We use the access token in the application to get user details and access other Google apps for that user. I don't know how to get that access token using my external script.
One option is to mock / stub this part of your application out during testing. For instance, you can provide a certain header that tells your application that you're in test mode and, instead of calling the real Google APIs, it calls a mock API instead. If your application is set up for dependency injection this could be trivial; otherwise, it may involve monkey-patching or similar.
Another option is to use an OAuth2 service account and acquire access tokens for a bunch of users in a test Google Apps domain. Your test script can do this and then pass the access tokens just as a client normally would.
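The first option above (a test-mode header that swaps the real Google call for a mock), written out as an added example that is not code from the answerer or from Google. The userinfo lookup is injected into the auth check, and the fake is only selectable when a server-side flag (the assumed LOADTEST_MOCK_GOOGLE environment variable) is on, so a client cannot bypass authentication in production just by sending the header. The header name, the userinfo URL, and the 250 fake test users are assumptions constructed for illustration.

```python
# Added example, not code from the thread. Dependency-injected userinfo lookup with a
# load-test double that is enabled by a server-side flag, never by the request alone.
import json
import os
import urllib.request

GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"  # assumed real endpoint
TEST_MODE_HEADER = "X-Test-Mode"                                         # assumed header name
TEST_MODE_ENV = "LOADTEST_MOCK_GOOGLE"                                   # assumed config flag


def fetch_google_userinfo(access_token):
    """Production lookup: present the bearer token to Google's userinfo endpoint."""
    req = urllib.request.Request(
        GOOGLE_USERINFO_URL, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


# Constructed fixtures for a 250-user load test: token -> the profile Google would return.
FAKE_USERS = {
    "test-token-%d" % i: {"sub": "test-user-%d" % i, "email": "user%d@example.test" % i}
    for i in range(250)
}


def fetch_fake_userinfo(access_token):
    """Test double with the same signature as fetch_google_userinfo."""
    info = FAKE_USERS.get(access_token)
    if info is None:
        raise PermissionError("unknown test token")
    return info


class AuthChecker:
    """Resolves the caller's profile from the Authorization header.

    The real fetcher is injected so tests can replace it; the fake is used only when
    BOTH the deployment flag is on and the client asks for test mode.
    """

    def __init__(self, userinfo_fetcher, test_mode_enabled=False):
        self._real = userinfo_fetcher
        self._test_mode_enabled = test_mode_enabled

    def user_for_request(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise PermissionError("missing bearer token")
        token = auth[len("Bearer "):]
        use_fake = self._test_mode_enabled and headers.get(TEST_MODE_HEADER) == "1"
        fetcher = fetch_fake_userinfo if use_fake else self._real
        return fetcher(token)


def checker_from_env(environ=None):
    """Build the checker for this deployment; production leaves the flag unset."""
    environ = os.environ if environ is None else environ
    return AuthChecker(fetch_google_userinfo,
                       test_mode_enabled=environ.get(TEST_MODE_ENV) == "1")
```

Keep the flag unset in the production App Engine configuration and set it only in the load-test deployment; the header on its own then does nothing, which is the check that matters when a test hook sits next to the real authorization path.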
I am developing an Android application with a GAE backend, for sessions etc.
I want to use Google Cloud Endpoints and develop an API with a custom authentication user model. I don't want to use Google's OAuth. I want to implement a simple email/password user authentication model with a session-based token. I have no experience on GAE whatsoever. I have worked in Python and its frameworks (Django, Flask, etc.).
I have looked for a sample project of this kind for the past week (with no luck).
Can someone please provide me with sample code/resources on how to implement such an endpoint with session management and CSRF protection along with SSL?
PS: If you think Cloud Endpoints is not a good approach for my application (server backend) then please direct me to a source that may aid me in creating my own RESTful API with JSON encoding + CSRF protection and session management.
I have already seen the following but none of them have a detailed solution:
Custom Authentication for Google Cloud Endpoints (instead of OAuth2)
Google App Engine: Endpoints authentication when custom auth or Open ID is used
AppEngine Cloud Endpoints and custom Users service
You're in for a ride. It's not a simple process, but I've managed to do just what you're looking for, albeit in a slightly hackish way.
First, there's a boilerplate project for GAE (in Python) that implements a custom email/pwd login system using webapp2's extras: http://appengine.beecoss.com/
It follows the guidelines for setting up custom authentication detailed in this blog post: http://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
This project will set things up so that your user starts a session upon login. Now, in order to access the user information on this session in your endpoints, you'll follow the instructions in that first StackOverflow link you posted.
The key, after following the previous steps, is to match the session key in your endpoints to the session key in the config file of the boilerplate code. Then you'll be able to get which user made the request and follow through with the endpoint call if they're validated:
    self.get_user_from_cookie()
    if not self.user:
        raise endpoints.UnauthorizedException('Invalid token.')
It is incredibly ridiculous that this is how it works for custom authentication, so if you're used to Django and would like to implement your app that way, DO IT. It was "too late to turn back now" for me, and I despise Google for only documenting authentication schemes that work for Google account holders.
OP, just use Django on GAE and save yourself the frustration. I'm sure there's plenty of quick integration with mobile apps that the Django community can provide.
No one wants to force their app users to have Google accounts in order to log in, Google. Stop it.
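Both the Identity Toolkit answer earlier on this page (send the ID token to a "login" endpoint, validate it, then create a session used on later requests) and the custom-auth answer just above (get the user from the session, otherwise raise endpoints.UnauthorizedException) come down to the same server-side pieces. The following is an added example that is neither answerer's code and not Google's: it checks the ID token claims against the issuer and audience from the OpenAPI snippet on this page, then mints and verifies a signed, expiring session token using only the standard library. It assumes the ID token's signature has already been verified against x-google-jwks_uri by a JWT library, and PROJECT_ID, SESSION_SECRET, UnauthorizedException (a stand-in for endpoints.UnauthorizedException) and the function names are assumptions for illustration.

```python
# Added example, not code from the thread. Claim checks for an Identity Toolkit ID token
# plus an HMAC-signed session token, as a "login" endpoint and a protected endpoint would use.
import base64
import hashlib
import hmac
import json
import secrets
import time

IDENTITY_TOOLKIT_ISSUER = "https://identitytoolkit.google.com/"  # x-google-issuer on this page
PROJECT_ID = "my-gcp-project"           # stand-in for [PROJECT_ID] in x-google-audiences
SESSION_SECRET = secrets.token_bytes(32)  # per-deployment secret; load from config, not source
SESSION_TTL_SECONDS = 3600


class UnauthorizedException(Exception):
    """Stand-in for endpoints.UnauthorizedException (assumption)."""


def check_id_token_claims(claims, project_id=PROJECT_ID, now=None):
    """Validate iss/aud/exp/sub of an ID token whose signature was already verified
    against the JWKS (assumed done by a JWT library). Returns the user id (sub)."""
    now = time.time() if now is None else now
    if claims.get("iss") != IDENTITY_TOOLKIT_ISSUER:
        raise UnauthorizedException("wrong issuer")
    aud = claims.get("aud")
    if not (aud == project_id or (isinstance(aud, list) and project_id in aud)):
        raise UnauthorizedException("token not issued for this project")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise UnauthorizedException("ID token expired")
    if not claims.get("sub"):
        raise UnauthorizedException("missing subject")
    return claims["sub"]


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(user_id, secret=SESSION_SECRET, ttl=SESSION_TTL_SECONDS, now=None):
    """Mint <payload>.<hmac>: the server can verify it without a datastore lookup."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"uid": user_id, "exp": int(now + ttl)}).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify_session_token(token, secret=SESSION_SECRET, now=None):
    """Return the user id for a valid, unexpired token; raise UnauthorizedException otherwise."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged signature must not leak how close it was.
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise UnauthorizedException("bad signature")
        body = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        raise UnauthorizedException("malformed token")
    if not isinstance(body, dict) or body.get("exp", 0) <= now:
        raise UnauthorizedException("session expired")
    return body["uid"]


def login(id_token_claims, now=None):
    """The 'login' endpoint: validate the ID token, then start a session."""
    user_id = check_id_token_claims(id_token_claims, now=now)
    return issue_session_token(user_id, now=now)


def get_user_from_request(headers, now=None):
    """First step of every protected endpoint, analogous to get_user_from_cookie() above."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise UnauthorizedException("Invalid token.")
    return verify_session_token(auth[len("Bearer "):], now=now)
```

The session token carries its own expiry and signature, so a protected endpoint can authenticate a request without consulting a session store; logging a user out early then needs a server-side revocation list keyed on the user id, which is the trade-off of stateless sessions.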
I would like to display on my GAE website the number of daily users of my Android application (tracked with Google Analytics); both are under the same account. I wanted to use the Analytics API for this. I am reading the Hello Analytics API tutorial and it looks like I need OAuth to authorize my app to get the data from Analytics. It looks quite complex; is there any easy way (like getting some token and using it)?
Looks like I need a service account (for server-to-server applications), but I don't understand how to modify the starter application (taken from there) to use it.
Since you only want to access data that you own, using a service account is a good idea.
However, the starter application you linked is for working with normal OAuth2 and it's not the same as the code for a service account.
I haven't done this in Python myself before, but I found an example that should get you started. You will need to change it slightly because the scopes are for Google+ not Google Analytics. create the service in python on GAE
If you have any problems changing it to work with Google Analytics let me know; I should be able to help with that, even if I can't test the Python code myself.
There is a much simpler way to pass authorization: see the App Identity doc. See also a Java example of how to access Analytics data from GAE.
Another useful link is here.