How does one authenticate to a ProtoRPC service?
It seems like a web services infrastructure, but designed for non-browser clients, so how do we authenticate the service's end user?
Thanks!
First of all, ProtoRPC can be used by browser clients, usually through AJAX requests.
Now for authentication on App Engine, there are a few possibilities:
You can use the built in user authentication app engine provides
You can build an authentication mechanism of your own
For the first one there is the regular Google accounts API, openID and OAuth.
If you have users with google accounts, and you don't need to perform actions on user's behalf (which is what OAuth is for), then you can use the regular google authentication.
This requires the client to have a google cookie. If the user is on browser, he can login to google and then he can access your app. If the user is on a mobile client, then for android there is the AccountManager API which gets you a Google token which the client uses to get an App Engine cookie, as explained here http://blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app
I'm not sure if iOS has something similar to AccountManager. If the OS doesn't have the user's credentials then AFAIK you might have to go through some sort of browser authentication.
Related
I'm currently developing a REST API with DRF for a web application. So I decided to use OAuth2 authentication system. After a little research, I understood that OAuth mostly used for authenticating third-party apps and what I want is simply authenticate the user to my website, not with Facebook or Google accounts. So token authentication seems to be the most secure way to do it and with OAuth is being too confusing and not suitable to me which authentication method should I follow? Is django's built-in TokenAuthentication secure to make a web-app? Should I use OpenId connect?
OAuth2 is a protocol to allow your website to access some API on behalf of the user whose data your trying to access (delegated authorization).
If you just want to know who your user is on your site (authentication), OpenID Connect is a protocol built on top of OAuth2 that gives you that information. It will give you a JWT id_token that has claims about the authenticated user.
Box.com supports different authentication method, OAuth2 and JWT. I'm currently using OAuth2 with develop tokens, which works just fine. The developer tokens expires within an hour so I can't use this in our production.
I'm using the python SDK to upload files to box, and there is no user interaction here at all. It seems like I can't use the OAuth2 authentication method since there is no users uploading (automatic script), am I right?
The JWT authentication method requires an enterprise id, which I can't find. I used this page as reference: https://box-content.readme.io/docs/box-platform
I've logged in as an co-admin in box, but can't find the enterprise id or Custom apps under the APPS menu.
Is there anything I have missed?
You have to use JWT to make server to server api call. you can find your enterprise ID in you Admin Console-->Enterprise Setting--> Account Info-->Enterprise ID.
I have been reading a lot about this google endpoints and I have trying to something that is not quite easy to guess. After you create a google cloud endpoint server and you deploy it is open to any HTTP request (unauthenticated). In the cloud endpoint documentation (referring to using authentication) you can read about setting OAuth2.0 to authenticate users with google account but there is no documentation about restrict the endpoint service to a specific mobile app (android or ios) and discard all other HTTP requests. So the question is how to authenticate mobile apps (no users) and prevent HTTP request (unauthenticated)? I'am building my server API(enpoints) based on Python.
Thank you.
In order to restrict your Endpoint to a specific application you can use OAuth2. This is because the OAuth2 flow does user authentication and in-turn the OAuth2 flow inherently authenticates the application requesting the OAuth2 access.
These two client samples detail how to enable authenticated calls on the client side. You have to register your apps in the Developer Console at http://cloud.google.com/console/ .
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-android (Starting after the Note in the readme)
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-ios/ (Step 8 in README)
authedGreeting is the authenticated call and you would check the User object in the method's backend project for null. If empty then you can immediately throw an unauthorized exception.
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-java-maven
Specifically, optional Step 2 in the README tells Cloud Endpoints to start looking for OAuth2 tokens in the request. If the Endpoints exposed method has a User parameter. It will populate it with a user instance only if an OAuth2 token was found, was generally valid, and the token was issued to a client ID defined in the API annotation on the service class.
During the setup of your endpoints API, in clientIds list you provide your WEB_CLIENT_ID, ANDROID_CLIENT_ID, and IOS_CLIENT_ID for example. These values tell the Google App Engine that your application will respond to HTTPS requests from web browsers and Android/iOS installed applications.
When your clients first connect your server, they must obtain an OAuth 2.0 token in order to the communication be secure and that is the reason why you use the WEB_CLIENT_ID in your installed client application. This WEB_CLIENT_ID is unique to your Google Cloud app and through it your client becomes capable of obtain an access_token and a renew_token to communicate with your backend server and your server only. This is a cross-client authorization.
So, if you need only the WEB_CLIENT_ID to obtain the access_token and the renew_token, why you need the ANDROID_CLIENT_ID and IOS_CLIENT_ID? For security reasons.
The ANDROID_CLIENT_ID is linked to a RSA signature key through the SHA1 informed at backend setup. Thus your GAE app will grant (access_token, renew_token) only installed apps signed with the same key listed at your application console (and of course in your clientIds list)
Finally Android apps signed with different or not signed will not receive any access_token, being unable to establish the secure communication channel or even communicate with your server.
I am trying to access my app engine applications pull queue from a separate python application. Here's what I know:
I need to use oauth to authenticate
I need to use Google's rest api
I need to define a pull queue in my app engine project that has an acl list which specifies which account is granted access to the queue
I'm able to make a request to get a task from the pull queue, but it gives me an error saying Login Required because I haven't authenticated. I have looked through the documentation (rest api doc, pull queue doc), but i can't figure out how to pass in my username and password to authenticate with oauth.
Use the google-api-python-client library.
It has a sample to access the TaskQueue APIs through Oauth2 authentication.
Have you read the OAuth for Python overview for AppEngine? It goes over how to do the OAuth login for App Engine.
I was wondering what is the best way to authenticate a Google Apps user in an internal web application?
I do not need to access their data like the two-legged authorization seam to do.
I just want a user to use an internal application using their Google Apps credential.
You can use Google Apps as an OpenID provider and the hosted accounts for identity by using OpenID API. This is also known as federated login. Your internal application then becomes an OpenID relying party.
You need to first enable OpenID from your Google Apps control panel -
http://www.google.com/a/cpanel/your-domain/SetupIdp
More details here -
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html