I'm trying to learn how to set up a web application using the Google App Engine Boilerplate that will restrict access to people logging in via our Google Apps domain.
I've downloaded the GAE Boilerplate, and it runs locally and on appspot. To limit login access, I did the following:
In Administration/Application Settings, I set Authentication Type to Google Apps Domain, and specified our domain name (xyz.com) as the Authentication Domain.
In config/production.py, which I've confirmed via app_name edits is being loaded properly by the server, I set 'enable_federated_login' : False,.
But when I push the app and load it, I see the following puzzling error:
You must enable Federated Login Before for this application.
Google App Engine Control Panel -> Administration -> Application Settings -> Authentication Options
This error is coming from boilerplate/lib/basehandler.py, and it appears I'm getting a NotAllowedError.
Could someone point me at the proper process for setting up this boilerplate to work with Google Apps authentication? Thanks!
Related
I'm using django-allauth plugin to provide Facebook login in my application.
The login works perfectly on my machine (localhost:8000) but it gives me this error when I try to login in the online version, deployed on Elastic Beanstalk (AWS):
Social Network Login Failure
An error occurred while attempting to login via your social network account.
I've tried to debug it to get more information following this instructions: Debugging django-allauth Social Network Login Failure,
but it gives no useful infromation:
{'provider': 'facebook', 'code': 'unknown', 'exception': None}
For the plugin configuration I've followed the guidelines provided by the documentation.
And I think that everything is correctly configured in the FB app settings
(app domain, site url, etc.)
A strange thing is that even though the app is configured to work with the online version (set app domain to my real domain and not localhost) it gives me this error when I try the log in from the online version, but it works correctly when I try it from localhost, without changing the FB app settings.
Been there, use aws cognito for social sign in.
Here are the steps
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html
------------- or -------------------
you can python-social-auth (https://python-social-auth.readthedocs.io/en/latest/), just managed to configure using it. now i can login via facebook and google to my eb app
My (empty) django project deploys just fine, but when I switch to login: required and set the Authentication Type to Google Apps domain I get a 500.
Sadly there doesn't seem to be any debugging info on GAE. Nor can I reproduce the error locally. I checked the domain name I entered twice.
Any lucky guesses?
Ok, found the problem.
Looking into the AppEngine logs it discovered this:
Authentication for the Google Apps domain example.com can only be performed when requests are served from a subdomain of that domain or it has been approved through the Google Apps Control Panel. See https://developers.google.com/appengine/articles/auth
The solution is discribed here: https://developers.google.com/appengine/articles/auth#AppspotDomainAuth
I have used Steps to make wildcard sub-domain to work on Google app engine, Godaddy and amazon route. Its working nicely for application with the authentication type (found in application setting in appengine dashboard) is Google Accounts API.
But, when I change application authentication type as federated account, it stops supporting wildcard sub-domain. Any idea to make it work with federated type application.
As always your help is appreciated.
The issue found out was not related to application authentication type. But, there was problem with app.yaml file.
I have an application that needs to log into a singular Drive account and perform operations on the files automatically using a cron job. Initially, I tried to use the domain administrator login to do this, however I am unable to do any testing with the domain administrator as it seems that you cannot use the test server with a domain administrator account, which makes testing my application a bit impossible!
As such, I started looking at storing arbitray oauth tokens--especially the refresh token--to log into this account automatically after the initial setup. However, all of the APIs and documentation assume that multiple individual users are logging in manually, and I cannot find functionality in the oauth APIs that allow or account for logging into anything but the currently logged in user.
How can I achieve this in a way that I can test my code on a test domain? Can I do it without writing my own oauth library and doing the oauth requests by hand? Or is there a way to get the domain administrator authorization to work on a local test server?
You can load the credentials for a single account into your datastore using the Remote API, which can be enabled in your app.yaml file:
builtins:
- remote_api: on
By executing
remote_api_shell.py -s your_app_id.appspot.com
from the command line you'll have access to a shell which can execute in the environment of your application. Before doing this, make sure you have your application deployed (more on local development below) and make sure the source for google-api-python-client is included by pip-installing it and running enable-app-engine-project /path/to/project to add it to your App Engine project.
Once you are in the remote shell (after executing the remote command above), perform the following:
from oauth2client.appengine import CredentialsModel
from oauth2client.appengine import StorageByKeyName
from oauth2client.client import OAuth2WebServerFlow
from oauth2client.tools import run
KEY_NAME = 'your_choice_here'
CREDENTIALS_PROPERTY_NAME = 'credentials'
SCOPE = 'https://www.googleapis.com/auth/drive'
storage = StorageByKeyName(CredentialsModel, KEY_NAME, CREDENTIALS_PROPERTY_NAME)
flow = OAuth2WebServerFlow(
client_id=YOUR_CLIENT_ID,
client_secret=YOUR_CLIENT_SECRET,
scope=SCOPE)
run(flow, storage)
NOTE: If you have not deployed your application with the google-api-python-client code, this will fail, because your application won't know how to make the same imports you made on your local machine, e.g. from oauth2client.appengine import CredentialsModel.
When run is called, your web browser will open and prompt you to accept the OAuth access for the client you've specified with CLIENT_ID and CLIENT_SECRET and after successfully completing, it will save an instance of CredentialsModel in the datastore of the deployed application your_app_id.appspot.com and it will store it using the KEY_NAME your provided.
After doing this, any caller in your application -- including your cron jobs -- can access those credentials by executing
storage = StorageByKeyName(CredentialsModel, KEY_NAME, CREDENTIALS_PROPERTY_NAME)
credentials = storage.get()
Local Development:
If you'd like to test this locally, you can run your application locally via
dev_appserver.py --port=PORT /path/to/project
and you can execute the same commands using the remote API shell and pointing it at your local application:
remote_api_shell.py -s localhost:PORT
Once here, you can execute the same code you did in the remote api shell and similarly an instance of CredentialsModel will be stored in the datastore of your local development server.
As above, if you don't have the correct google-api-python-client modules included, this will fail.
EDIT: This used to recommend using the Interactive Console at:
http://localhost:PORT/_ah/admin/interactive
but it was discovered that this doesn't work because socket does not work properly in the App Engine local development sandbox.
This article explains how to interact with Google Drive on behalf of users of your domain by having the Domain Administrator delegate domain-wide authority to a Service Account
This other article explains how to interact with a Drive owned by your application using a Service Account.
Note that both methods use a JWT based Service Accounts and which currently need a modified version of the google-api-python-client in order to work on App Engine.
Unlike Google App Engine Service account, JWT based Service Accounts should work with the development server.
I just finished working on a GAE application in python to retrieve flight data and return the result to the calling URL.
I tested it in a browser at it works, but my Java ME application, which is able to retrieve data from other websites turns up nothing from the GAE app which is already hosted on GAE.
I know Google has some authentication issues, but does this apply to GAE apps as well, and what can I do?