How to add custom claims to Google ID_Token with Google Identity OAuth - google-oauth

I set up a cloud identity IDP for my workspace identity using the below document:
https://developers.google.com/identity/protocols/oauth2/openid-connect
I want to add custom claims. How do I do this, or is this supported?
I was looking at https://cloud.google.com/identity-platform/docs/how-to-configure-custom-claims and realized it is for Google Identity Platform and not Google Cloud Identity.

Related

Google OpenID Connect User Authorization

We have a SPA web application that supports OpenID Connect login from external Identity providers. Our application supports different user types (roles). We want to support Sign in with Google using Google Identity service (https://developers.google.com/identity/protocols/oauth2/openid-connect) but the Access Token seems to be for Google APIs only (we want to protect our own APIs). The ID Token is a JWT we can validate, but there is nothing in the claims we can use for Authorization.
Is it possible to add custom claims to the Google ID token that we can use for Authorization?
From the link above...
This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification, and is OpenID Certified
I guess this means they ONLY support Authentication and not Authorization? Is this true? Or is there some other Google service we need to use to get user roles (Google Cloud IAM, etc.)?
How does Google expect us to Authorize users they Authenticate?
To get control over what the tokens contain, my recommendation is to add a separate identity provider in between your applications and Google. In this way, your applications only need to trust your local provider; it can provide the tokens that you need, and you can add additional user information/claims to the tokens.
Just like this picture tries to show:

How to migrate federation identity from Auth0 to Azure AD B2C?

Federated identities are like signing up with Google, or signing up with Facebook. I want to migrate from Auth0 to Azure, but the problem is I can't find any proper documentation that explains what happens to those users who signed up using their Google or Facebook account.
There is good documentation for username and password users, but there is not anything special for federated identity users.
Does anyone know how to migrate them?
I have the same question for Amazon Cognito and other alternative services
This is not always straightforward, because some IdPs issue a different UUID per Application Registration. If you can re-use the exact same Application Registration at Facebook, for example, with AAD B2C, then this can be fairly easy.
There is an example here:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
All you need to do is pre-create the Local accounts in AAD B2C, and provide the expected UUID from the federated IdP's token to the Local account user object in AAD B2C. AAD B2C can then link the account when the user comes in with that Facebook account.

How to Authenticate users in Azure AD to a custom web app deployed in Google cloud run?

I have experience in integrating AWS cognito with Azure AD (SSO). But I don't know how to implement similar authentication in GCP.
I want to authenticate the users in Azure AD to use the custom web app deployed in Google cloud run.
I see three options in GCP, but I couldn't find any resource on how to implement it.
Google cloud identity
Google cloud identity platform
Firebase Authentication
This custom web app should only authenticate the Azure AD users in our organization.
Google Cloud Identity Platform and Firebase Authentication are effectively the same thing. There are a few additional features in GCIP.
To set up GCIP for Microsoft users, here's a link to the docs.
If you're using Cloud Function for Firebase, you can use a Callable Function to get the authenticated user, then handle your own authorisation.
If you want to use Cloud Run, then you can use the Firebase Admin SDK (even with GCIP) to verify the token and get the user ID (which you can then use to authorise the user via a database or with Custom Claims).

How do I use Google's Identity Platform to authenticate against Cloud Endpoints?

In our organisation we use the Google Kubernetes Engine (GKE) to implement a micro-service architecture. As we are also G-Suite users, everyone in the organisation is guaranteed to have a Google account. In consequence we would like to use those accounts to manage authentication and authorization of micro services.
We have prototyped login using the angularfire2 client to authenticate against the Google Identity Platform. We also have Google Cloud Endpoints configured to control access to relevant services.
The piece we are missing is how to get from the identity in Google to an access token we can use on our services -- the access token coming back using the Firebase API has no claims in it, and the documentation on custom claims seems to make it quite clear that these go into the identity token.
My expectation would be to have JWTs with the appropriate audience (our backend), containing a sufficient set of claims to implement role based access control within the services. Ideally the infrastructure could validate a claim already -- some of our services are small enough to require only one role, which could be enforced outside the service. Or we could annotate our endpoints (Protobuf) with the required claims.
In the GCP environment, what is the standard process of creating access tokens to be used for accessing GKE services? Is there anything that supports this?
The piece we are missing is how to get from the identity in Google to an access token we can use on our services -- the access token coming back using the Firebase API has no claims in it, and the documentation on custom claims seems to make it quite clear that these go into the identity token.
Google OAuth Access Tokens do not have an identity in the sense that you want to use it. Identity is stored in the Identity Token. Add the scope "email" when authenticating the user. Google will return an ID Token. For some frameworks, you can request custom claims for the Identity Token.
In the GCP environment, what is the standard process of creating access tokens to be used for accessing GKE services? Is there anything that supports this?
There are two types of access, excluding methods such as API keys: User Accounts and Service Accounts. Service-to-service typically uses service account Access Tokens (RBAC) or service account Identity Tokens (IBAC). In your case, you want to use Identity Platform, which means User Accounts.
If I was designing this system, I would use User Accounts to authenticate with the system - Firebase is great for this purpose. I would look up what roles this identity supports/allows from my database (Firestore) and create a service account Access Token with the required scopes for GCP services. I would then use this Access Token for GCP service-to-service authorization. If I also required custom roles for my own services, I would create a custom Identity Token with my custom roles and include that as a custom HTTP header and include the Google Access Token in the standard HTTP "authorization: bearer" header. I would use the service account private key to sign my custom Identity Token or use a GCP IAM API to sign for me so that the other end can verify with the service account's public key. This method prevents data leakage at the client, no private keys are distributed, scopes/roles are not disclosed, etc.
I would suggest you follow this doc of authentication between services by using service account files.
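As an added example (not code from any of the posts above, nor from Google), here is a stdlib-only Python sketch of the pattern that both the "put your own identity provider in between" answer and the "custom Identity Token with my custom roles" answer describe: take a Google ID token whose RS256 signature a library such as google-auth has already verified against Google's JWKS, apply the issuer/audience/expiry checks (the audience check accepts one client ID per app registration, which is also why the Cognito post further down says to add all client IDs under Audience), look the user's roles up by the stable `sub`, and mint an app-scoped JWT carrying a `roles` claim that each of your own APIs verifies and enforces. Assumptions: the client IDs, role table, audience, issuer and key are constructed placeholders, and the app token is HS256-signed with a key shared between the token service and the APIs; the answer above proposes a service-account private key (RS256) instead, which changes only the signing and verification step.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer values the Google OpenID Connect doc lists for ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
# Everything below is constructed for this example (hypothetical values).
OUR_GOOGLE_CLIENT_IDS = {  # one entry per app registration (web, Android, iOS ...)
    "web-client-id.apps.googleusercontent.com",
    "android-client-id.apps.googleusercontent.com",
}
OUR_API_AUDIENCE = "https://api.example.com"
APP_TOKEN_ISSUER = "https://auth.example.com"
APP_TOKEN_SECRET = b"replace-with-a-random-256-bit-key"  # HS256 key shared with our APIs
# Roles keyed by Google's stable subject id, never by email (emails can change).
ROLE_TABLE = {"110169484474386276334": ["editor", "viewer"]}


def check_google_identity(payload: dict, now: float) -> dict:
    """Claim checks on a Google ID token whose signature has ALREADY been
    verified (e.g. by google-auth). Returns the fields we rely on or raises."""
    if payload.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("untrusted issuer")
    if payload.get("aud") not in OUR_GOOGLE_CLIENT_IDS:
        raise ValueError("token was minted for a different client")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if not payload.get("sub"):
        raise ValueError("missing subject")
    return {"sub": payload["sub"], "email": payload.get("email"),
            "email_verified": bool(payload.get("email_verified", False))}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_app_token(identity: dict, now: float, ttl: int = 900) -> str:
    """Issue our own short-lived JWT with a roles claim for our API audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": APP_TOKEN_ISSUER, "sub": identity["sub"],
              "aud": OUR_API_AUDIENCE, "iat": int(now), "exp": int(now) + ttl,
              "roles": ROLE_TABLE.get(identity["sub"], [])}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(APP_TOKEN_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_app_token(token: str, now: float) -> dict:
    """What each API does on every request: pin the algorithm, check the
    signature in constant time, then audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(APP_TOKEN_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != OUR_API_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def require_role(claims: dict, role: str) -> bool:
    """Role-based check an endpoint applies after verify_app_token()."""
    return role in claims.get("roles", [])


if __name__ == "__main__":
    now = time.time()
    # Constructed payload of an already signature-verified Google ID token.
    google_payload = {"iss": "https://accounts.google.com", "sub": "110169484474386276334",
                      "aud": "web-client-id.apps.googleusercontent.com",
                      "email": "alice@example.com", "email_verified": True,
                      "exp": now + 3600}
    app_token = mint_app_token(check_google_identity(google_payload, now), now)
    print("editor allowed:", require_role(verify_app_token(app_token, now), "editor"))
```

The app token, not the Google token, is what the browser or mobile app sends to your APIs, so the Google ID token never has to leave the token service and the audience of every token stays narrow: Google's token is for your client ID, yours is for your API.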

Adding google to IAM's Identity Providers OpenID Connect

This was hard to find so I'll add it here in case anyone needs it.
When adding Google sign-in as a Cognito authentication provider for both Android and iOS, I need to use OpenID rather than Google+, but when adding Google as an OpenID provider I couldn't find the provider URL in Google's documentation.
The provider URL is hardcoded to accounts.google.com for any credential you create; add all the client IDs under Audience.
To add google sign in to Cognito for both iOS and Android:
Go to IAM -> Identity providers
Create a provider
Choose OpenID Connect
In the provider url write https://accounts.google.com
In Audience write one of the app's client_id values, which you can get from the credentials console
Go back to Cognito:
Under authentication providers go to OpenID
Select accounts.google.com