I have written thousands of lines of Apps Scripts in an internal enterprise setting, but have been wracking my brain on this without any success for some time. Here's the use case:
App Script #1 is run by users in our organization with Calendar read/write permissions. In order to operate correctly, however, it requires access to certain data that can only be accessed by a separate user with different permissions.
App Script #2 is run as this second user, and serves up an API endpoint via doPost() or doGet() that returns the requested information.
For security reasons it is not possible to grant user #1 the full permissions required for user #2, hence the desire for user #2 to expose an API that provides only a very specific set of information to user #1.
The most intuitive solution would appear to be for user #2 to deploy an Apps Script with the "execute the app as" field set to "me", and the "Who has access to the app" field set to the organization's GSuite domain (for security reasons this must be restricted to within the organization).
However if user #1 then tries to hit that endpoint using UrlFetchApp, the request will fail (I believe with an HTTP 403) since the request does include a session token to prove that the request originates from within the same GSuite organization. Google does not seem to provide a way to generate such a session token; attempting to set an "Authorization" header with the value "Bearer " + ScriptApp.getOAuthToken() does not work.
I have also tried using the Apps Script API to have user #1 execute the script which was deployed by user #2, however the Apps Script API makes it clear that scripts can only be executed in the context of the calling user.
I've also read separately that Google Apps Scripts do not play well with service accounts (https://issuetracker.google.com/issues/36763096).
Hopefully I'm missing something obvious. Any ideas?
Related
I'm unclear about how OAuth2 (or at least google's implementation of it) works for server applications as far as redirect_url is concerned.
I'm trying to achieve three use cases:
Case 1:
A user who has never logged in logs in through my web interface using the well-documented tools found in the google identity management API, which produces a token.
My javascript client sends the resulting token along with username (or anything else needed) to the server.
The server uses the token and additional information to make sure the user is authenticated and has access to some resource that is requested, for instance basic login.
Case 2:
A user has already logged via web page and their token is available as a cookie that has not expired, and the initial page forwards that to the same token checking mechanism as above.
The server uses the token to validate their session.
Case 3:
A user is accessing my server from an app (like Unity or some other compiled Qt application or even on a command line) and is prompted for credentials because no token can/should exist when cookies aren't a thing in this context.
If their credentials are no good, the application says so, and asks for new ones.
If the credentials are good, a token is generated but is probably not used except if the token needs to be refreshed at some time interval, because we assume that re-running the app or command line is effectively a new session.
None one of these cases requires my server to use the redirect_url (except maybe the case of #2 where the token is expired), because:
Case 1, the user would have been unable to pass a token in the first place if they can't log in, and would have been redirected before that.
Case 2, the server accepts the token and doesn't redirect, or rejects the token and only then may redirect them back to the initial state of Case 1, but the server already wants to redirect them because the token is invalid, so I don't need/want the redirect_url from oauth.
Case 3, we are assuming there is no browser and don't care about redirect_url in any case no matter what.
As my code works now, using: https://developers.google.com/identity/protocols/oauth2/web-server there is always this redirect_url field which I don't know what to do with, and when I execute REST commands I'm getting raw html back which includes self-submitting javascript instead of useful headers.
I can see a case for exposing some URL on my server to validate an oauth2 session/token from google during authentication, for instance, but that would be a validation url, not a redirect_url, because the user/server doesn't "go" to that url at that point in the process.
So, I don't know what to do with redirect_url because when I leave it out, things don't seem to work.
There's a lot going on in this question, so I don't really know the type of answer you're looking for. I wrote our code for authenticating our Qt app with Google SSO, and wrote the linked post discussing the problems we faced.
One thing I found confusing in the documentation and provided examples is that when defining an app in the Google console, if your client is a desktop one, there's no field for redirection URLs. Instead, the client specifies it when initiating the authentication flow, and then it's expected to open a transient server that listens for the return connection from the Google side. There's no point declaring it on the Google console because it cannot be validated unless the client app is running at the moment, and even then, it's typically a hardcoded URL like http://127.0.0.1:1234/ as you would expect.
GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.
Good morning I am using internal mulesoft Access Management APIs API Reference. I have successfully setup my postman to get the security token after login, and even executed successfully the /api/users/me. However, regardless of the access provided to the connection/login user, i can't get the full list of users (/api/users), receiving a Not authorized error. Let me explain the context. We are running on a federated platform, so we can't manage the users registration from the console, but need to wait until they login through SSO the first time to grant access to the correspondent business group and role. There is a complain as the users need to send the admin a note letting know of their successful first login, and afterwards wait to receive the access to the business group. After they login for the first time, their profiles are created in the root org. You can see them only when you are in the master organization. However, you can't get their new user id when you request a list of users of this master organization (/api/organizations/{orgId}/users). We are looking to execute this /api/users in a batch app that runs periodically and do a cross verification to get the users not associated to any orgid or role. This way we can avoid the requirement of the user sending a note to the admin. When I execute the /accounts/api/users, (API Call), we receive a 401 Unauthorized response, despite the token is correct as it is working fine with the others APIs. there is no mention of any other parameter or requirement in the API reference.
Please advise what can be done to solve this authorization error and complete our app. Thank you in advance.
Had the same issue but figured it out.
Instead of calling /api/users, you should be calling
https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members
to get a list of users
For my application I want the user to be able to store files on Google Drive and for my service to have access to these same files created with the application.
I created a Client ID for web application and was able to upload/list/download files from JavaScript (client side) with drive.appfolder scope. This is good, this is half of what I want to do.
Now I want to access the same files from Node.js (server side). I am lost as to how to do this. Do I create a new Client ID for the server? (if so, how will the user authenticate?) Do I pass the AuthToken my user got client-side and try to use that on the server? I don't think this will work as the AuthToke is time-sensitive (and probably not intended to be used from multiple IPs).
Any direction or example server-side code will be helpful. Again, all I want is to access these same files the user created with my application, not any other files in the user's Google Drive.
CLARIFICATION: I think my question boils down to: "Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Do I create a new Client ID for the server?
Up to you. You don't need to, but you can. See below.
if so, how will the user authenticate?
Up to you. OAuth is about authorisation, not authentication.
Just in case you meant authorisation, the user authorises the Project, which may contain multiple client IDs.
Do I pass the AuthToken my user got client-side and try to use that on the server?
You can do, but not a good idea for the reason you state. The preferred approach is to have a separate server Client ID, and use that to request offline access, which returns (eventually) a Refresh Token, which you store in your server. You then use that Refresh Token to request Access Tokens whenever you need them.
AuthToken is ... (and probably not intended to be used from multiple IPs).
It is not bound to a specific IP address
Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Yes
Most of what you need is at https://developers.google.com/accounts/docs/OAuth2WebServer
I've been reading lots of documentation about Google API access and OAuth flow using it but I don't seem to get it working in my mind, so I want to get some help first in order to have a clear idea about how it works then I can code it using the corresponding API.
What I want to achieve is feed a Java application running in a PC with specific Google user data, like localization through Google Latitude API. In order to get this, OAuth must be used, so I need getting the user consent, then access the user data from the application running in my computer, and I don't know how to manage this.
I've already registered my application with the Google APIs Console and enabled the Google Latitude module. I've also tried the Latitude console application here and it works properly (a browser tab opened asking for a Google user; I entered it and I got the location data), but I'm having problems when trying to adapt the program flow to my needs.
In my application, the 'remote' user is supposed to send a request (a custom JSON message) to the server asking for service enable/disable, like allowing the server to track his/her position through Latitude. Then, AFAIK, the server should send to the user a URL so the user can give the consent, but I don't know how to get this URL and how the server realizes about this consent and gets the token (automatically? Google tracks this authorization process?). Once my server gets the specific user token, then I should be ready to get service data for that user using the received token.
As I said before, I've tried according to different references, but as the documentation seems to be really scattered and much of it is already deprecated, I've been unable to get it working.
Judging from your description, the installed app OAuth2 flow seems to be the right one for you.
At some point, presumably when a user is installing your desktop app, you should fire up a browser - either embedded one in your app or the default browser - and sent them to this Google OAuth2 endpoint. In your request, fill out all the parameters as required by the doc: Latitude API scope, client_id, etc. Google, as an authorization server, will take care of user authentication, session selection, and user consent. If the user grants access to her data to your API, you will receive an authorization code either in the title of the browser window or at a localhost port.
Once you have the code, you can exchange it for an access token and a refresh token. The access token is what you need to call the API and access the user's data. It is short lived though - check the expired_in parameter in the response, I believe it is 3600 sec. - so you will need to periodically ping the token endpoint with your long lived refresh token and exchange it for an access token.
You can find a more thoroough description of this flow in the doc linked above.