I want to enable G Suite Domain-Wide Delegation of Authority for a new service account. I already had enabled it for one service account a few weeks back. While creating the new service account, I no longer see the option to Enable Google Apps Domain-wide Delegation. I am following these steps: https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account.
I can't even see that option for the older service account when I click on Edit for that service account
I was already able to do it for one service account, although I no longer see the option to disable/enable it when I click on Edit
If you don't see the checkbox, it means you don't need to enable it. You can get the client ID from the UI or by looking at the JSON private key you downloaded, and use that to authorize your scopes in the Admin console.
Related
When I make a GCP cloud run instance anyone can to that link. I am using it for an API for my website. I do not want joe blow opening F12 and following the HTTP requests to my API. I use API keys and stuff however I want my link to be protected to only certain IP addresses or at least lock it behind a username and password. How can I do this with cloud run on GCP?
Cloud Run exposes a public URL by default. You can make it public (let allUsers invoke your endpoint) or restricted (only authorized user can invoke)
The problem with the second solution is that only the Google accounts (Workspace or Gmail) can be added and so restrict your user to use that type of credentials.
So, the solution is to make your API public. You can implement security mechanism in it to software control the authN and authZ of your user, but you aren't protected against DDOS attacks.
Therefore, Cloud Armor enters in the game. You have to create a Load Balancer and to put your Cloud Run service as backend of it. Then activate Cloud Armor. You will be able to check the IP source of the requester, but also to protect your service against attacks.
I'm looking to implement Sign In With Google for a web app and for compliance reasons, I need to ensure that the users signup/login to our app with MFA.
However, the users which are clients of our app, are not employees of our company, so I don't have access to their G suite accounts and cannot activate MFA directly on their accounts.
How can I know (or enforce) that a user went through MFA when signing in through Google SSO?
There are no references in above link and client libraries like react-google-login don't mention anything either...
Many thanks!
Joel
if you are using google workspace (gsuite), you can enable MFA as shown in this link:
https://mediatemple.net/community/products/googleapps/204404084/how-do-i-enable-2-step-verification-for-google-workspace
There's currently no way for an OpenID relying party to determine whether MFA was used or not.
If you're using Identity-Aware-Proxy (IAP) instead (or on top) of OIDC, you could configure a credential strength policy, but I'm not sure if IAP is an option for your use case.
I have a desktop application which I want to create a new service account for each user of my application.
Is there any API for creating the service account users on the fly?
Scenario: For each user, I want to give service account, and give this service account the data that this user needs.
The point is that I want to give every user some specific data from Google Cloud, but I want the user to get it directly from Google. I cannot use the user account, because I am not sure he have google account.
You can use the Google Identity and Access Management (IAM) API to programatically create service accounts.
However, creating a service account for each of your application's users is expensive and not scalable. Perhaps your service can have a single service account and then the service can control which of the resources that the user may access.
There is no Google Api that allows you to control projects on Google Developer console. The only thing that comes close is the Google Cloud Resource Manager API which is extremely limited in what it supports. You cant use it to create a service account.
Answer: The only way to create a new service account is to log in and do it though the Google Developers console.
According to the docs, Google Apps domain administrators can grant service accounts domain-wide authority to access user data on behalf of users in the domain. My understating is this gives service account authority to access data for all users inside the domain. Is there a way to restrict which users service account has access to?
For example, an application that uses Google Calendar API to view events from the calendars of specific list of users in a Google Apps domain.
Can google apps administrator authorize application for access to some but not all users?
Thanks
The answer was to publish an app in Google Apps Marketplace. An app can be turned ON for everyone or some specific organization unit. See Turn a Marketplace app on or off for users. Organization Unit is how you can control who in organization has access to your app.
If you're an administrator, yes. You can control who uses any particular Google service from their account. Just turn the service on or off for those people in your Google Admin Console. When users sign in to their account, they see only those services that are turned on for them.
To delegate domain-wide authority to a service account, first enable domain-wide delegation for an existing service account in the Service accounts section of the Developers Console Permissions page or create a new service account with domain-wide delegation enabled. Your application has the authority to make API calls as users in your domain(to impersonate users).
Here's a useful material for Delegating domain-wide authority to the service account:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
Everything I'm reading shows that in order for an application to use onedrive, it has to do the oauth2 thing to get credentials. But what if you're a batch process and don't have a web interface for your users.
Google's API has a special type of account called a service account where once you set it up, you can control access to everything from that one account, no need to interact with users. Does such a thing exist for onedrive?
App-only authentication doesn't require the user be prompted for credentials but it also isn't supported in 100% of scenarios. For example, the APIs need a user principle for creating special folders and resolving a user's personal site. Also, it is only supported for OneDrive for Business, not Consumer. Consumer always requires the user be prompted for initial authentication.
Another option would be to spin up a web service of some sort that handles initial user authentication, ie. a sign up page. With that, you can retrieve a refresh token for offline authentication and store it for the user. Every authentication from then on can be done using the refresh tokens, which doesn't require a user prompt.
I finally found this. It's the same basic idea as google's service account, but I think it's harder to use. But at least the concept is supported.
http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx