I am starting to develop a web service and I want to enable login with google using their oAuth2. However, when I started reading the requirements I see that I need to authorize my domain and use https. I am in the very initial steps and I still don't have the domain setup and no certificate yet.
Is there any way to test google integrated into my site without all this? only for development phase?
Thank you
Related
I’d like to use the Google Cloud App Engine to serve a SPA and a REST API, both secured behind an authentication wall.
Is there any recommended way of doing this?
So far, I’ve found tutorials on how to secure an API, but not an SPA. Both ends are served from different projects, but I’d like to have a unique authentication step.
Typical flow would be:
Before serving the SPA source code, ask for authentication
Once authenticated, serve the SPA and allow the SPA to access the API resources
Thank you!
So far I’ve reviewed the documentation, it doesn't seem like there is any specific recommended way to authenticate an SPA within Google Cloud.
However, I think a pretty secure way would be to authenticate your application using the Toolkit Identity API of Google. The procedure would be to call this API from App Engine as the first necessary requirement.
This method works with Oauth2 access tokens. I think you could request for authentication credentials to your users before launching your application and granting access to the other resources/APIs.
We have tried various things to get the Google Site Verification API to work, including:
How can I authorize with OAuth 2.0 for google's predictive API in Ruby?
By calling: https://developers.google.com/site-verification/v1/webResource/list using the service account we always get an empty response: {}
When trying the same thing via the web console we get all the websites. We have like 30 websites.
I also had a look at this stackoverflow: Unable to access Google Sites via API, but can via Oauth Playground. Why?, without success.
Why is the body empty?
OAuth 2.0 is not an option for us, as we have a server application.
When using the service account, it will only list the sites that are owned by that service account. If you want to get the sites of a specific user, you must impersonate that user.
I haven't implemented it yet, but apparently you must go to http://www.google.com/a/{your-domain}/ManageOauthClients logged as the user that owns the sites and authorize the client ID of the service account you'll use to access the API, with the appropriate scopes.
This video explains it using Google Drive, but the authentication process is the same.
I'm not sure if this is available for Gmail users.
I'm trying to figure out what I need to do in order to achieve seamless SSO sign up.
When an administrator of a domain installs my google app, all of the users on his/her domain, should be able to sign-in through SSO without seeing any confirmation prompts. I'm looking into documentation on how to set this up:
Instead of displaying a confirmation page, your application should
match the value of the openid.realm parameter in the OpenID request
against the value declared in the application's manifest.
Is there an example of this? Also, I think Google stopped using XML manifest files once they switched from OpendID to OAuth 2.0. If so, how does this whitelist process work with OAuth 2.0?
Should I be utilizing Google Admin SDK?
Since google is moving away from OpenId, white listing instructions are obsolete. Found a blog post about Domain-wide delegation with Oauth 2.0. Google recommends the following:
the recommended authorization mechanism is now to use OAuth 2.0 and
service accounts. Google Apps domain administrators can delegate domain-wide authority to the service account’s credentials for a set of APIs. This results in allowing the application, by using the service account’s credentials, to act on behalf of the Google Apps domain’s users.
instructions on how to set up domain wide delegation - https://developers.google.com/drive/web/delegation
you can find detailed step to achieve seamless SSO sign up at the following url
http://david-codes.blogspot.com/2014/07/how-to-provide-seamless-single-sign-on.html
We have several apps Deployed on Google Apps Marketplace using OAuth 1.0 protocol. According expiration OAuth 1.0 in Google Platform we are trying to migrate all the apps to new OAuth version but we are facing some difficulties regarding background request to Google Admin SDK Directory API.
In our apps we need to request for Domain user accounts, groups and other stuff related Email Domain structure. Until OAuth 1.0 we have been doing this with 2-LO (Two-Legge OAuth) so basically once Admin gave us access we can impersonate request for domain using this mechanism.
After reading all Google Documentation about Google API, Oauth Mechanisms and stuff, and after trying some code test hypothesis too, we haven't figured out yet how can we managed the same concept with OAuth 2 because of the following:
Using Web Server Oauth 2 Strategy simply will not work because in that scenario we would be getting a Domain user Access to Admin SDK. If we keep their access/refresh token pair to later querying Admin SDK and the user is deleted because Domain change it Admin we will be disconnected from flow.
I supposed in that case the best choice was Service Account strategy. The problem with this scenario is the user has to manually configure access to the App in their Admin Console according to the Google's document domain-wide delegation authority (https://developers.google.com/+/domains/authentication/delegation#create_the_service_account_and_its_credentials). This is really awkward for us since we were managing all application installation interactively and we don't want to remove User Experience facilities.
Finally, my questions are:
Is there any way to do domain-delegation authority with OAuth 2 with no manual user configuration, full interactively?
Is there any way to do this without needing user email, which in fact is one of the parameters in Service Account Oauth2 Strategy?
Must we keep 2-LO Authentication for this scenario and do OAuth 2 only for installation Google Marketplace part?
Any comments or guide will be wellcome.
Best,
Certainly - in the latest update to the Google Apps Marketplace, the act of installing an App means the admin doesn't need to do an additional manual step.
You need a way to impersonate a user in a Service Account. Depending on how you implement your application, you might need to utilize the Directory API.
OAuth1 is going away eventually so I recommend you use OAuth2 throughout to simplify your code complexity.
I've been trying to integrate my application (ruby) with a Google AppScript (published as a Web Application with access level as 'only me') on behalf of a Google Apps account for quite some time, but I can't get a handle of it. Maybe I'm missing a key concept here or that sort of authentication/authorization isn't available when making requests in the background.
The script works fine when I'm logged in to gmail and access the script endpoint. I can also successfully connect to it using a sinatra application authenticated with openid.
I've already tried to use google-api-ruby-client, but I can't get the authorization scope right (service name). I've also tried clientlogin in gdata-ruby-util, to use Gmail login/password and get an authorization error message when trying to fetch from the script url.
Is it doable? Can anyone point me in the right direction?
Unfortunately, Contentservice in Apps Script (which I think you are using to create your webservice) doesn't provide any authentication mechanism. If you are accessing it from a server side script, you can use a token string which is known by your webservice app and your server to provide a level of security to your publicly accessible webservice.
Here are some similar discussion
How to use Google Apps Script ContentService as a REST server
Google App Script: ContentService web app usage