G Suit - Token Validation like unprotect - google-oauth

I have an G-Suite Account..I have created a project in developer console. In that i have chosen the Oauth client Id credential for Application Type (Others). I have received client secret and Client ID..... Using this i have tried the sample mvc https://developers.google.com/drive/v3/web/quickstart/dotnet I have received the token with Below information
1.access_token
2.Experiences
3.refresh_token
4.Token_Type and so on…
I cant find any user related information (eg: UserId) in the token for Authenticate in our application (used tokeninfo api to validate token). I get below response
{
"issued_to": "123456789234.apps.googleusercontent.com",
"audience": "123456789234.apps.googleusercontent.com",
"scope": "https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly",
"expires_in": 3520,
"access_type": "online"
}
How to get userid in access_token?

If you are try to get their user information you have to add https://www.googleapis.com/auth/userinfo.profile in your scopes.
View your basic profile info
Here is some additional reference:
How to get user email from google plus oauth
How to identify a Google OAuth2 user?
Hope this helps.

Related

How to authenticate Google Sheets API using OAuth 2.0 from Postman/PowerAutomate(MS Flow)?

I am new to Google Suit. As part of a requirement, we are trying to access Google Sheets from Microsoft Flows (Power Automate) using HTTP call. I have the details to access Google Sheets API such as client_id, client_secret and redirect_uri. It would be if any thoughts on the approach to achieve the authentication with the above details.
Scenario: We have some Google Sheets which holds data to be READ and WRITE Back.
I have tried calling Google Token API with below details, but getting an error
Error 400: invalid_request
Required parameter is missing: response_type
Our main goal is to bypass user consent and authenticate Google APIs using client id and secret and perform the required actions on the data.
Steps performed to authenticate the Google API
Method: Get
URL: https://accounts.google.com/o/oauth2/auth
Headers:
{
"client_id": "xxxxxxxxxxx-xxxxx0r0e4oe1dllujkiejtm7ii42jqk.apps.googleusercontent.com",
"redirect_uri": "https://console.cloud.google.com",
"response_type": "code",
"scope": "https://www.googleapis.com/auth/spreadsheets",
"access_type": "offline",
"prompt": "none"
}
I am following https://developers.google.com/identity/protocols/oauth2/web-server#httprest as a reference.
Your formatting the request wrong. The first call is a http get you just place it in a browser window
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope={scopes comma separated}&response_type=code
It will display the consent screen to the user. All parameters form a query string. They are not sent as headers there is nothing in the docs that says it should be sent as headers.
Useful links:
Google 3 Legged OAuth2 Flow
Understanding Google OAuth 2.0 with curl
The Discovery document

Malformed mfa_token message when trying to challenge an user with MFA

I am developing an iPhone application to demonstrate the MFA using sms factor with MFA APIs for POC. I am using the authorisation flow for getting my access token (where I get a authorisation code and redeem it for an access token)earlier to MFA implementation. From the documentation, I found out that I need an MFA_token to work with MFA APIs. I added few changes with my existing authorisation process.
I am getting an MFA Token by doing the following steps:
Added scope enroll read:authenticators to authorisation endpoint( i.e. “https://<my_domain>/authorize”)
Added an audience:
https://<my_domain>/mfa to the authorisation endpoint
Then I make a post request to token endpoint with authorization code to get the mfa_token.
The only changes I can observe is now the access token(which I presume to be the mfa_token) is in jwt format with expire time 600 sec. By using this access token(=mfa_token)
I built a custom pages for my user for enrollment and challenging the user via sms.
I am able to enroll user, confirm enrollment using this access token.
But when I challenge an user using this access token I get the following error after https://YOUR_DOMAIN/mfa/challenge call.
{
“error”: “invalid_grant”,
“error_description”: “Malformed mfa_token”
}
Can anyone please say me where I am going wrong?
Is the access token same as the MFA_Token in my case?
Thanks in Advance!
I think the access_token only serves as mfa_token during OOB/device registration. Thenafter, the user will get an mfa_token during auth, which is passed for MFA/OTP challenges
https://auth0.com/docs/login/mfa/ropg-mfa/manage-authenticator-factors-mfa-api#resource-owner-password-grant

WSO2 APIM 3.1.0 - API runs with one user but not for other user with same role

i am working on a multi-tenant app and i have two users with "admin" role. 1st user is "admin" and 2nd user is "abc". When i access token for both users, same scope is returned for both.
{
"access_token": "d479b9e3-1def-31b4-b8a8-3033ae6467ab",
"refresh_token": "887c386b-2ec7-39c4-9bcf-c286f4dfda40",
"scope": "app_non-permission app_permission portal_access",
"token_type": "Bearer",
"expires_in": 1862
}
Using this token, i call my subscribed API, and it works for "admin" user but fails for "abc". Error message for "abc" user is as below.
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900910</ams:code>
<ams:message>The access token does not allow you to access the requested resource</ams:message>
<ams:description>Access failure for API: /portal/1, version: 1 status: (900910) - The access token does not allow you to access the requested resource</ams:description>
</ams:fault>
I am unable to understand why it works for one user but not for the other even though the users have same role and token API also returns same scope.
Looking at your explanation it sounds to me like the 'abc' user needs to also subscribe to the API. You might be using the wrong "grant_type" while retrieving the bearer token. [1]
Another possibility would be to add "application sharing" [2] if it's not possible for your 'abc' user to use it's own store application to subscribe to the API.
[1]https://docs.wso2.com/display/AM260/Password+Grant
[2]https://docs.wso2.com/display/AM260/Sharing+Applications#SharingApplications-Enablingapplicationsharing

Google Photos API - authentication

I'm trying to get list of my shared albums from Google Photos.
I found a enable Photos API in Google Developers Console.
HTTP GET:
https://content-photoslibrary.googleapis.com/v1/sharedAlbums?key=AIzaSyCkXXXXXXXXXXXXXZiOSe9IiyM8E
RESULT:
{ "error": { "code": 401, "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "status": "UNAUTHENTICATED" } } 1
Configuration in developers console:
Please, what I'm doing wrong? Thank you.
Google API need an access token to make sure that the user has the permission to access the feature. Access token is just like cookie that should be send together with the request.
Usually you will need so many setup to get the access token with your own code. But there are a client library that can help you access Google API with small setup.
Access token also has a lifetime, so if you don't use the library you will need to manually refresh the token.
You need to configure OAUth 2.0 credentials (client ID and secret) and not an API key. More details are in the developer documentation here: https://developers.google.com/photos/library/guides/get-started#request-id
The Google Photos library API acts on behalf of a user, that's why you need to authenticate via OAuth 2.0. As part of this request you also need to specify a scope for your users to accept, see this page for more details: https://developers.google.com/photos/library/guides/authentication-authorization
I've been working on a python project to backup google photos library and album info. you can probably modify it to do exactly what you want. It is fully working but does not currently distinguish between shared and private albums.
https://github.com/gilesknap/gphotos-sync
In particular, see https://github.com/gilesknap/gphotos-sync/blob/master/gphotos/authorize.py which handles authentication and authorization for any Google service (it also handles storing the token and refreshing the token).

How to get the logged in user details(user email id and user name) using Access Token in AAD Single Sign on using java script back-end?

Hi am developing a windows store 8.1 app using C# and xaml
For log in, am authenticating the user with Windows Azure Active directory Single Sign-on using JavaScript back-end.
Once the user is logged in and i have the access token, how to get the logged in user's user email id and Username using the access token in the app?
Anybody please provide me a solution to get the user email using the access token?
If you have the access token then that should contain the user id value. For retrieving the e-mail address you have to query the Graph API to get user details. The full documentation on that is here but in short you should make a get request like below, placing the AccessToken in the Authorization header, after "Bearer ".
GET https://graph.windows.net/contoso.onmicrosoft.com/users/Alex#contoso.onmicrosoft.com?api-version=2013-04-05 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
You can use either user principal name or objectId in the address. Better yet, you can use the Azure AD Graph Client nuget package and call their API to get user information.
Uri servicePointUri = new Uri("https://graph.windows.net");
Uri serviceRoot = new Uri(servicePointUri, "contoso.onmicrosoft.com");
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, accessToken);
IUser user = activeDirectoryClient.Users
.Where(user => user.UserPrincipalName.Equals("alex#contoso.onmicrosoft.com"))
.ExecuteAsync().Result.CurrentPage.ToList().SingleOrDefault();
See here for the full sample.