I'm trying to create an API for the Google Onhub router, but when I sniff my phone's (as google requires an app to control their router which is why I am making this API to be able to control the router via web interface) network traffic it doesn't send to the router but to a google server IP and when I try to connect to the IP I timeout, any ideas on how I could figure out how to connect/send packets to the google server?
OnHub is managed via the standard GoogleAPI.
The scope required for the OnHub is: https://www.googleapis.com/auth/connectedhome.onhub, but this is undocumented. If you request an access_token with the previous scope, you can guess endpoints required for API communications.
I am working on a project for this now and will be writing a blog post once completed with more details.
Related
Overall flow
I'm working with Google Cloud Platform (GCP), Google Apps Script (GAS), and the Pub/Sub service within a Google Workspace domain environment. This is the flow of requests/data, which works but clearly has auth issues:
GCP Pub/Sub service receives messages for a specific topic
Pub/Sub forwards the message to a push endpoint URL by POST
The push endpoint is a doPost() function within Google Apps Script (GAS), published as a Web App
Details
I have enabled authentication for the Service Account used in the Pub/Sub delivery type options, i.e. Pub/Sub signs a JSON Web Token (JWT) and sends the JWT in the authorization header of the push request. Edit: The Service Account (Client ID) has a domain-wide delegation for the Scopes
https://mail.google.com/
https://www.googleapis.com/auth/drive.scripts
https://www.googleapis.com/auth/drive
Web App deployments come with two options:
"Execute as"
Me (name#workspace-domain.tld)
User accessing the web app
"Who has access"
Only myself
Anyone within {workspace domain}
Anyone with Google account
Anyone
Right now, the web app executes as Me with Anyone having access. And it works.
Problems
The push endpoint is publicly accessible, but should not be. (1)
Follow-up: "The push endpoint must be a publicly accessible HTTPS address" (source) anyways, so "Who has access" will be set to "Anyone" by design.
Limiting the "Who has access" option to "anyone within {domain}" leads to unacknowledged messages inside the Pub/Sub subscription, doPost() will not run, but the endpoint returns straight 40X HTTP codes (probably forbidden).
--> Question: How can I promote the Service Account to being seen as a user within the workspace domain, so it has access to the endpoint?
The push endpoint should validate tokens sent by Pub/Sub. (2)
In GAS, doPost() has no access to (authorization) headers sent to the web app endpoint URL (unfortunately and as far as I know). However, ScriptApp.getIdentityToken() gets an OpenID Connect identity token for the effective user, if the openid scope has been granted.
--> If problem (1) was solved, is it possible to authenticate and authorize the messages send to the endpoint within the GAS doPost() function using ScriptApp.getIdentityToken()? From my understanding, the Service Account should also become the effective user, i.e. "Execute as" = "User accessing the web app".
I might be missing something. So, thanks for any tips and advice!
Doc links
Google Apps Script: Web Apps
https://developers.google.com/apps-script/guides/web
GAS: ScriptApp.getIdentityToken()
https://developers.google.com/apps-script/reference/script/script-app#getidentitytoken
Using push subscriptions: Authentication and authorization by the push endpoint
https://cloud.google.com/pubsub/docs/push#authentication_and_authorization_by_the_push_endpoint
How can I protect an API request sent from a static site hosted on a CDN?
Use case:
A single page application using react is hosted on S3 + Cloudfront. The site calls the Yahoo Finance API to request some market data. The third-party API uses an API key to authenticate the requests. I can only store the third party API key in the static site making it available for anyone.
Considerations:
The static site and the API are not in the same cloud provider or service, so a solution using roles wouldn't work.
A Lambda (Function) proxy solution is my best choice at the moment IMO but this would still allow a request to be sent directly to the Lambda (Function).
The request to the function should also be secure, making the above option still vulnerable. This means that getting the URL to the Proxy Function from the source code and calling the Function is not acceptable either.
Looked around at some other questions posted but I haven't found one that addresses the particular circumstances stated here.
Have installed the API Manager 1.10.0 on a single machine and got everything running. Created and published API containing Openstack's Keystone URL. However when i try to consume API via API console in API store i get the MANAGEMENT CONSOLE as i response.
Have looked at the curl sent and the IP is not right.
Curl request from API Console
Keystone API URLs
Why am i not able to use the API? Why is the Production endpoint in the API overview not used? (it works perfectly fine with a REST Client or even with the same Curl request once i change to IP)
When we construct API endpoint URLs we will use following properties defined in API Manager configuration file(api-manager.xml). If you haven't changed anything there then default ports(8280/8243) will appear there. If you can please try this with private browsing window with https session.
And if you replace curl with IP and correct port 8280, 8243 then did it worked as expected?
<GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
Thanks
sanjeewa.
We're trying to find a way to authenticate a client via a mobile application rather than using a captive portal splash page. Is this possible at all?
I've looked at the CloudTrax API but can't seem to find anything that directly indicates the ability to authenticate users.
Another option I considered was trying to make a http request which would return the splash page and then with Javascript, imitate a click event on the authenticate button..
If you use the cloudtrax http authentication then you should be able to do this fairly easily.
Cloudtrax HTTP auth sends an initial status request to your HTTP auth endpoint whenever a client connects to the wifi network if they haven't already got an authenticated session. This is before any login or captive portal popup is displayed. Your HTTP endpoint can respond to that request with an ACCEPT message along with session time and bandwidth restrictions. The AP will then just authenticate the device and allow it internet access without displaying any captive portal.
Not sure what your use case is for the mobile app (eg are you doing some other customer engagement inside the app?), but you could implement this without an app. Just push them to a captive portal the first time you detect their mac address, get them to register. Then all future connections can just be automated in the backend.
If you do need an app, then just do the registration part inside the app and have the app send their mac address to your backend server so the HTTP auth server can look it up in future.
I've been trying to integrate my application (ruby) with a Google AppScript (published as a Web Application with access level as 'only me') on behalf of a Google Apps account for quite some time, but I can't get a handle of it. Maybe I'm missing a key concept here or that sort of authentication/authorization isn't available when making requests in the background.
The script works fine when I'm logged in to gmail and access the script endpoint. I can also successfully connect to it using a sinatra application authenticated with openid.
I've already tried to use google-api-ruby-client, but I can't get the authorization scope right (service name). I've also tried clientlogin in gdata-ruby-util, to use Gmail login/password and get an authorization error message when trying to fetch from the script url.
Is it doable? Can anyone point me in the right direction?
Unfortunately, Contentservice in Apps Script (which I think you are using to create your webservice) doesn't provide any authentication mechanism. If you are accessing it from a server side script, you can use a token string which is known by your webservice app and your server to provide a level of security to your publicly accessible webservice.
Here are some similar discussion
How to use Google Apps Script ContentService as a REST server
Google App Script: ContentService web app usage