Authentication server for Google Apps - authentication

We are using Google Apps services in our startup for email and docs. However for some other purposes such as svn and bug tracker we have our local machines on which we have installed the required apps. All of them have their own separate credential sets.
Ideally I'd like to have one authentication (i.e. that of Google Apps) and authenticate on svn & trac etc. using them. Considering Google Apps does not support OpenID, what should be a good solution? Can I setup a server which uses a particular protocol and still nicely wraps around Google Apps authentication?

There is a Google Federated Login API now, it provides OpenID services. Also, as this guy has shown, it's easy to use Google App Engine to create an OpenID provider of your own using Google IDs as the underlying credentials. HTH.

OAuth may help, up to a point -- Google Apps' gdata APIs do support it decently, see here. Of course all this requires and concerns programming, not just system administration: but then I know for sure your question IS about programming, since it's on Stack Overflow -- if you meant to ask strictly about sysadm issues, you would of course be using serverfault.com, right?-)

Related

Developer-authenticated end users with Google Cloud Platform

For authenticating end users to things like IoT services, many cloud services have a custom option: The client authenticates with the dev's own server (however the dev implements that), which in turn gets a token from the cloud service and sends that to the client for authentication with the cloud service. Amazon and Twilio are examples of this. This allows for a fully customizable auth.
If I understand correctly, Google Cloud Platform requires end users to authenticate with Google's OAuth2 service, meaning they must sign in with a Google account. I don't see any way around this, but the limitation is so severe that I wonder if I'm missing something. Is there some way I can instead authenticate users my own way?
meaning they must sign in with a Google account
That's not entirely correct, you probably overlooked this in the very doc you referenced (emphasis mine):
Firebase Authentication gives you a robust, secure authentication
system-in-a-box that helps you do sign in with any account your
users want to use. Firebase Authentication supports password
authentication in addition to federated sign in with Google, Facebook,
Twitter, and more, allowing you to easily scale your authentication
system as you grow on desktop and mobile.
So you can have your users choose their username and password or login using one of their supported 3rd party non-Google accounts.
But it will still be Google handling the authentication for you, which is good if you plan to use other GCP products/services as the authentication can be propaged.
If you want to handle the authentication yourself - nothing stops you from doing that, but it may be difficult/impossible to integrate it with other GCP products/services. The Plain OAuth 2.0 might be what you're looking for (I don't understand it enough), search for it in the Compare Auth Options guide.

API Authentication for multiple apps

I have been doing a lot of research into how to authenticate mobile apps with an API - I still feel a bit unsure about which flow & architecture would be better to use in my particular use case.
I think what's confusing me is some of the terminology used.
My use case:
An API & database on one server. Which holds the users & and the users resources.
A web app, which I have built and consumes the API. Hosted on the same server as the API. So it's dogfooding.
A web app, which I have built and consumes the API. Hosted on a different server to the API.
A mobile app, which I have built and consumes the API.
I'd like to be able to authenticate with the API using username & password.
The API will never be opened up for consumption by other 3rd party services except the web app and the mobile app.
Initially I felt like using the Resource Owner Password Credentials Grant flow would be sufficient. However in the docs it states that this flow should be used if "The client is absolutely trusted with the user credentials".
Since both my mobile & web apps will be built by me, I'm assuming they are seen as 1st party clients. Therefore am I right in thinking they are considered to be trusted with the user credentials? As I typically thought that when implementing oAuth, the idea would be to have the authentication server separate from the resource server. Which would allow you to have one authentication server for multiple APIs.
After reading this post: Why the Password Grant is not suitable for modern applications
It threw me off track a bit. But then, is this post talking about using this flow in my use case?
I was also looking at the Implicit Grant Tokens flow. However using this flow I couldn't really see how the user would enter their credentials first?
I also question if any of the oAuth flows is really needed for my use case and I should instead look at other ways of authenticating?
I'm really quite lost with this I would like some direction to go in with how to authenticate users in my particular case.
Thanks in advance!
I'll most likely be using Laravel to house my API and so I do have Passport available to me to implement oAuth
EDIT
From following this oauth article I've found that in all use cases of my app, I end at Password Credentials Grant flow. Would I be correct here?

How can impersonate a Domain to Access Google API Admin SDK with Oauth2?

We have several apps Deployed on Google Apps Marketplace using OAuth 1.0 protocol. According expiration OAuth 1.0 in Google Platform we are trying to migrate all the apps to new OAuth version but we are facing some difficulties regarding background request to Google Admin SDK Directory API.
In our apps we need to request for Domain user accounts, groups and other stuff related Email Domain structure. Until OAuth 1.0 we have been doing this with 2-LO (Two-Legge OAuth) so basically once Admin gave us access we can impersonate request for domain using this mechanism.
After reading all Google Documentation about Google API, Oauth Mechanisms and stuff, and after trying some code test hypothesis too, we haven't figured out yet how can we managed the same concept with OAuth 2 because of the following:
Using Web Server Oauth 2 Strategy simply will not work because in that scenario we would be getting a Domain user Access to Admin SDK. If we keep their access/refresh token pair to later querying Admin SDK and the user is deleted because Domain change it Admin we will be disconnected from flow.
I supposed in that case the best choice was Service Account strategy. The problem with this scenario is the user has to manually configure access to the App in their Admin Console according to the Google's document domain-wide delegation authority (https://developers.google.com/+/domains/authentication/delegation#create_the_service_account_and_its_credentials). This is really awkward for us since we were managing all application installation interactively and we don't want to remove User Experience facilities.
Finally, my questions are:
Is there any way to do domain-delegation authority with OAuth 2 with no manual user configuration, full interactively?
Is there any way to do this without needing user email, which in fact is one of the parameters in Service Account Oauth2 Strategy?
Must we keep 2-LO Authentication for this scenario and do OAuth 2 only for installation Google Marketplace part?
Any comments or guide will be wellcome.
Best,
Certainly - in the latest update to the Google Apps Marketplace, the act of installing an App means the admin doesn't need to do an additional manual step.
You need a way to impersonate a user in a Service Account. Depending on how you implement your application, you might need to utilize the Directory API.
OAuth1 is going away eventually so I recommend you use OAuth2 throughout to simplify your code complexity.

rails: google affiliate network API oauth when API does not support Service Account model

Update 1: as I delve deeper, this isn't really anything to do with Rails, it's more of a question about how to have a server access our account using credentials provided by Google when the API we're calling doesn't support the Service Model
I have a server application that needs to connect to Google API from Rails. I can authenticate with OAuth2 successfully using the google-api-ruby-client gem and get other APIs working. There are several samples that use the gem, but most assume you want a user to authenticate themselves in a web environment. Others support what Google calls a "Service Model" where it's really the app validating itself. I have that working, too.
However the specific API I am querying is Google Affiliate Network (GAN), which does not support the Service Account model. In particular, I need a server to be able to authenticate with OAuth2 without any user interaction. I have done this using OAuth in several other contexts, but am struggling to get it working in this case.
Does anyone know of working Rails code for GAN?
Update 2: I am searching this google document on API authorization for strategies that don't require user interaction.
I found a workable solution -- it uses Google's "Installed Application" approach, which needs one bit of manual setup, but is otherwise a working solution.
https://gist.github.com/3543368

Google Account to sign into a third-party website

I want to use google/yahoo ids to be used to login to my website.
As its done in stackoverflow.
Can any one provide me a starting point.
That authentication method is called OpenID. You can get details at the open id website.
If your webiste uses PHP on the server, here's a resource to get you started with OpenID and PHP
UPDATE
Since I've posted this, the world of open federated authentication has evolved quite a bit. If you're interested in this you may wish to look up OAuth v2 online, or check out these links: www.oauth.net and the Google resources on OAuth2 available here.
OAuth builds upon the concepts of OpenID and it expands the functionality quite a bit, in particular in the areas of not just providing authentication but also providing authorization for applications using a centralized provider of the user's choice (i.e. Google, Facebook, Twitter or your own :) )
I have been using JanRain for the same thing. It is free and integrates with loads of different login providers, such as, Facebook, Twitter, Google, OpenId (generally), yahoo, msn, and many more.
There is code that lets you integrate it with almost any programming language/platform you want.
try this sample in CodeProject.
http://www.codeproject.com/KB/web-security/OpenIdFormsAuth.aspx
It worked fine with me.