I am using google cloud auth for signing my requests for a firebase based project. Until yesterday it worked seamlessly, after using the gcloud auth print-identity-token I have received a token for the selected project and account. Yesterday after a restart this functionality stopped working. I still receive a token and the gcloud seems to be configured well(re-initialised it, and tried to completely uninstall/install it), but the returned token has different aud field. Therefore my firebase functions consider my requests as unauthenticated. let me paste the error message below:
Failed to validate auth token. FirebaseAuthError: Firebase ID token has incorrect "aud" (audience) claim. Expected "xyzmyproject" but got "32512345659.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK
I have checked the identity token via jwt.io and the aud is set to the wrong 32512345659.apps.googleusercontent.com value as the error message describes it.
Furthermore while was investigating I found out that the gcloud auth login command redirects me to the url the client_id is specified as 32512345659.apps.googleusercontent.com.
Related
I have created a Google cloud function, and in the permissions I've added the 'Cloud Functions Invoker' role to the 3 individual users I want to be able to trigger the function.
The function is accessible at the trigger endpoint provided, similar to this:
https://us-central1-name-of-my-app.cloudfunctions.net/function-name
I have assigned myself the invoker role on the function. When I enter the URL I get a 403
Your client does not have permission to get URL /function-name from
this server.
Since I am signed into my Google account already, I had assumed I would have permissions to access this function.
If not, how can I show the authentication prompt as part of the function without exposing the entire function via allUsers?
You can't call directly the function even if you are authenticated on your browser (this feature will come later, when you will be behind a Global Load Balancer and with IAP activated).
So, to call your function you have to present an identity token (not an access token). For this, you can use the gcloud SDK with a command like this (on linux and after having initialized it with your user credentials (gcloud init))
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://....
You can also create an API Gateway in front of it (I wrote an article on this) and use an API Keys for example.
I'm attempting to understand how spring boot uses http sessions to manage the oauth authorization code flow.
I understand that after the user submits their credentials via the /login form spring will persist the authentication object so it can be retrieved when the browser is redirected to retrieve the authorization code.
What I dont understand is if the browser needs to sends jsession cookie to the server or http basic authentication header when invoking this flow.
For example if I wanted to initiate the flow manually via curl do I need to specify any special headers ?
It doesn't use HTTP sessions to persist it, the client ID and authorisation code (the code that's passed back to the client app after the user authenticates) is used to identify the authentication object. The authorisation code is then used to obtain the access token.
So:
The client app redirects to the auth server, passing in their client ID.
The user authenticates with their username and password on the auth server , which stores the authentication against the code and client ID and passed the authorisation code back to the calling app as a request param on the redirect URL.
The client app calls back to the auth server, authenticating with it's client ID and secret and passing in the authorisation code. This is then swapped for the access (and possible refresh) token.
If the app needs the user details, the client app calls the user details endpoint authenticating with the access token it now has.
I am learning how to use Google Drive API to upload a file and I am getting this error:
"Client error: `POST https://www.googleapis.com/oauth2/v4/token` resulted in a `401 Unauthorized` response:\n{\n \"error\": \"unauthorized_client\",\n \"error_description\": \"Client is unauthorized to retrieve access tokens using this me (truncated...)\n"
I think this stem from a wrong configuration of my service account. When I created my service account, I didn't use Enable G Suite Domain-wide Delegation and just used the generated json key.
Attached here is a screenshot of my IAM & ADMIN
I also enabled API for google drive, so what am I missing?
You have to create a client id for the service account and with that id you have to enable the SCOPE in security - advanced configuration
I am facing the following problem.
I have to log in users in Openshift using Keycloak and then these users should be able to use the Openshift API using a custom external Web GUI which I made.
When I log in, Keycloak returns a Keycloak JWT-token. But my problem is that with this Keycloak JWT-token I cant use the Openshift API, for that I need an Openshift token, which is a different token. I could get the Openshift token using an http request to -openshiftmaster-/oauth/authorize , But I don't wanna do this cause this second authentication would mean a second login screen for the user.
Is there a way, once logged in usingKeycloak and in possession of a Keycloak JTW-token, to get the Openshift token without having to authenticate again against Openshift with username and password?
You can set up keycloak as an open id provider. Link 2. Link 3.
I'm using the Google client API library for Python. My code is running on an Ubuntu 14.04LTS server.
I have a working Google Compute project, were I created and downloaded a OAuth2.0 token to my server.
I'm trying to write a script that does the following:
Automatically (with no user interaction) authenticate to Google Compute engine.
create a new VM and then perform more actions...
My basic problem is using the OAuth2.0 authentication. It required user approval on a javascript supporting browser, and I want to do it automatically, on my server.
Using my code on my desktop works. A browser page pops up requiring my approval. On my server, I get the following message:
we have detected that your javascript is disabled in your browser
The code segment I use for authentication is:
# authenticate using the OAuth token
client_secret = os.path.join(
os.path.dirname(__file__),
self._oauth_token_path)
# set up a Flow object for the authentication
flow = client.flow_from_clientsecrets(
client_secret,
scope=scope,
message=tools.message_if_missing(client_secret))
# open credential storage path
credential_storage = file.Storage(self._credential_storage_path)
credentials = credential_storage.get()
# get credentails if necessary
if credentials is None or credentials.invalid:
credentials = tools.run_flow(flow, credential_storage, flags)
I read about service account access as a replacement of the regular OAuth2.0 authentication. Does any one know if that's the best way to go? any thoughts on how to do it better?
OAuth 2.0 requires user approval and is not the method to go for if you want to run your code/scripts automatically.
Service accounts are more suitable for this and are supported by the API (https://cloud.google.com/compute/docs/authentication#tools)
You create a service account + key in the developer console and use both to authenticate your application.