I use Cloud Endpoints and do client-side oauth to access my backend. This works fine, except that it means I can only check whether the person hitting up my app URL is a user or not after the whole page and attached scripts have loaded and the oauth request has completed.
I'd like to enable server-side authentication so that I can use the same URL for my landing page and my app, and redirect the person to the app if she is a user or to the landing page if she isn't.
The problem is that the User Tutorial uses the UserService for authentication whereas Cloud Endpoints uses the OAuth Service. I can't figure out how to use OAuth in my redirect filter because all the links from the OAuth section linked to above are for OAuth 1 and are deprecated.
How can I check in my redirect filter whether the person visiting is a user or not and simultaneously get a token that I can use to subsequently call my endpoints if she is a user?
I'm using the Google Api JS client to make calls to cloud endpoints, so the solution would optimally integrate with that, using gapi.auth.setToken(token) with the token retrieved and bypass the whole gapi.auth.authorize(params, callback) dance.
You can provide custom servlet implementaion for login flow where You will fetch oauth-token by providing new Flow and then validate that access token to grant authorization of protected resources.
Google provides good reference document here and You can use this sample code repo
for reference.
You can use the user API for endpoints, no need to use OAuth if doesn't suit your needs. You only need to add an parameter of the type com.google.appengine.api.users.User to your endpoint. As stated here.
Eg:
#ApiMethod(name = "scores.insert")
public Score insert(Score score, User user) throws OAuthRequestException, IOException {
//Check if user is null
//Do your thing
}
Related
I would like to get instance of Google Calendar, but without redirecting to Google log-in page for user authorization. I am able to load client secrets like client ID, client secret etc. However, authorize() method is always redirecting me to google log-in page.
Is there any solution how to get credentials and authorization required for getting calendar and event instances from google, but just with authorization included in java class, not by redirecting to log-in page?
You just need to go to the login page once, after that, you just need to call the refresh token process if the token is not valid.
Take a look here: https://developers.google.com/calendar/auth
Or, you can take a look in the Google Service Accounts
The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario you need a service account, which is an account that belongs to your application instead of to an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved. This scenario is sometimes called "two-legged OAuth," or "2LO." (The related term "three-legged OAuth" refers to scenarios in which your application calls Google APIs on behalf of end users, and in which user consent is sometimes required.) Typically, an application uses a service account when the application uses Google APIs to work with its own data rather than a user's data.
I am planing to write an API for a mobile app. To lower the barrier for first time users i do not want a login screen on the first start. So what I want is, if the app notices it is it's first start it should register itself:
/register
A standard User should be generated like Name: GuestXX43, Authtoken XX43-58asda5-54asd, some additional Data
The user is now able to make other endpoint request due to its auth token.
But how do I check for the correct auth token on every Request?
/user [Update]
the user is also able to update his username and password to reloggin on another Device.
Which auth method will suite these thoughts, is there any doubt using this kind of auth flow?
Thanks guys
Are you using Google Cloud Endpoints? If the user credentials is set in some header, you can retrieve it in the backend via injecting HttpServletRequest in Java or check HTTP_YOUR_HEADER_NAME environment variables in Python.
Also you can try custom authenticator if you uses Java; this post can be relevant: Google Cloud Endpoints and user's authentication.
I'm running a webapp that checks if a user is logged in with UserService, then shows them their homepage if they are, or redirects them to a login screen if not. Once on the page, I would like to be able to update specific portions using AJAX when they click certain elements. Now, I have already written a REST API in the same GAE project using Cloud Endpoints that gets all the information I want, and so in the spirit of DRY I would rather use my own API than write new servlets to handle these requests.
The problem is that I need to generate an OAuth token in order to access the API. I can easily do this from the Google API JavaScript Client Library, but then my user needs to re-authenticate for the rest API, which is not only bad from a UX perspective, but more importantly exposes my client id in the page's javascript and passes a token through HTTP (non-SSL) headers.
The only option I see is to write a servlet for each request and have duplicate work. But conceptually, I'm already logged in to Google, so I should just be able to access the API. How does one usually go about this? Am I thinking about it all wrong?
UserService and OAuth are two different authentication (and authorisation) mechanisms and you can not combine them.
If you do need OAuth to access some of the APIs than also use server side OAuth. This way you can access APIs and replace UserService all in one go.
I am having trouble implementing federated login in Google AppEngine Java.
https://developers.google.com/appengine/articles/openid
I am getting the users service and getting current user. If the current user is null, then I will ask user service to create a login url with the open id provider of my choice(eventually, user will be allowed to choose). Here's the code snippet
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
if(user == null)
{
userService.createLoginURL(request.getRequestURI(),null,"yahoo.com",null);
//do a redirect
}
The third parameter of the method UserService.createLoginURL(....), is federatedIdentity(see here). For this argument, I have so far used the values "yahoo.com", "http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds", "https://openid.stackexchange.com/" and all the time, I am being redirected to Google account's login page. I have also noticed that the url in returned with these arguments is a little different than the one generated with no parameters.
I think I am doing some mistake here, but am not able to figure out where. What exactly should be passed to that parameter so user can be redirected to the respective provider's login page? For example, yahoo, stackoverflow, facebook, etc.
As an extended question, I believe that once the user is authenticated and sought approval, App Engine will automatically return that user via UserService.getCurrentUser() when asked next time. Am I correct?
For the record, I have set the 'Authentication Type' to 'Federated Login' in the Application settings.
Update 12/5/12: I went with openid4java. It has direct example provided as a sample in the distribution, which work like a charm on app engine.
This is probably not what you want to hear, but we have been there and abandoned OpenID for OAuth 2. I am aware that OpenID is meant for authentication and OAuth for authorization (see this other question), but in real life people are just using OAuth for both.
We went with Scribe and are very happy with it. Note that this means rolling your own authentication solution and probably limiting your list of providers, as each one does things differently.
I'm attempting to add OAuth support to an existing Spring webapp to allow people to login with their Google/Facebook/Twitter/etc. accounts. To do this I'm using the 'spring-social' framework, and the 'spring-social-google' library for it. I'm also trying to do this while working within a number of constraints:
The existing webapp does not use spring-security for authentication or for controlling access to resources, it provides its own form-based authentication.
The existing webapp does not track the authenticated user details using the servlet-container's Principal, instead it stores a reference to the authenticated user in the HTTP session.
The existing webapp does not (and cannot) have a Spring DispatcherServlet bound to the webapp root URL (i.e. /).
Accounts in the database are uniquely keyed by e-mail, so really all I'm attempting to do is glue together a flow that goes roughly like:
Login Page (user chooses between OAuth and direct login)
-> <Provider OAuth Flow> (user completes OAuth authorization)
-> OAuth Callback URL (grab user email, check for existing account, create if needed)
-> Post-login Landing Page (done)
Anyhow, the limitations noted above caused a variety of problems, most of which I've managed to find workarounds for. However I'm getting some bizarre behavior from the Google OAuth connector (Twitter and Facebook appear to work correctly). Basically, it appears that it is not sending the OAuth clientId or clientSecret during the final request to Google:
DEBUG: org.springframework.web.client.RestTemplate - Writing [
{code=[4/dVVrFDpNLDGTmXCuuQj6fcfaetEU.UkLPQd7NOLYbgrKXntQAax0INYiydQI],
redirect_uri=[http://localhost:8080/oauth/signin/google],
grant_type=[authorization_code]}] as "application/x-www-form-urlencoded"
This returns a code 400 ("bad request").
If I head over to hurl.it and POST the same data to the same URL (https://accounts.google.com/o/oauth2/token) and manually add in the client_id and client_secret values, the call returns a successful response.
So what could be causing the Google connector to omit these values?
For reference, I'm including the spring-social-google library in my project like:
<dependency>
<groupId>org.springframework.social</groupId>
<artifactId>spring-social-google</artifactId>
<version>1.0.0.M1</version>
</dependency>
...and then in my #Configuration class I've got:
#Bean
#Scope(value="singleton", proxyMode=ScopedProxyMode.INTERFACES)
public ConnectionFactoryLocator connectionFactoryLocator() {
ConnectionFactoryRegistry registry = new ConnectionFactoryRegistry();
registry.addConnectionFactory(
new GoogleConnectionFactory(
"<google client id>",
"<google secret key>"));
registry.addConnectionFactory(
new FacebookConnectionFactory(
"<facebook client id>",
"<facebook secret key>"));
registry.addConnectionFactory(
new TwitterConnectionFactory(
"<twitter client id>",
"<twitter secret key>"));
return registry;
}
The rest of what I'm using is pretty much standard straight out of the spring-social-showcase example (albeit hacked up to remove extraneous things and to work within the constraints noted above). Strangely, attempting to log in with Google does correctly show the OAuth authorization page on Google with my app/project name correctly displayed. The error happens after I hit the "Allow" button to authorize the OAuth login and return to the webapp.
Anyhow, what might be causing this issue, and how might it be fixed?
You may not have turned the google+ api on in the google developer console.
This is a separate task from getting an OAuth 2 token or api key.
If you have not done so already
http://console.developers.google.com
Navigate to your project.
Click 'APIs'.
Check 'Google+ API' is in the list of Enabled API's. If it is not, browse for it and enable it.