I am working on an app which provides users with CRUD funtionlity over GCP catalog. I have managed to get the JWT token of the user fron the frontend, but I do not know how to pass this on to the 'DataCatalogClient'. The code looks like this:
const {DataCatalogClient} = require('#google-cloud/datacatlog).v1
const datacatalog = new DataCatalogClient()
The DataCatalogClient does accept some parameters, but I do not see anything related to a token over there. Any help is greatly appreciated!
Related
I am trying to store a secret that I am calling with the following line of code:
const {token} = await context.github.auth({type: "installation"});
I cannot find the API to store the secret once I get it. Any idea on what probot APIs are there to store the secret?
Thanks!
I have tried looking everywhere and cannot find a handy probot API.
I am building a mern application.
the backend built using express exposes an api which users can create data and access the data they have created.
I want to allow users to sign in with google and get authorization to create and access the resources on this api which i control (not on google apis).
I keep coming across oauth 2 / open id connect articles stating that an Id token is for use by a client and a access token provided by a resource server should be used to get access to an api.
e.g. https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
the reason stated for this is that the aud property on the id token wont be correct if used on the api.
I realise that some sources say: that if the spa and api are served from same server and have same client id and therefore audience I can use and id token to authenticate to the api, but I am looking to understand what I can do when this is not the case?
I feel using oauth2 for authorization is overkill for my app and I cant find any information about how to use open id connect to authenticate to my api.
Surely when you sign in to Auth0 authourization server using google it is just requesting an open id connect id token from google?
I am wondering if using Authorization Code Grant flow to receive an id token on the api server would allow me to authenticate a user to my api?
in this case would the api server be the client as far as open id connect is concerned and therefore the aud value would be correct?
I can generate an url to visit the google oauth server using the node googleapis library like so:
const { google } = require("googleapis");
const oauth2Client = new google.auth.OAuth2(
'clientid','clientsecret',
"http://localhost:3000/oauthcallback",//this is where the react app is served from
);
const calendar = google.calendar({ version: "v3", auth: oauth2Client });
const scopes = ["openid"];
const url = oauth2Client.generateAuthUrl({
// 'online' (default) or 'offline' (gets refresh_token)
access_type: "offline",
// If you only need one scope you can pass it as a string
scope: scopes,
});
async function getUrl(req, res) {
console.log(url)
res.status(200).json({
url,
});
}
and use the following flow.
You are not supposed to access any API's using the ID-Token. First of all the life-time of the ID-token is very short, typically like 5 minutes.
You should always use the access-token to access API's and you can using the refresh token get new access-tokens. The ID-token you can only get one time and you use that to create the local user and local cookie session.
If you are using a SPA application, you should also consider using the BFF pattern, to avoid using any tokens in the SPA-Application
see The BFF Pattern (Backend for Frontend): An Introduction
I agree with one of the commenters that you should follow the principle of separation of concern and keep the authorization server as a separate service. Otherwise it will be a pin to debug and troubleshoot when it does not work.
As the title is saying, I'm currently trying to delete a object using request, and google_API.
But, Even though I did what Google Cloud Platform said,
It doesn't work.
Please, Help me. what should I do?
It doesn't appear you're providing any sort of authentication token. You are providing an API key, which is important when making anonymous requests, but an API key does not authenticate your identity or grant any permissions. I am guessing that you are getting 403 Forbidden responses.
Since you're using Node.JS, I might suggest trying the google-cloud library. It's easy to use, and it deals with OAuth 2 authorization logic for you. A delete might look like this:
var gcloud = require('google-cloud')({
projectId: 'grape-spaceship-123'
keyFilename: '/path/to/keyfile.json'
});
var gcs = gcloud.storage();
var myBucket = gcs.bucket('backups');
var myFile = myBucket.file('someFile.png');
myFile.delete(function(err, apiResponse) {});
We are building a solution that will need to access our customers Gmail accounts to read/send mail. On account signup, we'd have a pop-up for our customer to do Gmail auth page and then a backend process to periodically read their emails.
The documentation doesn't seem to cover this use case. For example https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth says that client tokens should be stored in client_secrets.json - what if we have 1000s of clients, what then?
Service accounts are for non-user info, but rather application data. Also, if I use the GoogleWebAuthorizationBroker and the user has deleted access or the tokens have expired, I don't want my backend server app to pop open a web brower, as this seems to do.
I would imagine I could use IMAP/SMTP accomplish this, but I don't think it's a good idea to store those credentials in my db, nor do I think Google wants this either.
Is there a reference on how this can be accomplished?
I have this same situation. We are planning a feature where the user is approving access to send email on their behalf, but the actual sending of the messages is executed by a non-interactive process (scheduled task running on an application server).
I think the ultimate answer is a customized IAuthorizationCodeFlow that only supports access with an existing token, and will not execute the authorization process. I would probably have the flow simulate the response that occurs when a user clicks the Deny button on an interactive flow. That is, any need to get an authorization token will simply return a "denied" AuthorizationResult.
My project is still in the R&D phase, and I am not even doing a proof of concept yet. I am offering this answer in the hope that it helps somebody else develop a concrete solution.
While #hurcane's answer more than likely is correct (haven't tried it out), this is what I got working over the past few days. I really didn't want to have to de/serialize data from the file to get this working, so I kinda mashed up this solution
Web app to get customer approval
Using AuthorizationCodeMvcApp from Google.Apis.Auth.OAuth2.Mvc and documentation
Store resulting access & refresh tokens in DB
Use AE.Net.Mail to do initial IMAP access with access token
Backend also uses AE.Net.Mail to access
If token has expired, then use refresh token to get new access token.
I've not done the sending part, but I presume SMTP will work similarly.
The code is based on SO & blog posts:
t = EF object containing token info
ic = new ImapClient("imap.gmail.com", t.EmailAddress, t.AccessToken, AuthMethods.SaslOAuth, 993, true);
To get an updated Access token (needs error handling) (uses the same API as step #1 above)
using (var wb = new WebClient())
{
var data = new NameValueCollection();
data["refresh_token"] = refresh;
data["client_id"] = "(Web app OAuth id)";
data["client_secret"] = "(Web app OAuth secret)";
data["grant_type"] = "refresh_token";
var response = wb.UploadValues(#"https://accounts.google.com/o/oauth2/token", "POST", data);
string Tokens = System.Text.Encoding.UTF8.GetString(response);
var token = Newtonsoft.Json.JsonConvert.DeserializeObject<dynamic>(Tokens);
at = token.access_token;
return at;
}
I have implemented Google authentication with web API 2 and getting following error:
The given URL is not allowed by Client_id 'ngAuthApp' configuration.
This works when I change AllowedOrigin to (localhost) but not working in api.mytouchstones-uat.net in Client table after azure release.
My code is the following:
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
//Configure Google External Login
googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
{
ClientId = Common.Constant.GoogleClientId,
ClientSecret = Common.Constant.GoogleClientSecret,
Provider = new GoogleAuthProvider()
};
app.UseGoogleAuthentication(googleAuthOptions);
I had the same issue and this was the first google result for me. So I thought I might answer if someone else stumbles upon this question.
I guess you followed this guide, or similar.
Check that your redirect_uri that you send to Facebook/Google etc is the same as the one you have as AllowedOrigin in dbo.Clients.
And make sure that the same uri are allowed in your Facebook/Google appsettings.