I am trying to setup Web Security Centre for my Google AppEngine App.
I tried using Google as well as Non-Google Account for Authentication where I provided Username and Password but it errors out saying
Could not sign in using the provided username and password
I tried below things:
Tried creating a test account vikash-security#gmail.com (in compliant with google naming convention) in my gmail and using the same for authentication. (this user had same domain name as my company's)
Created a test user with different domain name and used it for the authentication.
Both the above users have access to my Google App.
Both of the way did not work and throws the same error. Can anyone help me out with the same?
Google enforces a real name policy on G+ accounts. Your test account may be blocked from G+ if the name does not look real. at [1]. It will only work if the Google account you provided should have been G+ verified (with proper G+ setup), but still need to retry after the first failed attempt and it eventually will work.
There are few issues related to this and if this is a bug it will be resolved soon.
I raised this concern with the Google support team and got to know that there was issue from their end and they got this fixed and now my web security custom scan is working with non-google authentication.
Related
Our SPA app and Web API were working well with the standard SignUpSignIn user flow. When we switched to using a custom policy while keeping the same App Registrations, Sign In always displays “Invalid username or password” [1]. (Sign Up and Sign Out work).
To remedy the issue, we created new App Registrations as per Microsoft Custom Policy Tutorial
As stated, we used “Allow public client flows.”
Now the signin/signup page displays “The provided application with ID xxx is not valid against this service.” (error AADB2C90068). This happens whenever we use account type “Accounts in this organizational directory only”
If we use “Accounts in any identity provider”, we go back to getting “Invalid username or password”
Switching the front-end to “SPA” instead of “Public client/native (mobile & desktop)” doesn’t help.
Strangely, we did find a configuration that works: Following the tutorial exactly (Allow public client flows + Accounts in this org directory only + Public client/native platform) but leaving the front-end SPA app pointing to the old app registrations. Obviously we can’t leave it like that.
How do we properly solve the “Invalid username or password” issue with an SPA app using a custom policy?
[1] The corresponding sign-in log says error 7000218.
Also, TrustFrameworkExtensions.xml does have the correct IDs in it.
You could just use the tool I’ve made: https://aka.ms/iefsetup.
But your issue is definitely due to the way you’ve registered the two app registrations, or inserting the IDs into the XML.
This issue was resolved by creating two new App Registrations IEF and ProxyIEF that are for use exclusively by the custom policy XML. Our SPA application and it's Web Api back-end each use one additional App Registration as was the case when we were using a User Flow.
Thanks to Jas Suri, especially for this comment: "Do not change anything that the tool created. The fact that the test app works means it’s something you created in addition to what the tool created that’s not configured correctly."
I'm using Gmail's API to read messages to an inbox.
I have a project in the cloud developer portfolio. I sign in with the account whose inbox I have to get data from.
I've made a service account without any roles etc and downloaded the required key.
I've built a resource using:
scopes = ["https://www.googleapis.com/auth/gmail.readonly"]
credentials = service_account.Credentials.from_service_account_files(path, scopes=scopes)
service = build(
"gmail",
"v1",
credentials=credentials
)
Which is fine. but when I try and pull information from the inbox:
responses = service.users().messages().list(userId="me").execute()
which gives me:
googleapiclient.errors.HttpError: <HttpError 400 when requesting <email> returned "Precondition check failed.">
I've tried changing "me" to the email, setting some roles. I can access this by using OAuth credentials but not with the service key. What could be causing my issue?
I will just try to expand on what #DalmTo said in the comments.
Service Accounts
Service accounts are special accounts that work without human interaction, they can use some google's API as you would in your normal account. There are some API (like Gmail) that cannot be accessible as a Service account because that would cause problems, like spam or problems.
But in a nutshell service accounts are fully independent accounts that can use the API without human interaction.
Domain Wide Delegation
There are some times that in a company (domain) with enterprise behavior there are some task that should be done to all the users, backup all drive files, check emails for spam malicious content or whatever you can imagine. For that the service account can have a special behavior to substitute an user. So the service account is delegated with the user access to the API inside the domain.
Answering your question
For your specific case:
You cannot use GMail API with a Service account
You cannot use Domain Wide Delegation if you don't have a domain to start with
Alternatives
So at this point your set up makes impossible the use of services accounts, so the only way is using your regular account with regular OAuth authentication.
I won't go into detail because this is not what you have asked for, but in case you are not familiar with it, there are ways to use the refresh token so you only have to authorize your app the first time and whenever the refresh token becomes invalid.
I have built an integration with the Docusign API, but am unable to successfully complete the JWT auth flow with our production account.
Everything works fine in our sandbox account - I went through all the steps described in the docs (https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken),
and successfully promoted the integration key to our production account.
However, with the production account, running through the same code to initiate the JWT results in a 400 Bad Request error, with no additional information about the nature of the failure. I've double checked that we are using the correct oauth base domain (what Docusign calls aud) and that RSA keys and redirect URLs are correctly
configured for the production account.
I've also gone through all of the "go live" steps, except for one which mentions migrating users, since it doesn't seem
like this functionality is available on our production account dashboard. On the sandbox account, which has all enterprise features enabled,
the sidebar has a section for "Users and Groups" but there is no such section on our production account.
I'm wondering if the root of the problem is that our production account, which is the Basic API level account, doesn't have adequate permissions
to support the use case I'm building for.
Unfortunately I can't get a straight answer from either account reps or tech support folks as to whether this is true.
are you trying to use the same RSA key you used in Sandbox in Production by any chance?
Also, did you actually get your IK certified and active in production?
I ran Google Cloud Security Scanner against my Google App Engine app. I asked it to authenticate against a "Non-Google Account" -- in other words, user-name/password fields in my webapp. However, I get back the message "Could not sign in using the provided username and password" each time.
(I tried it several times, specifying different user-agents and credentials and against two variants of my login page; and of course confirming that the credentials work when typed in manually. I have the necessary Editor-level permissions on the Google Cloud project.)
What do I need to do to get the Scanner to authenticate?
Here's what the docs say about Non-Google account authentication:
Note that support for login forms is still in development, and may not
work out-of-the-box with your system. If you have confirmed your test
account is able to login manually, but not in Cloud Security Scanner,
use the feedback option within the tools to request support.
One possible workaround is to create a simplified alternative login form for the purposes of using the scanner if it's unable to work with the current one.
I'm new to the concept of maintaining user accounts in a website. I read from this Google developers page that Google provides an authentication and an authorization service. I'm only interested in maintaining accounts on my website that users can log into using their Google account username and password. I have an Express.js server.
I've spent hours reading about this online and stumbled upon one thing: the passport-google-oauth module can be used to do this. But I was unable to find how to get this working with the latest version of Express. Please help.
I would also like to know how to create a project on the Google Developers Console so that the users do not need Google+ accounts to use oauth2 (to get the Client id and secret).