The application utilizing the gmail-api must run in Google Cloud Platform? - google-api

When I want to use Google's Gmail API within my web application in order to receive and send emails, then must this web application be deployed in the Google Cloud as a precondition and any on-premise hosting will fail? Is this the price one must pay to use it?

Your application's code can be hosted anywhere you want. However, you do need to create a Google Cloud account to create a project, enable the APIs and get the application credentials:
Cloud APIs use application credentials for identifying the calling applications. Credential types include API keys, OAuth 2.0 clients, and service accounts. You can use Google Cloud console to create, retrieve, and manage your application credentials. For more information about application credentials, see Authentication Overview.
Once you have your project's credentials you can just create the code within your current app and use the credentials wherever they are needed. You can refer to one of Google's quickstarts for that.
Sources:
Getting started with Google Cloud APIs
Developing on Google Workspace
Gmail API Overview

Related

How to secure the call from Azure API Management to my Spring Boot REST API?

Largely, what I am trying to accomplish is explained in this video by Azure, which is the unsecured version of adding API keys to a REST API (specifically http://conferenceapi.azurewebsites.net/?format=json).
If you watch through the video, it seems great until you realize that anyone can call the "conferenceapi" as long as they know the url, essentially bypassing the entire purpose of Azure API Management which is controlling/metering peoples' access to an API.
My question is, if I'm trying to create the backend (so Spring Boot controllers) of my API Management service, what am I supposed to do in order to make sure that my REST api is only responding to requests made by API Management?
There is surprisingly little documentation on this that I could find:
Securing Backend Services behind Azure API Management
X.509 Authentication
How to secure back-end services using client certificate authentication in Azure API Management (literally only talks about how to upload a certificate and nothing about backend)
Like, a certificate sounds like a great idea. Only, how do I create the certificate, and how do I verify the certificate from a Spring Boot Application? Azure documentation feels so sparse, unless I didn't find the documentation that would address those questions.

How to restrict access to a small user community (IAM users) in GCP / Cloud DNS / HTTPS application

I have a request to restrict the access (access control) to a small user community in GCP.
Let me explain the question.
This is the current set up:
A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
Cloud DNS (To configure domain names, A & TXT records, zones and subdomains to build the URL for the application).
Oauth client set up (tokens, authorized redirects URIs, etc.).
HTTPS load balancer (GKE -managed k8s service- with ingress service), SSL certificate and keys issued by a trusted CA.
The application was built using python + Django framework.
I have already deployed the application (GCP resources) and it is working smoothly.
The thing is that, since we are working in GCP, all IAM users who have a valid userID#MyOrganization.com can access the application (https://URL-for-my-Appl.com).
Now, I have a new request, which consists in restricting access (access control) to the application only for a small user community within that GCP organization.
For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:
user1#MyOrganization.com
user2#MyOrganization.com
user3#MyOrganization.com
user4#MyOrganization.com
How could I do that, taking into account the info I sent earlier ?
thanks!
You can use Cloud IAP (Identity Aware Proxy) in order to do that.
Identity-Aware Proxy (IAP) lets you manage access to applications
running in App Engine standard environment, App Engine flexible
environment, Compute Engine, and GKE. IAP establishes a central
authorization layer for applications accessed by HTTPS, so you can
adopt an application-level access control model instead of using
network-level firewalls. When you turn on IAP, you must also use
signed headers or the App Engine standard environment Users API to
secure your app.
Note: you can configure it on your load balancer.
It's not clear in your question if your application uses google auth (but considering that you talk about org-restricted login I think so) - if that's the case you should be able to enable it without virtually touching anything in your application if you are using the Users API.
The best and easiest solution is to deploy IAP (Identity Aware Proxy) on your HTTPS load balancer.
Then, grant only the user that you want (or create a gsuite user group and grant it, it's often easier to manage).
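
The signed-header check that the quoted IAP documentation requires, as an added example that is not part of either answer or of Google's own code. It assumes the `google-auth` package for the signature step; the audience string is a placeholder, the allowlist is constructed, and the function names are hypothetical.

```python
import time

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
# Placeholder audience for a load-balancer backend service (GKE / Compute Engine).
EXPECTED_AUDIENCE = "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID"
# Constructed allowlist (assumption): app-side mirror of the IAP IAM grant.
ALLOWED_EMAILS = {"user1@example.com", "user2@example.com"}

class IapRejected(Exception):
    """Raised when the request must not be treated as coming through IAP."""

def verify_signature(iap_jwt, audience=EXPECTED_AUDIENCE):
    """Check the JWT signature against IAP's public keys; return the claims."""
    from google.auth.transport import requests  # imported lazily: needs google-auth
    from google.oauth2 import id_token
    return id_token.verify_token(
        iap_jwt, requests.Request(), audience=audience, certs_url=IAP_CERTS_URL)

def authorize_claims(claims, audience=EXPECTED_AUDIENCE,
                     allowed=ALLOWED_EMAILS, now=None, skew=30):
    """Validate claims of an already signature-checked IAP JWT; return the email."""
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise IapRejected("unexpected issuer")
    if claims.get("aud") != audience:
        raise IapRejected("token was minted for another backend")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now - skew:
        raise IapRejected("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        raise IapRejected("token issued in the future")
    email = str(claims.get("email", "")).lower()
    if email not in allowed:
        raise IapRejected("user not in the permitted community")
    return email

def user_from_headers(headers, verify=verify_signature):
    """Entry point for a view or middleware; headers is e.g. Django's request.headers."""
    token = headers.get("X-Goog-Iap-Jwt-Assertion")
    if not token:
        raise IapRejected("missing IAP assertion; request did not pass the proxy")
    try:
        claims = verify(token)
    except ValueError as exc:  # google-auth signals bad signature/audience/expiry
        raise IapRejected("signature or audience check failed") from exc
    return authorize_claims(claims)
```

A request that reaches the pod without passing through the load balancer carries no valid assertion, so the application rejects it even if the network path is open.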

Confusion regarding the enable option in Google API

In my account the google drive api is disabled but still when I authenticate a third-party app using oauth2.0 it can access my drive files. Then what is the use of this enable api?
Cloud developer console is a place for developers to create applications. When you create a new application you must decide which APIs will be used by that application.
I authenticate a third party app using oauth2.0 it can access my drive files
Unless you are the developer of the third party application, setting this will not have any effect on what applications created by other developers can do with your account. If you don't want them accessing your drive account then don't install any third party applications that request permission to access your drive account.

google marketplace multiple client_id

We are trying to put an app on the marketplace which needs multiple client_ids
(The app is running on appengine standard with python 2.7)
a client_id for the service_account with domain wide authority
a client_id for the web application
a client_id from an apps-script library
All client_ids use different scopes. I have combined all scopes and entered them on the marketplace SDK configuration.
When I deploy the app on a test domain, only the service account seems to be authorized.
When the user then accesses the web application he is presented a grant screen which we want to avoid.
The documentation https://developers.google.com/apps-marketplace/preparing?hl=fr seems to imply that multiple client_id's are possible.
How should I configure the marketplace app so that multiple client_ids are authorized?
Is there something special I should do on the credentials configuration page of the api-manager?
Check how you implement the authorization using OAuth 2.0. Service accounts allow Google Apps domain administrators to grant service accounts domain-wide authority to access user data on behalf of users in the domain. You can also read Server to Server Applications documentation.
Note: You can only use AppAssertionCredentials credential objects in applications that are running on Google App Engine or Google Compute Engine. If you need to run your application in other environments—for example, to test your application locally—you must detect this situation and use a different credential mechanism (see Other). You can use the application default credentials to simplify this process.
Hope this helps.
It turned out all three client_id's were being authorized after all.
The days that I was testing this, it took very long for the authorization to take effect.
At this time all scopes and clientid are authorized within a few minutes.

Identity and Access Management for Heroku Application

My identity and access management tool of choice is OpenAM utilising their container based policy agents, this approach is not possible however using the Heroku Celadon Cedar stack -- at least it doesn't look possible to me (www.heroku.com)
What is the recommended way to enforce authentication and authorization for cedar deployed apps?
Thanks
/W
I'm not sure about the OpenAM access management tool. However, if your application requires authentication or authorization then I would recommend contacting third party services like TeleSign for their identity and access management services.
You can store your users in your own database, or use a hosted identity service like Stormpath (disclaimer: it's awesome).
If you end up using something like Stormpath, you'll basically work with a REST API to create, manage, and authenticate users.
