I want to setup google 2-legged OAuth using service account. Below is my requirement.
I have one G-Suite Admin account. Lets say googleclassroom.admin#xyz.com
I have created few courses using admin account.
Now I want to manage googleclassroom.admin#xyz.com classroom and its data using service account. How can I configured and setup service account and project in google cloud?
Related
When I want to use Google's Gmail API within my web application in order to receive and send emails, then must this web application be deployed in the Google Cloud as a precondition and any on-premise hosting will fail? Is this the price one must pay to use it?
Your application's code can be hosted anywhere you want. However, you do need to create a Google Cloud account to create a project, enable the APIs and get the application credentials:
Cloud APIs use application credentials for identifying the calling applications. Credential types include API keys, OAuth 2.0 clients, and service accounts. You can use Google Cloud console to create, retrieve, and manage your application credentials. For more information about application credentials, see Authentication Overview.
Once you have your project's credentials you can just create the code within your current app and use the credentials wherever they are needed. You can refer to one of Google's quickstarts for that.
Sources:
Getting started with Google Cloud APIs
Developing on Google Workspace
Gmail API Overview
I have been working with the Android Management API to try and manage the policy of my company's existing enterprise. My company account has the Owner role within the organization and the roles Owner and Service Account Admin for the service account mentioned later.
I followed the Quickstart Guide to get familiar with the API and made some modifications for a more permanent solution along the way such as creating a service account with the Android Management User role via the Google Cloud Platform and generating a JSON key to acquire credentials rather than going through the OAuth2 flow like in the guide. This allowed me to authenticate properly, but when it comes time to patch the policy as such,
androidmanagement.enterprises().policies().patch(
name=policy_name,
body=policy_json
).execute()
I get the following error:
<HttpError 403 when requesting https://androidmanagement.googleapis.com/v1/enterprises/XXXXXXXXX/policies/<policy_name>?alt=json returned "Caller is not authorized to manage enterprise.". Details: "Caller is not authorized to manage enterprise.">
I have verified that the service account I am authenticating with has the Android Management User role, and thus has the androidmanagement.enterprises.manage permission.
I have also attempted to make this call with an elevated admin role in the organization.
Is there a chance that I need to have created the enterprise with my own account to manage the enterprise? The guide suggests that an organization can create multiple enterprises. In which case, would I need to create a new Google account not associated with my organization's enterprise and create a new enterprise that way?
It is advisable to use your own google account to call Android Management API since your organization account may not be compatible with the quickstart.
To access the Android Management API your service account requires the androidmanagement.enterprises.manage permission, which can be granted by the Android Management User role (or roles/androidmanagement.user). Kindly check this link for details regarding creating a service account.
Please keep in mind that the enterprise you created as part of the colab instructions can only be managed using the colab itself. To allow your cloud project to manage an organization, you will need to create one using the client configuration from your cloud project.
I have an existing App Service in XYZ tenant. Previously my API was in XYZ tenant and using that App Service of same Tenant, now I have moved my API from Azure AD of XYZ Tenant to azure AD B2C of ABC Tenant. can I use existing App Service of a different Tenant(XYZ) in this scenario to publish the API. Can App Service be a multi-tenant.
Thanks!!
Per my understanding your app service which hosting your APIs is under subscription of XYZ tenant and use Azure AD App in this tenant to auth your APIs. And now you want to use Azure AD B2C App in another tenant(ABC tenant) to protect your APIs .
Yes, of course you can do that.You can use Azure AD apps belongs to other tenant(including Azure AD b2c tenant) to protect your APIs hosted on App Service . Which Azure subscription that your App Service belongs to just means you will be charged on that subscription, it has nothing to do with the business logic with your code on app service.
If you want to do so , at the code level , there will be some differences compared to using Azure AD applications if you use Azure AD b2c applications to protect your APIs .
This sample page will be helpful for you to modifying your codes : https://learn.microsoft.com/en-us/azure/active-directory-b2c/code-samples
If you want to design your APIs as multi-tenant by Azure AD b2c, this doc will be helpful : https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom
If there is anything unclear , pls feel free to let me know and if my suggestion is helpful , pls mark me :)
I am working on a application that is using google service account with domain wide delegation.
I don't want client to do setting of domain wide delegation and download private key. I could create private key using IAM api.
is there a way to achieve domain wide delegation also via API ?
Thanks
Google's IAM API is part of their Google Cloud API's. As far as I'm aware, there is no equivalent API for standard Google developer project IAM, which is where you would do anything around projects targeting G Suite API's (and the only place where there is a Domain Wide Delegation setting for a service account, AFAIK).
You can grant a service account permission at the Organization level in Google Cloud, but I'm not sure whether that has any effect on the GSuite access controls, as nferrell mentions.
I have implemented Azure Active Directory Oath2.0 authentication and now I have to implement Claims-Based and Active Directory authentication in Java for Dynamics 365 Online/On-Premise.
I'm following this topic: https://msdn.microsoft.com/en-us/library/gg334502.aspx and here it says that Dynamics 365 online supports the following authentication scenarios: Claims Based Authentication or Active Directory Through Federation.
The problem is that I don't know from where to start and what configurations have to be done. I've played with azure portal and with the dynamics 365 online admin panel, but just can't figure out what I have to do :).
Can I use some info from https:// login.microsoftonline.com//FederationMetadata/2007-06/FederationMetadata.xml to perform such authentications?
Do I need do install a local Active Directory server?
I highly recommend looking through some Azure AD samples on how to setup oAuth2.0 to various Microsoft services. The dev landing page has tons of a great samples. Here is the java sample.
If you're trying to sign in purely Azure AD users the access some resources, then this is pretty straight forward. You'll want to register an app in the Azure Portal, setup all the delegated permissions and app configs necessary (the sample will help with this), then use the ADAL library to perform the oAuth2.0 flow. This flow will return back tokens that can be played to whatever service you requested access in the form of http requests.