Installing Newly Published Oauth2 based Google Marketplace App - google-apps-marketplace

On the process of migrating from OpenId based login to Oauth2 based login of Google Marketplace App SSO, we built an Oauth2 based app & we opensourced our gapps oauth2 app
( https://github.com/Aplopio/django_gapps_oauth2_login )
We published our OAuth2 Login based app to users with a specific domain name account or people with the link.
But we faced some issues while installing:
After agreeing to install on the entire domain, the pop-up did not get closed.
The Get Ready to Install, on clicking Continue again opened the same pop-up.
By closing the pop-up, I was redirected to my app, performing the Oauth2 Login authentication.
Has anyone faced this issue? If so how did you resolve it?
Please update if it's a known issue while installing new google marketplace app.

Related

Google Cloud Run Hosted User Sign-In 'Redirect' Throws Error When Using External Identity Providers

I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!
I attempted to fix by re-deploying the Cloud Run Service, switching IAP on and off, switching between IAM and external identities, but to no success.
Thanks #John Hanley, I discovered that one my compute engine service account was disabled for some reason within the project. Re-enabling solved the problem partially. I'll spend more time matrix out the permissions and re-directs to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and is not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?

How does the Google Apps Marketplace SSO requirement work?

We're trying to figure out how to submit to the marketplace, but are not sure what we need to do to alter our existing signup flow to accomodate the SSO requirement
Our app was not originally built to be a marketplace app so our signup flow is built for individual users. We are already following the OAuth2 flow as outlined on this documentation page. However, its not clear to me how this works for an entire org when installing from the context of a marketplace app.
Does the admin grant access to all the individual scopes we currently request for the entire org at once? Is there need for some sort of service account or something since we currently are requesting offline access? I'd like to understand what changes we need to make to our server's signup flow in or whether it is just a scope / manifest mismatch.
We currently request the following scopes from an individual user when signing up.
['email', 'profile' ,'https://mail.google.com/', 'https://www.googleapis.com/auth/calendar'],
Exact questions are...
What (if anything) do we need to do to alter our current individual-focused signup flow to accommodate a Google Apps Admin signing up their whole domain?
What scopes do we need to in our Google Apps Admin listing and how do they relate to the scopes we currently request from individuals?
There are not so many changes if you are already using three legged OAuth2.
The first change would be in you project in the developer console. There you need to enable the Marketplace SDK and make the necessary configurations. Here you will add the scopes that your app will request and those are the scopes that the admin will see when installing the app.
The admin will see the scopes your app is requesting, and he will decide if it's ok to install the application in the domain. If it is approved, then yes, the admin would grant access to the entire domain.
Offline access is part of the Oauth flow, after you receive the refresh token, you can continue refreshing the access token without having the user to grant access again.
It is not necessary to have a service account. The service account has two purposes:
To manage information related to the application. In this case the service account can have access to it's own drive to store and retrieve information that is related to the app functionality.
Impersonation of users. When using domain delegation of authority, you can use a service account to impersonate any user in a domain and act on it's behalf to make API calls.
To deploy your app, you also have to create a new project in the Chrome Web Store, with a manifest for Marketplace.
To answer your questions:
It's not necessary that you modify your current oauth flow. The admin will install the app in the domain, but when a user access to the app, the process for authentication is the same as individual.
The scopes in your Marketplace SDK configuration should match the scopes your app will use. This is mostly for security reasons, it wouldn't be safe if you install an app with some scopes and then the app uses different scopes.
You can try your app before actually deploying it by adding trusted testers in the chrome web store dashboard or in the Console API configuration. This way you can check if your flows and all the configurations were done correctly.
Hope this helps. Let me know if you have more questions.

Undisplaying the permission screen for each user. (Case: Using API don't support Service Account authentication)

We publish an app that use OAuth 2.0 API access on Google Apps Marketplace. It got reviewed by Google and they said our app is invalid because it shows permission screen when a user first runs the app. (The app will be removed from the Google Apps Marketplace if our app is not fixed within 30 days) To solve this issue, we have some problems.
Our app uses OpenID Connect to make users login.
Our app also uses Spreadsheet API and Calendar Resource API (OAuth 2.0 Web Application Flow)
So our questions related above is the followings:
1.
Although our app uses OpenID Connect for login, using OpenID Connect forces our app to show the permission screen. Doesn't it meet the best practice below of Google Apps Marketplace?
https://developers.google.com/apps-marketplace/practices#5_use_one-click_single_sign-on
We followed the OpenID Connect document provided by Google:
https://developers.google.com/accounts/docs/OAuth2Login
2.
Since Spreadsheet API and Calendar Resource API don't currently support the authentication method using Service Account with OAuth 2.0, we chose to use the method of Web Application Flow. Our app get the token when users login, but Google said to us that it fails to meet their SSO requirements. To solve the issue, we are thinking to change our app to authorize AFTER login within the app instead (use Web Application Flow method as it is). Does the way meet the SSO requirements? In other words, is it OK to show permission screen if after login?
We will applicate if anyone can tell us good solution to solve these problems.
Thanks,
If you register your scopes in the Google Apps Marketplace configuration screen, and then only request those scopes in the OpenID Connect flow, then the permissions screen should be automatically skipped. Please ensure the scopes match between these two locations.

Google Apps Marketplace multiple domains(app installations)

We migrating our app from the old Marketplace to the new one. And we faced with the problem like described here - Google Apps Marketplace app installation callback
But we have special app architecture, it allows to the same user authorize multiple domains. For example we have user(authorized with google +) admin#tester1.com and he needs to install app for following domains:
tester1.com where admin account is admin#tester1.com
tester2.com where admin account is admin#tester2.com
For tester1.com we can use licensing API and check if app is installed and who installed it. We already have authorized account admin#tester1.com and the same user installed app.
No issues for this scenario.
Next user needs to install app for tester2.com. In process of installation(at the marketplace side) user switching to new account admin#tester2.com and installing app.
When user backs to us, we using licensing API again and check if app is installed and who installed it. At this step app will be installed, but it will be installed by user admin#tester2.com which is currently not connected to our app.
For this scenario, how we can securely recognize that domain tester2.com should be linked to user admin#tester1.com? Any recommendations/advices?
Currently we see only one way - require user to authorize admin account for each domain that he wants to install with our app.
This appears to be a special case, and Google don't have any guidelines around how to handle it. Deciding how to charge for and provision your application is left up to the developer.

Updating gmail contextual gadgets to the OAuth2

We have a gmail gadget in apps marketplace that use SSO authorization described on this link: https://developers.google.com/google-apps/marketplace/best_practices?csw=1#gadget_sso. With recent update of marketplace is gadget flow will be updated to OAuth2 or it will stay the same?
If yes, then what is the deadline for the migration? I wasn't able to find this on the documentation about release.
Thank you!
In the new marketplace setup, you still have to use a popup to setup the correlation between the opensocial Id and the google user. But the popup will no longer use OpenId/SSO to identify the user to the application. Instead these two OAUTH2 scopes are pre-authorized :
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
and that's enough to get the identity of the user.

Resources