How to generate token to access Google apis using GCP service account - rest

I'm trying to generate an access token to access Google APIs without the Google consent screen. It will enable us to implement code which can automate certain actions in GCP like stopping a VM and lots more. I prefer to use dotnet core for this implementation.
I expect to generate a bearer auth token through which I can access Google REST APIs without any environment setup or Google OAuth consent screen.

I have found an answer to this question, and it will be useful for the community members who are working on GCP or Google APIs.
First you have to download JSON credentials for your GCP account; please refer to this documentation: Download service account keys.
Please refer to this git repo gcp-auth; it's a dotnet core class library which contains the static methods GenerateJwt, ExchangeTokenAsync and GetAccessTokenAsync.
Let me explain each method for better clarity.
GenerateJwt - this method generates a signed JWT token from PrivateKey, PrivateKeyID and ServiceAccountEmail, which are present in the JSON downloaded in the previous step, and a scope, which differs per API endpoint; for example, https://www.googleapis.com/auth/compute for Google APIs under Compute.
ExchangeTokenAsync - this method needs the JWT generated in the previous step to obtain the actual access token from Google, which will be valid for accessing Google APIs under that scope.
GetAccessTokenAsync - this is a combination of the above two methods; here you pass the same parameters as passed to GenerateJwt.
Please let me know if it requires any further explanation.
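As an added example (my own code, not the gcp-auth repo's), here are the two steps above in C# for .NET 5 or later: GenerateJwt signs the RS256 assertion from the private_key, private_key_id and client_email fields of the downloaded JSON, and ExchangeTokenAsync posts it to Google's token endpoint with the jwt-bearer grant_type. The class and method names are mine; the endpoint, grant_type and claim names are Google's documented ones.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class GcpServiceAccountAuth
{
    const string TokenUrl = "https://oauth2.googleapis.com/token";
    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // GenerateJwt step: build and sign the RS256 assertion from the service-account JSON fields.
    public static string GenerateJwt(string privateKeyPem, string privateKeyId,
                                     string serviceAccountEmail, string scope)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var header = new { alg = "RS256", typ = "JWT", kid = privateKeyId };
        var claims = new
        {
            iss = serviceAccountEmail, scope, aud = TokenUrl,
            iat = now, exp = now + 3600   // Google rejects assertions valid for more than 1 hour
        };
        string signingInput = Base64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(header)))
            + "." + Base64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(claims)));
        using var rsa = RSA.Create();
        rsa.ImportFromPem(privateKeyPem);   // "private_key" from the JSON file (PKCS#8 PEM)
        byte[] sig = rsa.SignData(Encoding.UTF8.GetBytes(signingInput),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + Base64Url(sig);
    }

    // ExchangeTokenAsync step: trade the signed JWT for a short-lived bearer access token.
    // FormUrlEncodedContent percent-encodes the grant_type once; do not pre-encode it yourself.
    public static async Task<string> ExchangeTokenAsync(HttpClient http, string jwt)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = jwt
        });
        using HttpResponseMessage resp = await http.PostAsync(TokenUrl, form);
        resp.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }
}
```

The returned access token is sent as `Authorization: Bearer <token>` on calls such as the Compute API; keep the JSON key file out of source control and rotate it if it is ever exposed.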

Related

Securing google firebase cloud function with stripe integration

We are using Google Cloud Platform to host our Stripe payment gateway. The cloud function sends the payment intent to Stripe and a callback that Stripe calls with a session object.
Inside the Google Cloud Platform, we are not sure what permission to set on our cloud function. Right now, we allow all public access, and we are fearing that a hacker can see our secret key from our index.js (where the cloud functions live), or has the ability to manipulate the code inside of the index.js.
With the function's purpose described above, what is the safest permission setting that does not allow any public users to read or manipulate our functions? All we want is to allow the users to invoke the function.
Thank you
I've implemented Stripe for an app using a combination of the Golang SDK and JavaScript SDKs that I'm deploying as an app to Cloud Run. So my config is slightly different to yours.
You should be able to:
Provide some protection by keeping Stripe's API keys as environment variables so that the JavaScript only accesses these in memory. You may want to consider using Secret Manager.
Differentiate between authenticated handlers that trigger the flow and restricted handlers that accept the callback from Stripe.
You can authenticate using Cloud IAP (Google auth requiring users to be part of the project) or e.g. Cloud Endpoints and Firebase Auth.
You can restrict access to the callback to Stripe's endpoints.
I'm not a security guy.
Your learnings would make an interesting customer story for Stripe and GCP.
Check how these guys implement their Stripe functions; they have a bunch of them: https://functions.store

How to pass OAuth 2 details while creating a test suite in Azure DevOps

I am trying to create a test suite in Azure DevOps by using the REST API. But here I am not sure how to provide the security details.
They have mentioned the below details in the docs. I am passing it in Postman like this. I tried giving my credentials in client ID and client secret as well. Please guide.
{"$id":"1","innerException":null,"message":"A potentially dangerous Request.Path value was detected from the client (&).","typeName":"System.Web.HttpException, System.Web","typeKey":"HttpException","errorCode":0,"eventId":0}
There are several ways to call the Azure DevOps REST API. In your question, it uses the OAuth 2.0 flow to authenticate; you could follow this doc to get the token and call the API.
In your case, if it is not necessary to use the OAuth 2.0 flow for authentication, I actually recommend you use a PAT (personal access token) to call the API: just generate one and use it in Postman; refer to this doc.

Google Cloud Storage API access (via JWT server-to-server) "Invalid grant_type" issue

While using integromat.com to try to access GCS I get an error:
The error message might be misleading as the instructed string and sent string are identical:
urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
I'm trying to avoid the use of OAuth2. Integromat is not registered as a valid endpoint at the Google API backend, as I understood that would not be necessary when using the server-to-server method.
Anyone available and willing to get a mini-contract to dive in on a shared screen together with me to resolve this one?
Best Regards,
Tomas
PS: this is how the failing step looks on Integromat. "text 68" includes a correctly formatted JWT as requested in Google's instructions.
Regarding your issue, you can use Single sign-on (SSO). SSO is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. Cloud Identity is free, and it will not incur any charges. For more information, please read this documentation.

How to call RESTful Store APIs of WSO2 APIM 2.1 which have scope after importing the swagger file?

I have created a RESTful API for all the WSO2 Store APIs by using the swagger definition (https://raw.githubusercontent.com/wso2/carbon-apimgt/v6.1.66/components/apimgt/org.wso2.carbon.apimgt.rest.api.store/src/main/resources/store-api.yaml).
The GET call which does not require any scope can be called easily from the Store's API console, but when trying to call the APIs which have the (apim:subscribe) scope I get "Unauthenticated Request".
NOTE: I am able to use curl commands to access the Store APIs by creating tokens, but here I am trying to use the swagger file to publish the Store APIs. I have noticed that in the store, under Application -> Production Keys -> Scope, the apim:subscribe scope is available after I've created this API via the swagger file, but even when I try to access the APIs using this scope, I still get the "Unauthenticated Request" error.
Can someone tell me what I am missing or doing wrong?
The Swagger specification has a Security Definitions Object:
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-definitions-object
Once you configure it correctly you will have some new elements in the UI: you should see the Authorize button on the top left, and to the right of each action that requires authentication you should see a lock.
See the petstore demo:
http://petstore.swagger.io/
Here are a few more examples:
http://turoapi.azurewebsites.net/swagger/ui/index
This one has API Key authentication.
http://swagger-net-test.azurewebsites.net/swagger/ui/index
This one has an OAuth2 Implicit Grant.
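An added illustration (constructed for this answer, not an excerpt of WSO2's store-api.yaml) of what a Swagger 2.0 Security Definitions Object looks like when it declares the apim:subscribe scope from the question and a single operation references it, which is what makes the Authorize button and the per-operation lock appear. The password flow, the tokenUrl and the /subscriptions path are assumptions standing in for the real file's values.

```yaml
swagger: "2.0"
info:
  title: WSO2 API Manager Store API (constructed excerpt)
  version: "0.11"
# Declares the OAuth2 scheme the UI offers in its Authorize dialog.
securityDefinitions:
  OAuth2Security:
    type: oauth2
    flow: password                       # assumed: resource-owner password grant
    tokenUrl: https://localhost:8243/token   # assumed gateway token endpoint
    scopes:
      "apim:subscribe": Subscribe to an API
paths:
  /subscriptions:
    get:
      summary: List subscriptions (constructed placeholder operation)
      # Referencing the scheme here is what puts the lock next to this action
      # and makes the UI attach the obtained token as a bearer header.
      security:
        - OAuth2Security: ["apim:subscribe"]
      responses:
        "200":
          description: OK
        "401":
          description: Unauthenticated Request
```

Operations without a `security` entry stay callable without a token, which matches the behaviour of the un-scoped GET in the question.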

How to use AppStore connect API with my mac, announced in WWDC18?

I have seen the demo in WWDC18 related video here:
https://developer.apple.com/videos/play/wwdc2018/303/
but it is not from scratch. I don't see which tool they have used and where we need to start. Can anyone help with it?
I watched that video too today and I wanted to use these API features; as of now (19-6-2018) this is still marked as coming soon, based on the App Store Connect website https://developer.apple.com/app-store-connect/
In addition, the new API Keys tab under the main App Store Connect is not available yet. This is the starting point to issue / create the API keys.
I am on the lookout and waiting...
The App Store Connect API is now available. You can find out more here:
https://developer.apple.com/app-store-connect/api/
The general steps are:
Request access to the API.
Your Team Agent (with the Legal role) will need to do this part.
Create and download an API key.
Anyone with Admin access can do this. Each key you create can only be downloaded once, and should be kept safe.
Use the information on the Keys tab + your private key to generate a token.
You can find libraries for many languages to make this easy here.
Supply the JWT as a bearer token in the HTTP Authorization header when making requests.
For example:
GET https://api.appstoreconnect.apple.com/v1/apps
Authorization: Bearer XYZ123
Where XYZ123 is your JWT. (Your real JWT will be much longer.)
Available API endpoints are documented here:
https://developer.apple.com/documentation/appstoreconnectapi
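As an added example (my own code, not Apple's or any library's), here is step 3 of the list above in C# for .NET 5 or later: the token is an ES256 JWT whose header carries the Key ID and whose claims carry the Issuer ID from the Keys tab, signed with the downloaded .p8 private key. The class and method names are mine; the algorithm, claim names and 20-minute maximum lifetime are Apple's documented requirements.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class AppStoreConnectJwt
{
    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // keyId and issuerId come from the Keys tab; privateKeyPem is the text of the .p8 file.
    public static string Generate(string keyId, string issuerId, string privateKeyPem,
                                  int lifetimeMinutes = 10)
    {
        // Apple rejects tokens valid for more than 20 minutes; keep them short anyway.
        if (lifetimeMinutes < 1 || lifetimeMinutes > 20)
            throw new ArgumentOutOfRangeException(nameof(lifetimeMinutes));
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var header = new { alg = "ES256", kid = keyId, typ = "JWT" };
        var claims = new { iss = issuerId, iat = now, exp = now + lifetimeMinutes * 60,
                           aud = "appstoreconnect-v1" };
        string signingInput = Base64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(header)))
            + "." + Base64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(claims)));
        using var ecdsa = ECDsa.Create();
        ecdsa.ImportFromPem(privateKeyPem);   // PKCS#8 "BEGIN PRIVATE KEY" block from the .p8
        // .NET emits ECDSA signatures as r||s (IEEE P1363), which is the JWS ES256 layout.
        byte[] sig = ecdsa.SignData(Encoding.UTF8.GetBytes(signingInput), HashAlgorithmName.SHA256);
        return signingInput + "." + Base64Url(sig);
    }

    // Step 4 of the list: send the JWT as a bearer token on every request.
    public static HttpClient AuthorizedClient(string jwt)
    {
        var http = new HttpClient { BaseAddress = new Uri("https://api.appstoreconnect.apple.com/") };
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
        return http;
    }
}
```

With `AuthorizedClient(jwt).GetAsync("v1/apps")` you get the same request as the GET example above; regenerate the JWT rather than extending its lifetime when it expires.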
The App Store Connect API is available here now.