I am developing a Google Workspace addon for Google Drive in python. I have the deployment set up and the addon installed (it is unpublished). The deployment is set up such that when a user clicks an item it runs a function that is supposed to generate an authentication token.
Following the python quickstart for the Gmail API, I have to generate an access token before building a gmail service. Here is said article: https://developers.google.com/gmail/api/quickstart/python
When I click on my addon's icon image the homepage loads in the right-side side-panel. The problem is, after that, when a user clicks an item the side-panel loads with a text saying "Timeout receiving HTTP content."
After digging around in the logs I have discovered that the user needs to be directed to the Google Oauth consent screen ("to authorize the app go to this link") but that does not happen within the side-panel.
The code that is supposed to do this is:
flow = InstalledAppFlow.from_client_secrets_file('credentials.json', scopes)
creds = flow.run_local_server(port=0)
Is there are a way of directing the user to the link from the side-panel?
Edit: The app itself is authorized, however what I want to do is create a service object of Gmail by running:
service = build("gmail", "v1", credentials=creds)
I am doing this in a function that runs when a user clicks on a file. This is so that I can get the credentials (the variable called creds).
Related
We have web application with keycloak as identity broker, google SAML app as IDP for google managed workspace for domain say mycompany.com. Integration works fine for except a case described below.
If user is logged in with only one non SAML app google account, google returns
403 Error: app_not_configured_for_user.
i.e. If I am logged as with my personal gmail acccount & not with mycompany.com account
I have inspected SAML AuthnRequest payload SAML tracer which has ForceAuthn="true" but still it does not show up account chooser page.
I went through couple of stackoverflow threads. Few provided solution about using account chooser url and redirecting it to auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking at community to help suggesting clean solution.
This error pretty much depends on which account is the primary one in the Google account chooser as it always takes that to complete the sign in process automatically.
There is no official way or setting from Google to do this, however the mosto commonly used workaround is to add the following URL to the Start URL section of the SAML app settings for it to force the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]s&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL and you need to get them from the Google apps menu next to your profile picture, then hover over the SAML app that you want to change and right click on it, then copy the link address and that will show the idpid and spid values.
I created a static Web site using Azure Static Web Apps (under the Free plan for now -- not sure if that's relevant to the issue at hand.) I can access the Web site through an ***.azurestaticapps.net URL.
I then tried to test Azure Active Directory authentication per Microsoft's instruction from this page:
https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization
My problem is that logging out does not seems to work as I would expect on a normal Web site. I could log out, but when I tried to login again (hoping to use a different Azure AD account,) the Microsoft login screen flashes by and I got logged right back in with the user that I just logged out from. Switching to a different tab doesn't help.
Steps to repro:
Navigate to /.auth/login/aad and login using a Microsoft Account. Say NO to 'Stay signed in?' prompt.
Navigate to /.auth/me to see the basic information on the logged in account to prove that I'm in the logged in state.
Navigate to /.auth/logout to logout. Immediately, navigate to /.auth/me again to confirm that my static Web App regards me as 'logged out.' I'd see this:
{"clientPrincipal": null}
Navigate to /.auth/login/aad again. Microsoft login page flashes by, and I am logged right back in with the previously logged out user.
Things that sort of worked
Any of the two actions below alone seems to make the browser forget my logged-in state:
Close the whole browser and relaunch it. I'd get asked to pick the previous user (and then enter the password) or choose a new user. This sort of works but reminds me of some Web sites 15-20 years ago that said 'For security reasons, please don't forget to close your entire browser after logging out from this one tab.'
Open a new tab in the same browser, and navigate to hotmail.com. That tab will enjoy my logged-in state from the Static Web Apps tab. I'd see my mails right away. Then I log out from the hotmail.com tab, switch back to ***.azurestaticapps.net tab and see that I am still logged into my Static Web App. Good! Then if I log out from my Static Web App and try to log back in, it has forgotten my logged-in state this time. In other words, logging out from the hotmail.com tab is somehow more powerful.
I also tested /.auth/login/google too and the same problem arises! So the issue seems to be on the Azure Static Web Apps side, not how idPs handle their logout process.
Am I missing anything obvious?
I've written an authorization flow for my action, to do account linking with the "Implicit flow". I have been testing it using the web simulator. When I try to run the action in the web simulator it tells me to link my account, and provides a URL:
"https://assistant.google.com/services/auth/handoffs/auth/start?provider=hello_dev&return_url=https://www.google.com/"
I run that URL and this is what happens:
My Java servlet receives the auth request from google. It contains what is documented, a GOOGLE_CLIENT_ID, a REDIRECT_URI, a STATE and "response_type=token"
I create an access-token from the Google ID that is logged in by using UserServiceFactory.getUserService().getCurrentUser().getUserId()
I craft a URL to the redirect-uri that contains my ACCESS_TOKEN, token_type=bearer, and state= the state string I originally received
I create a web page for the user that contains that link so they can click it and it executes the link and my account is linked.
That works great and the response is a blank page with a URL that says: "https://www.google.com/?result_code=SUCCESS&result_message=Accounts+now+linked."
However, I wanted a flow that allowed the user to ensure they are logged in, and logged into the Google Account they wanted to link
So, I also present a link that logs them out if they'd like. The link is created by using userService.createLogoutURL(thisUrl)
If they do that, I then present them a link to log in, created using userService.createLoginURL(thisUrl)
Once they have logged in, with a different Google ID, they are back on the original page which allows them to log out again or click the "link account" link.
The situation is, that if they click the "link account" link now, the EXACT same link that would have worked successfully before they logged out (except a different ACCESS_TOKEN value) and logged back in with a different account, the response is a blank page with a URL that says: "https://www.google.com/?result_code=FAILURE&result_message=Account+linking+failed"
Two things of note:
If they log out and log back in with the same account, then the "link account" URL works fine
If they are not logged in at all when beginning the process, and then log in and then use the "link account" link it works fine
So, the only time it fails is when they are logged in, log out, log in with a different account, and click to link accounts. That's when it fails.
The account doesn't matter, multiple different accounts work, as long as the browser is logged into the first account and doesn't change during the flow.
I honestly cannot imagine how this is happening.
This gets even worse if I do it in the Google Home app, as it then returns some "malformed request error" page and basically stops working, PERMANENTLY. Stopping/Starting the action didn't help. Stopping/Starting the Web service didn't help. Rebooting the Android device didn't help. Link Account from the Google Home app was permanently broken. The only way I was able to get it working again was to use the Account Link URL (gotten from the web simulator) in the Chrome Browser on my Android device, which seemed to "reset" everything.
At this time, we require that the Google user who initiates the account linking process, both via the simulator and Google Home application, be the same Google user that logs in via a Google Sign-in option, if it is offered as part of your auth flow. This is a hard requirement.
For this reason, we'd suggest not offering a Google logout option as part of your account linking process.
I'm trying to implement a Facebook Share widget which will be a link(button) on a client's page. When user clicks on "share" button, dialog will show up, populated with the information(caption, description, etc.) received from our server.
I've tried using Feed Dialog to accomplish this task.
I've gone as far as: - registering my application with Facebook and getting my application ID. - placing feed dialog code onto the test page which is currently located on my local machine.
So, currently my application points to localhost url.
Everything works as expected as Site Url and App domain are set to my local machine url. However, for our purposes we need to trigger this dialog from many different client's pages. So, those URLs will always be different.
I was thinking to use https://www.facebook.com/sharer/sharer.php however, as far as I know it doesn't have a callback function which we also need to have.
Do you have any advise on how this can be implemented?
I have installed the facebook API in phonegap but i have hard time making it work see link .The index.html file in the exemple folder has a login button that once taped opens the native facebook application on my device requiring email and password. After having authenticated me, it takes me back succesfully to my app.
Whenever i tap on the "getsession" button for exemple it shows me an alert saying "undefined". I want to know how to get the access token that is given right after the authentication process within my app and everything related to the session so i can perform other tasks?
Thank you