I'm serving a static page on google cloud storage. It works perfectly well, as long as it is public. Now i setted up acl so that only users of one group can read the storage and unauthenticated users get redirected to google authentication. The Problem is now, that the static content of the website, like javascript and css can't be found anymore and i get 404 Errors there. The static content is as well in the storage bucket and it works fine with public urls. When using authenticated urls, it does not work anymore.
Is my attempt of serving an access controlled page right? I guess so, because it works, except for the static content. So do you have any ideas what i am missing here?
Try to deploy on App Engine you file. For this
In the same root directory of your static file, create a app.yaml file with this content
runtime: nodejs10
env: standard
instance_class: F1
handlers:
- url: /
static_files: index.html
require_matching_file: false
upload: index.html
- url: /(.*)
static_files: /\1
require_matching_file: false
upload: /.*
- url: .*
script: auto
Deploy on App Engine gcloud app deploy
Check if it works on the provided URL.
If so:
Go to Security -> Identity Aware Proxy (IAP)
Activate IAP for App Engine; It's possible that the OAuth consent screen have to be configured at this step is you don't do it before
Select the checkbox on the left of your root service, and go the the info panel on the right of the page
Add members, groups or domain with the role IAP-secured Web app user
Test and enjoy!
You can use the following workaround to add user authentication to your GCS static pages based on buckets.
First you need to create a public file called redirect.html this file will be the entry point of your static webpage, and you need to add the following content
<html>
<head>
<meta http-equiv="Refresh" content="0; url=https://storage.cloud.google.com/[yourbucketname]/index.html">
</head>
Redirecting to your site..
index.html and other files must be private files with read permissions granted to selected users
The magic behind this is that your browser will prompt to choose a google account, in case that your browser doesn't have any active google account.
And only the users with Reader permission (or with other roles with read access) will access to your static website.
Just a friendly reminder, this will take the main Google account in the browser if your browser have more than 1 Google account this can cause authentication issues, if this happens use an incognito window.
you can find more information on this Medium article
Extra step
If you have enabled Data access logs this workaround will thrown some authentication issues, you need to add exceptions to the users that will use the authenticated site
To do this, in Cloud Console, navigate to IAM & Admin > Audit Logs. Look through the list or filter for Google Cloud Storage. Click on the row.
In the info panel on the right side, on the Exempted Users tab, click Add Exempted User.
Related
So I created a website which shouldn’t be publicly accessible. Therefore I added the keycloak js adapter. Everything works as expected and I am redirected when entering the website url.
But there is a problem. If I use wget on the js/images/css etc. I still can access them because no javascript code is executed and no redirect is performed. How can I make sure that only authenticated users can access these resources? The website is hosted on nginx.
Expected is:
User tries to download file
User is redirected to keycloak if not authenticated.
Solved see comment under original post.
I integrate Google's Auth API in my production website.
When I enter the login page, it throws an idpiframe_initialization_failed exceptions to the console.
I found out that I can fix it by enabling that API / Cookies in my chrome browser, but I want to find a comprehensive solution that will prevent those exceptions in my production environment.
So my two questions are:
What do you suggest me to do in order to achieve that?
In general, what is the meaning of those excpections?
Thanks :)
If you have a production url like http://godaddysite.com etc host your page there with a Webserver.
Opening a htnl page from your computer with javascript doesnot work as it is not hosted on webserver.
Please check your redirect url etc when you created Oauth client.
Go to the Credentials page.
Click Create credentials > OAuth client ID.
Select the Web application application type.
Name your OAuth 2.0 client and click Create
check origins
create new OAuth with correct origins.
I have a Cloud storage bucket with static files in it.
I have set up a load balancer with Cloud CDN enabled on the cloud bucket above.
When I go to the public_IP assigned in the load balancer I get an xml error message access denied as this is just an ip, not a landing page.
When I go to public_ip/index.html, then the website load.
EDIT (removing) :The content of the bucket will only be served by a sub-domain of an external domain name, that's why I can't name my bucket as the domain name.
It is possible to rename a bucket as a subdomain, and the landing page definition works, but the base question remains.
Is there a possibility to set the landing page for the IP address anyhow?
Yes, it's possible to configure a landing page for any Cloud Storage bucket using the gsutil command line tool. For example, the following command configures the landing page for the bucket named elving:
gsutil web set -m index.html gs://elving
Unfortunately, it's not currently possible to configure this using the Google Cloud Console. You must use the API directly or use a tool such as gsutil. You can find more information about gsutil at https://cloud.google.com/storage/docs/gsutil.
This is how I set up redirection to the Amazon S3 site:
(Basically followed instructions from here)
Set up a bucket called www.mysite.com and configured it for static website hosting
In my Godaddy account, configured:
Added a CNAME entry for 'www' to point to the publicly accessible S3 site (like mysite.in.s3-website.amazonaws.com)
Added a forwarding rule (302 redirect) to make both mysite.com and www.mysite.com work - whenever someone types in mysite.com, it redirects (browser url bar changes) to www.mysite.com.
Coming to my actual problem - when I do a Google search, the pages are listed under the S3 site ( mysite.in.s3-website.amazonaws.com) - which I'd like to think of as an implementation detail. Is there something else I should do to get google recognize and show links under mysite.com ?
I'm running a meteor app from a server at http://example.com:3000 and trying to get it to authorize via Facebook using accounts-facebook.
My HTML looks like this:
<head>
<title>appname</title>
</head>
<body>
<h1>Welcome to Meteor!</h1>
{{> hello}}
</body>
<template name="hello">
<button>Click Me</button>
{{>loginButtons}}
{{#if currentUser}}
Logged in
{{/if}}
</template>
I do have accounts-ui and accounts-facebook enabled. I went through the Facebook app registration process. Here are my basic settings:
My advanced settings are default, and I have switched the "Do you want to make this app and all its live features available to the general public?" on in Status & Review.
When I actually try to log on using Facebook, the authorization window redirects to http://localhost:3000/_oauth/facebook?code=AQBaOoQ8XVQvzdqH8dyF03vVVP3daO9UO-tB0IZYCsYOYxL0LFWVrZUt2Rh34I2HI8Y5kofDP8sj46dn--N1pk6h0WOfoLAoaZxJzwSjocmBrRowjGv8JWcyN42msFuUdQAxQzbyrhnE2mQFUQISBOVzbnsR20ozS1pUmSdCb9BbmbidS8NvKvtEmSXm1lh9zPH7DYG4KfWQ2yIWSO8JMLEWa04TOP5rLDc75ak4WfXr1emb25T7981HUL8pCF_d_NgbFCNojoyY2yIB80e1nHxhovr-V3UWcCrNjH8aljTxy-qVGCmuLa4GravNIRfy9I8&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJlUkpSQjRja0FqVmJTWklCajhvQ01IdGlVdkktNnBXcF81d0RGR3Rod1lDIn0%3D#_=_, which isn't a valid address as the server is run and accessed remotely.
Additionally (and I suppose most problematically), the page doesn't acknowledge that any authorization has occurred, and acts like the login has failed (so I assume it has).
Can anyone tell me what I'm doing wrong? Thanks!
To make Meteor try to redirect from the Facebook login to the correct landing page (hosted at example.com, not localhost), I needed to make Meteor acknowledge that it's being run on example.com, not localhost:3000. The way to do this was to set the environment variable ROOT_URL.
On bash:
export ROOT_URL=http://example.com:3000
If you're running the site on example.com on port 3000, be sure to put it in your .profile or equivalent to make the environment variable persist between sessions.
Check the redirect URI on the "Advanced" tab.
It should be like this:http://localhost:3000/_oauth/facebook
NOT like this: http://localhost:3000/_oauth/facebook?close
Lets try this.
First go through
My apps > Test apps
Now on the top-right there is a Green button create a test app
Now some kind of modal appears, Test App Name and Test App Namespace, select whatever name you want
First
on Basic complete this 2 options
Now on App Domains select
localhost:3000
and on the site URL.
localhost:3000
and on advanced, on the Valid OAuth redirect URIs
http://localhost:3000/sessions/create
Second
on the /server/facebook-config.js for example, add this code.
// first, remove configuration entry in case service is already configured
Accounts.loginServiceConfiguration.remove({
service: "facebook"
});
Accounts.loginServiceConfiguration.insert({
service: "facebook",
appId: "yourTestAppId",
secret: "yourTesSecret"
});
And it should work
#RiverTam's answer did it for me! I have self-signed SSL cert on localhost with SSLProxy and I was under the wrong assumption that you could add custom routes to the callback URL, so I had to do several things:
1. In the meteor run command, export ROOT_URL first before meteor run
export ROOT_URL=https://localhost:3100; meteor --settings settings-development.json --port 3100
2. Add the callback url that FB wants, with localhost domain
Navigate to FB App in developer.facebook.com => Facebook Login => Settings => Client OAuth Settings and add URL like so:
3. Leave Domain empty
This is under FB App in developer.facebook.com => Settings => Advanced => Domain Manager
+999999 to River Tam for FireFly reference :P