Identity Aware Proxy (IAP) for a URL - Google app engine - google-app-engine-python

We have two projects -
Project 1 - Google App engine standard python 2.7.
Project 2 - Google App engine standard python 3.3
Project 1 application is secured using Firebase user authentication.
We need to access a particular function (URL) of Project 1 from Project 2. The call from Project 2 will be done by the server (not a user). We need this to be secure.
Can we enable just this function (URL) in Project 1 with IAP? And use the instructions here to authenticate?
If the above is not a solution, what are our options?

Yes, the link you provided describes proper solutions. However, I believe the best one is to use a Service Account for Project 2 that allows access to the Project 1 resource (use the proper Cloud Function role).
Include the Service Account credentials in Project 2 and use the proper library to call the service with the Service Account credentials. Learn how to create a Service Account credential here.
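As an added example (not code from the question or the answer above), this is how the server-to-server call and its verification can look with the google-auth and requests libraries. The client ID, target URL and service account values are constructed placeholders; for an App Engine app the expected audience of the IAP assertion has the form /projects/PROJECT_NUMBER/apps/PROJECT_ID.

```python
import time

# Constructed placeholders: take the real values from the IAP and App Engine consoles.
IAP_CLIENT_ID = "IAP-OAUTH-CLIENT-ID.apps.googleusercontent.com"  # placeholder
TARGET_URL = "https://project-1.appspot.com/internal/function"   # placeholder
IAP_ISSUER = "https://cloud.google.com/iap"
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"


def fetch_iap_id_token(audience):
    """Project 2 side: mint an OIDC ID token for the IAP client ID, signed on
    behalf of the service account the App Engine instance runs as.
    google-auth is imported lazily so check_iap_claims() needs no network."""
    import google.auth.transport.requests
    import google.oauth2.id_token
    request = google.auth.transport.requests.Request()
    return google.oauth2.id_token.fetch_id_token(request, audience)

def call_protected_url(url=TARGET_URL, client_id=IAP_CLIENT_ID):
    """Project 2 side: call the IAP-protected URL with the ID token as Bearer."""
    import requests
    token = fetch_iap_id_token(client_id)
    return requests.get(url, headers={"Authorization": "Bearer " + token}, timeout=10)

def check_iap_claims(claims, expected_audience, allowed_emails, now=None):
    """Project 1 side: check the claims of the IAP assertion. Returns the caller
    email when the assertion is for this app, unexpired, issued by IAP and from
    an allowed service account; otherwise None."""
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        return None
    if claims.get("aud") != expected_audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    email = claims.get("email")
    return email if email in allowed_emails else None

def verify_iap_assertion(iap_jwt, expected_audience, allowed_emails):
    """Project 1 side: verify the x-goog-iap-jwt-assertion header that IAP adds
    to forwarded requests. verify_token checks signature (IAP's public keys),
    audience and expiry; the issuer and caller checks are applied on top."""
    import google.auth.transport.requests
    import google.oauth2.id_token
    request = google.auth.transport.requests.Request()
    claims = google.oauth2.id_token.verify_token(
        iap_jwt, request, audience=expected_audience, certs_url=IAP_CERTS_URL)
    return check_iap_claims(claims, expected_audience, allowed_emails)
```

Restricting the caller email to Project 2's service account keeps the function usable by that one server even if other principals are later granted IAP access to the app.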

Related

Enabling AAD federated SSO for Google compute engine hosted app

I have a Webapp hosted on Google compute engine. I am trying to list it on Microsoft AppSource. One of the mandatory conditions for listing is enabling Azure Active Directory federated Single Sign-on (AAD federated SSO) for the app.
Google Cloud Platform supports SAML 2.0-based SSO, so technically this should be possible. Has anybody tried it, and does anyone have experiences to share? Thanks in advance.
In order for an application to integrate with Azure Active Directory, it is not required that you have an Azure Subscription, or even Azure Active Directory (especially if your application is a multi-tenant application). You can host your application anywhere.
For AppSource, as long as your app integrates with Azure Active Directory, you are able to list your app on AppSource, which means that the application does not need to be hosted in Azure. AppSource also requires OpenID Connect; SAML would not qualify. For more details please see this article.
To make it easier to test the Azure AD integration in your application, you can create/use a test tenant with a Microsoft personal account (MSA), as well as use this MSA account to register your application for the OAuth2 flow.
You probably don't want to use GCP's SSO. This is really designed to allow your developers to use your organization's auth system while working on GCP. This is different than allowing your users to use their organization's AD while working within your web app.
Instead, I suggest you look to see if anyone has built AD or SAML integration for the framework your webapp is built with, or look to implementing it yourself. This allows the SSO auth to be used for the app itself, instead of in accessing GCP APIs.

How to integrate an API Connect API as a BFF into a Bluemix mobile project?

I am trying to use an API Connect generated app as the backend for my mobile project, adding an OPENAPI_SPEC env variable as defined here:
https://console.ng.bluemix.net/docs/mobile/sdk_compute.html#definition
I can add the app as a compute instance in the Mobile Project UI, but it can't generate the SDK. I guess it is because, when published via the APIC Editor to Bluemix, the Loopback app isn't accessed directly but through the APIC gateway.
Any suggestion here?
I would presume that, although you have an OPENAPI_SPEC environment variable, your Open API swagger doc isn't valid.
When you download the project, it will auto-generate an SDK corresponding with your backend's Open API document.
For instance, here is how you set the environment variable with an example relative path:
And here is a valid API doc that it's using (albeit not in the most elegant Open API compliant format yet but it works).
https://updatesdk.mybluemix.net/explorer/swagger.json
A good way to test the validity of your Open API swagger doc is the new Bluemix SDK Gen CLI plugin.
$ bx sdk validate
NAME:
validate - Determines if an OpenAPI specification is valid for SDK generation
USAGE:
bluemix sdk validate OPENAPI_DOC_LOCATION | APP_NAME
OPENAPI_DOC_LOCATION - is a raw OpenAPI specification (URL to spec or local file; json or yaml)
APP_NAME - is the name of an app running in your current space hosting OpenAPI spec.
In addition, IBM provides a deployable BFF starter sample with an accompanying blog post which may be helpful.

IBM Bluemix - Kitura Swift - is missing a required environment variable: 'OPENAPI_SPEC'

I am stuck for the moment. I cannot obtain the source code for the mobile project and I do not know where the problem is. All my research was without positive result.
My intention with IBM Bluemix is to develop a small project myself, only in Swift (server side + iOS), because I am an iOS mobile developer.
When I try to get the code for the mobile project (iOS), I get this error:
Error Notification:
The Cloud Foundry App 'XXX' is missing a required environment variable: 'OPENAPI_SPEC'.
I want to use the OpenWhisk SDK for iOS. I do not know where to set the variable OPENAPI_SPEC or what value to put in it.
I have set up a Cloud Foundry App started from "Runtime for Swift - Kitura" and a mobile project started from "Code Starter - OpenWhisk".
Can you help me with some advice or some sample?
Thank you!
If you added a Swift server side Compute to your mobile project, you will need to add an environment variable called OPENAPI_SPEC to your backend to point to a valid Open API swagger document outlining the API.
This way when you download the project, it will auto-generate an SDK corresponding with your backend's Open API.
For instance, here is how you set the environment variable:
And here is a valid API doc that it's using (albeit not in the most elegant Open API compliant format yet but it works).
https://updatesdk.mybluemix.net/explorer/swagger.json
The idea is that the "project" concept takes an abstracted view of a Compute runtime (Cloud Foundry, Docker, etc.) and only cares that it exposes an API compliant with the Open API specification. Using that defined Open API spec, you can dynamically generate an SDK for a "project" when it's downloaded (for iOS, Android, etc.).
If your backend Compute exposes no Open API specification at this time, and you just want to download the code of OpenWhisk for iOS, you can just disassociate that backend Compute from your mobile project for now, and it should download the code. If you ever build on top of that backend and want to reconnect it in the future, you can add it and redownload at a later time (doing a git diff, or using the Bluemix CLI SDK plugin to download an SDK from your Open API specification later in your project's lifecycle).

Where is the application secret?

I can't find my Application Secret key in the Mobile Options tab.
I went to look into Mobile Application Security and found out that it is no more. It is replaced by Mobile Client Access. So where is it?
If you have Mobile Client Access instead of Mobile Application Security then it sounds like you created a MobileFirst Starter Boilerplate (the newest release) rather than a Mobile Cloud Boilerplate (deprecated as of December 15th).
The new services within the MobileFirst Starter Boilerplate do not use the Application Secret for security or validation. I would recommend you take a look at that linked deprecation announcement and see what has changed in the move to the new services and what you as a developer would need to do to migrate your preexisting code.
The new service Mobile Client Access requires only appId and Route (no app secret).
You can find more information here: https://www.ng.bluemix.net/docs/services/mobileaccess/getting-started.html
In the "next steps" section you can find some examples that explain how to use the service (as you can see, the application secret is not required).

IONIC | Login Authentication using Active Directory

Is it possible to authenticate a user from a mobile application using Active Directory credentials in Ionic? I have searched Google a lot, but could not find anything specific to Active Directory.
Ionic Framework is a front end framework. You can authenticate by any means that's available from your backend API.
auth0.com offers a solution that might work for your needs if you want to integrate against a pre-baked solution rather than writing your own. They have a library for the Ionic Framework.
You can find the GitHub repo here: https://github.com/auth0-samples/auth0-ionic2-samples
Auth0 offers identity management as a service (authentication). The Ionic Framework library claims that you can integrate against:
Google,
Facebook,
Microsoft Account,
LinkedIn,
GitHub,
Twitter,
Box,
Salesforce,
Windows Azure AD,
Google Apps,
Active Directory,
ADFS
or any SAML Identity Provider
Keep in mind that your Active Directory server will have to be available to Auth0 in some way in order for the integration to work. This may not be appropriate if you're building a purely internal enterprise app.