I've shared a Google Sheet with my Google Service account email, which looks something like:
myappname-service#myappname-266229.iam.gserviceaccount.com
This permits my application to access that Google Sheet.
I'd like to be able to share the Google Sheet with a custom email address (e.g. google#myappname.com) aliased to that ugly autogenerated service account email (myappname-service#myappname-266229.iam.gserviceaccount.com).
How could I go about doing this?
edit:
Example of code used for interacting with Google APIs
from google_auth_httplib2 import AuthorizedHttp
from google.oauth2 import service_account
import pygsheets
def _get_gc():
scope = ['https://www.googleapis.com/auth/spreadsheets']
credentials = service_account.Credentials.from_service_account_file(
settings.GOOGLE_SERVICE_AUTH_FILE,
scopes=scope,
)
http = AuthorizedHttp(credentials, http=HTTP)
logger.info('Created GC creds, returning...')
return pygsheets.authorize(custom_credentials=credentials, http=http)
def do_something(url):
gc = _get_gc()
spreadsheet = gc.open_by_url(url)
Issue – Service accounts cannot have aliases:
Unlike regular accounts, service accounts cannot have aliases. Their email address is defined by:
The name of the corresponding project.
The name of the service account.
You cannot give it additional aliases.
Workaround – Impersonate a regular account:
If you want to avoid sharing the Google Sheets with the autogenerated service account email address, but you want to keep using the service account to interact with the API, your best option would be to share the Sheets with a regular account that has an acceptable email address, and use the service account to impersonate this regular account, when interacting with the API.
1. Delegating domain-wide authority:
One of the most useful things about a service account is that you can grant it the ability to impersonate any user in your domain and access data on behalf of it. This is called domain-wide delegation, and it can be activated for a service account by following these steps:
Important: You need to be an administrator of the G Suite domain in order to delegate domain-wide authority.
2. Impersonating:
At this point, your service account can impersonate any user in the account. To actually impersonate an account, you would just need to specify which account you want to impersonate when building the credentials.
In your specific case, you would need to provide the parameter subject when calling from_service_account_file, as you can see on the domain-wide delegation section of this page:
credentials = service_account.Credentials.from_service_account_file(
settings.GOOGLE_SERVICE_AUTH_FILE,
scopes=scope,
subject="your-account#your-domain.com"
)
Reference:
Delegating domain-wide authority to the service account
Related
I'm trying to implement IdentityServer4. We need to functionality to login as another user, when we're administrators.
I've already setup the login functionality for regular users, but I'd like a specific endpoint where an administrator can enter the username/id of a regular user.
How would one go about implementing this in IdentityServer4, as well as regular oauth2?
This is outside the scope of OIDC/OAuth2 interactions but there are some conventions for how to respresent such a scenario in the result token/claims. Have a read of https://www.rfc-editor.org/rfc/rfc8693 (in particular the act claim bits) for some inspiration.
We did this via the sign in UI flow but the model was that users could grant other users impersonation permissions explicitly. If when signing in you had valid impersonation grants then you'd be prompted as part of the sign in flow to choose a different account or continue as yourself. In your case you can identify admin users and give them the option to impersonate anyone you like.
If the user choses an impersonatee then it would change the current session to respresent that user but also store claims relating to the original user/session in the actor claim (act) and also add an amr claim of imp. We then made these claims available to clients so that they'd be aware of the fact impersonation was used and could then for example add that info to audit logs etc. We also notify the impersonated user via email and restrict access to account settings - i.e. impersonators can only sign into clients as other users, they cannot change their account settings.
We create users with their email address. We send email to each user with a link to change password api with changePasswordId. When user clicks the link, he will be redirected to change password screen where he can set the password and access the application. This works.
But, now we want to allow users to register with their social Idps upon receiving invitation/verification email. Can't see any fusionauth documentation on this part.
Questions are as follows
How to let user select their social Idp while verifying their email?
Can a user have multiple logins with different Idps for one application in FusionAuth?
Is there any linking api which links all external user accounts with their fusionauth user account?
The flow we are expecting is :
Invite User -> User clicks link -> User will be presented with set
password and social logins-> User chooses google -> Google
authenticates user and returns token back to fusion auth -> fusion
auth links user's google account with already created (invited) user
account. -> Next time user logs in with google account -> Fusion auth
identifies the user and allows him to access the application.
Updated :
Let me try to explain our situation and need, with less focus on the password setup task:
We need to set up new users that are associated with google based education accounts on custom school domains. Teachers and students that might have addresses like first.last#middle.school.com We need to take the class roster from Google Classroom, initialize accounts for each student in our backend via our API which also creates FusionAuth user and app registrations for each.
Schools don't often want kids setting passwords on vendor sites. When we send the account confirmation / verification email to the new cohort of students they would ideally be directed to the approved and configured method for that domain (perhaps Google, Microsoft, other SAML or password). If we can't get selective about the confirmation method shown after the student provides her invited email address then we could present multiple confirmation options on the same screen and let the teacher direct the students to the correct choice.
But in summary we need to avoid requiring password setup and support confirmation with the invited social account when required by the school.
If I understand your use case correctly, what you want is to add the "Login with Google buttons" to the Setup Password workflow. This is different than the Email Verification workflow, so if you are looking for a way to log users in with their social profiles during Email Verification, that's something completely different. In fact, I don't think that is a use case because after the user verifies their email, they need to log in again and they can do that using their social profile.
Unfortunately, FusionAuth doesn't fully support the ability to allow someone to use the Setup Password workflow using a social login. It might be possible though using the Email Templates and Theme editor in FusionAuth. I haven't tested this, but you could try it and see if it works.
What you would do is to pass in a URL parameter to show the social login buttons during the Setup Password workflow. This would be something you could do in the email template for Setup Password like this:
Click this link to setup your password:
<a href="https://example.com/password/change/${changePasswordId}?showSocial=true">
Setup Password
</a>
Then, using the Theme editor in FusionAuth, you would add some code in to show the buttons like this (the ?? part is to handle when the parameter is missing):
[#if showSocial?? && showSocial]
show social buttons here
[/#if]
You could give that a try and see if it works for your use case. If it doesn't work, you can always open a feature request for this on our GitHub issue tracker and we can see if it receives enough upvotes to get on the roadmap. You can also engage FusionAuth professional services to build this feature for you as well.
For your other questions, you can have as many logins with external IdPs as you want for a single user. The user is unique by their email address.
I'm not sure what you mean by "linking api", but if a user logs in with an external IdP, their tokens from those external providers are stored on the user object. You can look up those values and then call third-party APIs with their access_tokens.
UPDATE 8/27/2019
Ah yes. The social login buttons do require all of the OAuth parameters, so this solution won't work because those parameters aren't part of the Setup Password workflow.
I guess I'm confused on how this actually works and whether or not this is a workflow FusionAuth should be handling. Social logins aren't generally used for account verification. They are normally used for account creation. For example, you could just send the student to FusionAuth before their account is created, they login with their Google classroom account, and then they have a FusionAuth account. Is there any reason the student can just login in after their account is created? Is that not essentially the same thing?
Could you do something where students that have accounts in Google Classroom are created in FusionAuth with a randomly generated 32 character password (for security) since they will be logging in with Google regardless. You can then just send them an email with a standard login link.
For students that login in with a username and password to FusionAuth directly, send them a Setup Password email. This will let them pick their own password.
In terms of account Linking, FusionAuth links accounts automatically based on email address (the unique login identifier actually). Therefore, you don't need to call any extra API to associate the social login with a user.
I might still not be clearly understanding the use case, so feel free to contact us directly using the form on our website. We might need to setup a web conference to discuss your needs in detail.
If I have a website where it is possible to sign in with multiple different providers (Say Facebook, GitHub, Google), what do I use as the local-to-my-site unique identifier for users? For example, if these two steps happened:
I sign in with GitHub (For the first time) and my username is mogronalol and email is mogronalol#mogronalol.com.
A local-to-my-site acccount with an email address of mogronalol#mogronalol.com and username of mogronalol is created.
If I use the email address as the local unique identifier, what happens if my email address changes in GitHub to other#other.com? The same question applies to changing username also.
If I got some sort of unique ID from GitHub, and used that as the identifier, then what do I do if my email address or username changes in GitHub. Do I just updated my local-to-my-site-copy to be the same as the one on GitHub each time I log in?
Of course, this problem is worsened if I want to log in with my Facebook account as well as my GitHub account. What happens if my email address and / or username are different across both of these? How would my local site know to link the accounts together? And if things like email address are different once the accounts are linked, which one do I use?
First, maybe you could try on some tutorial to feel how OAuth work.
After your OAuth authentication succeed, your website will receive a series of information provided by OAuth provider.example
Within this information, there are two special columns called uid and provider used to recognize user from OAuth provider.
You will use these two columns to tell which provider the authentication come from (i.e. facebook or github), also you need to save these fields to your account columns.
Then use rest of information to create the account in your website.
For example, use OAuth provider's email as email(github's email as email).
After you create account, every time you login server from OAuth provider.
You only need to check provider and uid in account column.
Let's back to your question.
If I use the email address as the local unique identifier, what happens if my email address changes in GitHub to other#other.com? The same question applies to changing username also.
If I got some sort of unique ID from GitHub, and used that as the identifier, then what do I do if my email address or username changes in GitHub. Do I just updated my local-to-my-site-copy to be the same as the one on GitHub each time I log in?
Github's email or user change won't affect your login (We only check provider and uid fields to login user).
I suggest not to sync with your OAuth provider's information(We only use OAuth provider's information when create account).
If you are going to support multiple OAuth provider, I suggest you read through this article.
You have to separate uid and provider to other table called identity.
Each account has many identities.
I also did it before.
If you don't mind, here is the sample code snippet to deal with multiple OAuth providers.
You have to think about the logic in your login flow.
For example, user has signed in and login OAuth => Link account with OAuth provider
User not signed in and login OAuth => If find user with OAuth, login, else create account using OAuth provider's information
Of course, this problem is worsened if I want to log in with my Facebook account as well as my GitHub account. What happens if my email address and / or username are different across both of these? How would my local site know to link the accounts together? And if things like email address are different once the accounts are linked, which one do I use?
We only link account, when user is already signed in.
When you link account, you could determine to use OAuth provider's information to update account(just like you used to register account).
I suggest to use the original email not to update it from OAuth provider's information.
I have a rails application in which I wanted to send email using Gmail API(using google-api-client for ruby). I have created one application in google developers and I have generated a service account key. I am using google specification for storing that credential JSON file(storing in /home/user/.config/gcloud/applicaton_default_credentials.json).
For starters, I wanted to fetch user labels below is my code
require 'google/apis/gmail_v1'
gmail_v1 = Google::Apis::GmailV1
service = gmail_v1::GmailService.new
service.authorization = Google::Auth.get_application_default([gmail_v1::AUTH_SCOPE, gmail_v1::AUTH_GMAIL_COMPOSE, gmail_v1::AUTH_GMAIL_MODIFY, gmail_v1::AUTH_GMAIL_READONLY])
user_id = 'me'
result = service.list_user_labels(user_id)
But this is giving me Google::Apis::ClientError: failedPrecondition: Bad Request error.
My end goal is to send email using an email for which I have generated the credentials JSON file, as I don't want to put my username and password in the smtp config of the ActionMailer.
Remember Service accounts isn't YOU. A service account is a dummy user who has a Google drive account and a google calendar account and probably a few more. However it does not have a gmail account.
user_id = 'me'
Will not work with a Service account.
Note: You cant use service accounts with normal gmail user accounts.
If this is a domains account user then you can take the service account email address and add it as a user on your domains admin account. Granting it permission to access the users gmail accounts. Then you will need to do something like
user_id = 'user#domain'
After many hours of debugging, I finally found a working solution. DalmTo is right about the concept that a service account can't access Gmail as Gmail requires a User account, but we can leverage the power of impersonation in this case. The steps to do impersonation are:
Go to your service account.
Give permission to the user you want to impersonate.
We need to change our code for this setup like below
service = gmail_v1::GmailService.new
service.authorization = Google::Auth.get_application_default([gmail_v1::AUTH_SCOPE, gmail_v1::AUTH_GMAIL_COMPOSE, gmail_v1::AUTH_GMAIL_MODIFY, gmail_v1::AUTH_GMAIL_READONLY])
auth_client = service.authorization.dup
auth_client.sub = 'user#domain'
user_id = 'me'
result = auth_client.list_user_labels(user_id)
Note: For this, to work, we need to go to our G-suit account and give proper permission to our service account.
I'm following the client side authentication as described at https://developers.google.com/accounts/docs/OAuth2UserAgent
I am routinely signed on to multiple Google accounts. Normally, the flow will prompt me to choose which account I want to authenticate with. However there are sometimes instances where it assumes the first account I signed in with, which is not the account I wish to use.
When users register with my service, they do so with a specific email address (and google id).
How do I qualify the oauth dialogue such that it will always take place using only the specified user?
On https://developers.google.com/drive/about-auth I can see a comment...
Note: If you want to use the user_id parameter to select the current user from
(potentially) multiple logged-in accounts,
also add https://www.googleapis.com/auth/userinfo.email.
The implies that there is a user_id parameter I can include in the oauth call, but I can't see it documented anywhere, and there is nowhere in the Javascript API where I can inject a user_id.
Add the user_id parameter to your Authorization URI.
gapi.auth.authorize({..., user_id: 'ali#gmail.com'}, handleAuthResult);