1 of 53

Developers

2 of 53

Keys to the Kingdom:

OAuth in Google Cloud Platform

Adam Eijdenberg

Product Manager�eijdenberg@google.com

Ben Sittler

Software Engineer�bsittler@google.com

3 of 53

4 of 53

What are we covering today?

  • Authentication
    • From first principles, using Google Client Libraries
    • From anywhere, Google App Engine, Google Compute Engine�
  • Authorization

5 of 53

Let's make an API call

6 of 53

7 of 53

All I want to do is make an API call!

  • What is the minimum I need to do to make a successful API call against a Google API?

GET /bigquery/v2/projects/1234/datasets HTTP/1.1�Host: www.googleapis.com�Authorization: Bearer yaXXXXXXXXXX

  • You need a token - This presentation will show you how to get one - painlessly!

8 of 53

What is a token?

  • Called an "Access Token" - identifies 3 things to Google:

  1. The application (called Client) making the request

  • The User (if applicable) authorizing the request

  • What class of actions the user has authorized the application to perform (called Scope)

9 of 53

How do I get one?

  • This depends on whose data is being accessed�
  • Data owned by a Google user
    • e.g. show consent screen for your application to access data on behalf of a user, e.g. Google Drive, Google Calendar�
  • Data owned by my application or provided by Google
    • e.g. Google Cloud Storage, Google BigQuery API, Google Compute Engine�
  • This presentation will focus on accessing data belonging to your application - typical pattern for Cloud Platform APIs

10 of 53

Configuring the project

11 of 53

Accessing data owned by my application

  • Let's get started with BigQuery

https://developers.google.com/console/

12 of 53

Project

  • Container for:
    • Resources
      • Google Cloud Storage buckets
      • Google Compute Engine virtual machines
      • BigQuery datasets
    • Registered applications and credentials�
  • Holds configuration for:
    • Authorization
    • Billing / quota management
    • Services enabled

13 of 53

Enable the service

  • Remember the access token identifies the application making the request?

  • The API you are calling must be enabled within the project where the application is registered (next step)

14 of 53

Create a service account

  • A service account is a non-human user
  • Allows your application to make API calls on behalf of itself
  • Identity for your application - like a role account

15 of 53

Branding Information screen

  • The first time a Client is created you will be prompted for the following - this is not used for application authentication.

16 of 53

Select "Service Account"

17 of 53

Download key

18 of 53

Take note of the email address

19 of 53

Let's get an access token

20 of 53

Create an assertion

yyyyyyy@developer.gserviceaccount.com https://www.googleapis.com/auth/bigquery

21 of 53

Create an assertion

import time��now = long(time.time())

� {� "iss": "yyyyyyy@developer.gserviceaccount.com",� "scope": "https://www.googleapis.com/auth/bigquery",� "aud": "https://accounts.google.com/o/oauth2/token",� "exp": now + (60 * 60), "iat": now� }

22 of 53

Create an assertion

import time, json, base64��now = long(time.time())�assertion_input = "%s.%s" % (� base64.urlsafe_b64encode(

json.dumps({"alg": "RS256", "typ": "JWT"}).encode("UTF-8")

).rstrip("="),� base64.urlsafe_b64encode(json.dumps({� "iss": "yyyyyyy@developer.gserviceaccount.com",� "scope": "https://www.googleapis.com/auth/bigquery",� "aud": "https://accounts.google.com/o/oauth2/token",� "exp": now + (60 * 60), "iat": now� }).encode("UTF-8")).rstrip("="))

23 of 53

Sign it - and swap it

� � xxxxxxxx-privatekey.p12 notasecret

24 of 53

Sign it - and swap it

import urllibfrom OpenSSL import crypto��

urllib.urlencode({

"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",� "assertion": "%s.%s" % (assertion_input,� base64.urlsafe_b64encode(crypto.sign(crypto.load_pkcs12(� file("xxxxxxxx-privatekey.p12", "rb").read(),� "notasecret").get_privatekey(), assertion_input, "sha256")).rstrip("="))� })

25 of 53

Sign it - and swap it

import urllib2, urllibfrom OpenSSL import crypto�� access_token = json.loads(urllib2.urlopen("https://accounts.google.com/o/oauth2/token",

urllib.urlencode({

"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",� "assertion": "%s.%s" % (assertion_input,� base64.urlsafe_b64encode(crypto.sign(crypto.load_pkcs12(� file("xxxxxxxx-privatekey.p12", "rb").read(),� "notasecret").get_privatekey(), assertion_input, "sha256")).rstrip("="))� })).read())["access_token"]

26 of 53

Result

{� "access_token" : "yaXXXXXXXXXXXXXXXXXXXXXXXX",� "token_type" : "Bearer",� "expires_in" : 3600�}

27 of 53

Try using it

print urllib2.urlopen(urllib2.Request(� "https://www.googleapis.com/bigquery/v2/projects/%s/datasets"

% "my-test-project-id",� headers={'Authorization': 'Bearer %s' % access_token}�)).read()

28 of 53

Try using it

print urllib2.urlopen(urllib2.Request(� "https://www.googleapis.com/bigquery/v2/projects/%s/datasets"

% "my-test-project-id",� headers={'Authorization': 'Bearer %s' % access_token}�)).read()

Result:

{� "kind": "bigquery#datasetList",� "etag": "..."�}

29 of 53

Using Google Client libraries

yyyyyyyyyyy@developer.gserviceaccount.com xxxxxxxxxxx-privatekey.p12https://www.googleapis.com/auth/bigquery

30 of 53

Using Google Client libraries

import httplib2from oauth2client.client import SignedJwtAssertionCredentials��http = SignedJwtAssertionCredentials(� "yyyyyyyyyyy@developer.gserviceaccount.com",� file("xxxxxxxxxxx-privatekey.p12", "rb").read(),� scope="https://www.googleapis.com/auth/bigquery"�).authorize(httplib2.Http())

31 of 53

Use authorized HTTP object directly

print http.request("https://www.googleapis.com/bigquery/v2/projects/%s/datasets"

% "my-test-project-id")[1]

32 of 53

Use authorized HTTP object directly

print http.request("https://www.googleapis.com/bigquery/v2/projects/%s/datasets"

% "my-test-project-id")[1]

Result:

{� "kind": "bigquery#datasetList",� "etag": "..."�}

33 of 53

Or the full client library stack

from apiclient.discovery import build��service = build('bigquery', 'v2')�print service.datasets().list(projectId="my-test-project-id").execute(http)

34 of 53

Or the full client library stack

from apiclient.discovery import build��service = build('bigquery', 'v2')�print service.datasets().list(projectId="my-test-project-id").execute(http)

Result:

{� "kind": "bigquery#datasetList",� "etag": "..."�}

35 of 53

Google hosted environments

36 of 53

Google hosted environments?

  • Built-in service account support provided for:
    • Google Compute Engine
    • Google App Engine�
  • You need to add the Google App Engine service account email address to the team for the project that contains the data you wish to access.�
  • For some APIs you will also need to pass an API key in the request

37 of 53

Use built-in identity in Google App Engine

# Built-in:

https://www.googleapis.com/auth/bigquery��

38 of 53

Use built-in identity in Google App Engine

# Built-in:from google.appengine.api import app_identity��access_token, ttl = app_identity.get_access_token(� "https://www.googleapis.com/auth/bigquery")��

39 of 53

Use built-in identity in Google App Engine

# Built-in:from google.appengine.api import app_identity��access_token, ttl = app_identity.get_access_token(� "https://www.googleapis.com/auth/bigquery")��# With client library:

https://www.googleapis.com/auth/bigquery

40 of 53

Use built-in identity in Google App Engine

# Built-in:from google.appengine.api import app_identity��access_token, ttl = app_identity.get_access_token(� "https://www.googleapis.com/auth/bigquery")��# With client library:from oauth2client.appengine import AppAssertionCredentials��http = AppAssertionCredentials(� "https://www.googleapis.com/auth/bigquery").authorize(httplib2.Http())

41 of 53

Use built-in identity in Google Compute Engine

# When starting your VM - authorize the VM to use the scope you need:�gcutil --project=my-test-project-id addinstance foobar \

--service_account_scopes=https://www.googleapis.com/auth/bigquery��

42 of 53

Use built-in identity in Google Compute Engine

# When starting your VM - authorize the VM to use the scope you need:�gcutil --project=my-test-project-id addinstance foobar \

--service_account_scopes=https://www.googleapis.com/auth/bigquery��# Inside the VM:�curl "http://metadata/computeMetadata/v1/instance/service-accounts/default/token" -H “Metadata-Flavor: Google”

43 of 53

Use built-in identity in Google Compute Engine

# When starting your VM - authorize the VM to use the scope you need:�gcutil --project=my-test-project-id addinstance foobar \

--service_account_scopes=https://www.googleapis.com/auth/bigquery��# Inside the VM:�curl "http://metadata/computeMetadata/v1/instance/service-accounts/default/token" -H “Metadata-Flavor: Google”

# Result:

{� "access_token" : "yaXXXXXXXXXXXXXXXXXXXXXXXX",� "token_type" : "Bearer",� "expires_in" : 3600�}

44 of 53

Use client library on Google Compute Engine

https://www.googleapis.com/auth/bigquery

45 of 53

Use client library on Google Compute Engine

from oauth2client.gce import AppAssertionCredentials��http = AppAssertionCredentials(� "https://www.googleapis.com/auth/bigquery").authorize(httplib2.Http())

46 of 53

Authentication - summary

  • Your applications need an identity (like a role account) when they access Google APIs�
  • When running in Google App Engine or Google Compute Engine use built-in credentials�
  • When running elsewhere (including local Google App Engine development) create a service account and download a private key�

47 of 53

What is a token?

  • Called an "Access Token" - identifies 3 things to Google:

  • The application (called Client) making the request

  • The User (if applicable) authorizing the request

  • What class of actions the user has authorized the application to perform (called Scope)

48 of 53

Authorization is based on the user

  • Ensure the email address associated with the user is added as a "Team" member on the project associated with the resource being accessed
  • Correct scope associated with access token�

49 of 53

Billing/quota based on client

  • Validate against the project associated with client ID:
    • Service is enabled
    • Billing state is active (where applicable)
    • Quota limit (for API call) has not been exceeded
      • Per project (e.g. courtesy limit)
      • Per user - configurable by developers�
  • For APIs that include accessing resources belonging to a project (e.g. most Cloud Platform APIs), the above is also validated against the project owning that resource (if different)

50 of 53

Summary

  • Access token must be presented
    • Recommend client libraries to acquire token�
  • Authorize user by adding to appropriate Team�
  • Now, go and use our APIs to change the world!
    • (or at least solve your problems!)�
  • Ask questions if you are stuck!
    • StackOverflow (google-oauth)

51 of 53

Thank You!

Adam Eijdenberg - eijdenberg@google.com

Ben Sittler - bsittler@google.com

52 of 53

Google Cloud Platform Resources

cloud.google.com - get started today

developers.google.com - docs and developer guidance

cloud.google.com/newsletter - stay up to date

googlecloudplatform.blogspot.com - our blog

https://developers.google.com/api-client-library/ - client libraries

https://developers.google.com/accounts/docs/OAuth2ServiceAccount - protocol details

Get questions answered on StackOverflow (google-oauth)

53 of 53

Developers