How to structure credentials in requests to App Engine App

[David Brogdon]

I am trying to figure out how to authenticate a desktop app to my App Engine app in order to send HTTP requests to my App Engine App. I have read all the documentation I can find but what I really need to know is, how do I feed my service account key info into my http request so that my App Engine app will respond? Right now I am getting an error stating there are no credentials.  

Thanks

[Andres Fiesco Casasola]

How are you issuing the HTTP(s) request from your app engine? Could you please share the documentation you used for the authentication? Are you using a standard or a flex environment?   

[Anatoli Trifonov]

Usually you need to call google api to get token using your service account key. Then use token in https request header.

It does depend on how your app engine app is configured though in terms of authentication.

Sincerely,

Anatoli Trifonov

On Thu, May 5, 2022 at 12:06 AM 'David Brogdon' via Google App Engine <google-a...@googlegroups.com> wrote:

I am trying to figure out how to authenticate a desktop app to my App Engine app in order to send HTTP requests to my App Engine App. I have read all the documentation I can find but what I really need to know is, how do I feed my service account key info into my http request so that my App Engine app will respond? Right now I am getting an error stating there are no credentials.  

Thanks

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/e6c4a60a-1451-43e0-b6a0-f5754c40e7c2n%40googlegroups.com.

[Osvaldo Lopez Acuña]

Please share if you’re using the Standard or Flex environment, in which programming language is your App (including version), what type of service account you have, any related code or settings that you have tried and the complete error and logs. Meanwhile here’s the general App Engine’s Troubleshooting guide where you can find solutions to similar issues. Also, you can check App Engine connectivity questions and Specifying a service account. App Engine lets you use two types of service accounts.

[David Brogdon]

Currently I have a client app that is local to the desktop and needs to send a request via Python to the server app (App Engine App)
 that then interacts with the other services. I am using standard environment. I have tried many examples for the GCP docs for authentication, including oauth, etc. I am just needing to know how to get the token for use in the requests because so far I have failed. I have tried using API key method, service account key method, etc. I just need to authorize the service account.  

[David Brogdon]

This is what I am trying to do based on the GCP docs. I just need to know how to get the token from GCP to use in my client-side app so that it can make requests to my App Engine app. Do you have an example that simply gets a token by using the service account key?

Thanks

On Thursday, May 5, 2022 at 7:03:24 PM UTC-5 anat...@newventurevisions.com wrote:

[David Brogdon]

Standard environment. Client app->App Engine App->Other services is the logic flow. Client is Python code. I am trying to use the service account key to request a token so that my client app and submit a request to my App Engine App (controller/proxy/etc). Code method below:

from google.auth.transport.requests import Request
from google.oauth2 import id_token
import requests


def make_iap_request(url, client_id, method='GET', **kwargs):
    """Makes a request to an application protected by Identity-Aware Proxy.

    Args:
      url: The Identity-Aware Proxy-protected URL to fetch.
      client_id: The client ID used by Identity-Aware Proxy.
      method: The request method to use
              ('GET', 'OPTIONS', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE')
      **kwargs: Any of the parameters defined for the request function:
                https://github.com/requests/requests/blob/master/requests/api.py
                If no timeout is provided, it is set to 90 by default.

    Returns:
      The page body, or raises an exception if the page couldn't be retrieved.
    """
 # Set the default timeout, if missing
    if 'timeout' not in kwargs:
        kwargs['timeout'] = 90

    # Obtain an OpenID Connect (OIDC) token from metadata server or using service
    # account.
    open_id_connect_token = id_token.fetch_id_token(Request(), client_id)

    # Fetch the Identity-Aware Proxy-protected URL, including an
    # Authorization header containing "Bearer " followed by a
    # Google-issued OpenID Connect token for the service account.
    resp = requests.request(
        method, url,
        headers={'Authorization': 'Bearer {}'.format(
            open_id_connect_token)}, **kwargs)
    if resp.status_code == 403:
        raise Exception('Service account does not have permission to '
                        'access the IAP-protected application.')
    elif resp.status_code != 200:
        raise Exception(
            'Bad response from application: {!r} / {!r} / {!r}'.format(
                resp.status_code, resp.headers, resp.text))
    else:
        return resp.text

data={

[Ernesto Contreras Pinon]

Can you share the full stack trace you receive when trying to authenticate? It might help clarify the problem. The Google Auth API reference shows that you can use the "AuthorizedSession" class to create an authenticated session and then use the respective methods to perform HTTP requests from the authenticated session object.   

Have you tried it that way? AuthorizedSession expects a Credentials argument, which is returned from the fetch_id_token() method. You can refer to the complete user guide documentation for more samples.