Post Password Change Action - Web Service Not Working


Brandon Justice

Dec 28, 2020, 4:27:32 PM
to pwm-general

I'm trying to do a web service call to Google post password change and I can't get it to work. When a password is changed I get this error: "A required service is unavailable. Please try again later." Any ideas? I have v1.9.1 and see there may be an issue with this version and Post Password API calls.

Thanks!

Brandon Justice

Dec 28, 2020, 4:28:51 PM
to pwm-general

Jason Rivard

Dec 28, 2020, 9:49:32 PM
to pwm-general
Did you look in the logs....?

Brandon Justice

Dec 29, 2020, 8:48:17 AM
to pwm-g...@googlegroups.com
I have been looking through them and haven't found anything yet. I'll update when I find something. Just didn't know if anyone had any ideas right off the bat.

--
Brandon Justice

Brandon Justice

Dec 29, 2020, 10:34:59 AM
to pwm-general
2020-12-29T15:31:33Z, TRACE, client.PwmHttpClient, {6hIIO,USER} received response (id=24) in 188ms: HTTP response status 401 Unauthorized [] header: Vary=Referer header: Content-Type=application/json; charset=UTF-8 header: Date=Tue, 29 Dec 2020 15:31:33 GMT header: Server=ESF header: Content-Length=509 header: X-XSS-Protection=0 header: X-Frame-Options=SAMEORIGIN header: X-Content-Type-Options=nosniff header: Alt-Svc=h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" body: { "error": { "code": 401, "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "errors": [ { "message": "Login Required.", "domain": "global", "reason": "required", "location": "Authorization", "locationType": "header" } ], "status": "UNAUTHENTICATED" } }  

HTTP PUT request to https://admin.googleapis.com/admin/directory/v1/users/@USER:ID@?key=KEY


This is what we are seeing. We have tried adding a key to the end of the URL and no luck. Any ideas?
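
Added example (not part of the original thread, and not PWM's own code): a small Python triage for the PwmHttpClient TRACE line quoted above. It parses the status, headers and Google's JSON error body and reports whether the 401 means that no Authorization header was sent at all, which is what "location": "Authorization" with "reason": "required" indicates here. The function names, result labels and the trimmed SAMPLE line are constructed for illustration.

```python
import json
import re

# Constructed sample: the TRACE line from the post above with most headers trimmed.
SAMPLE = (
    '2020-12-29T15:31:33Z, TRACE, client.PwmHttpClient, {6hIIO,USER} received response '
    '(id=24) in 188ms: HTTP response status 401 Unauthorized [] header: Vary=Referer '
    'header: Content-Type=application/json; charset=UTF-8 header: Server=ESF '
    'body: { "error": { "code": 401, "message": "Request is missing required '
    'authentication credential.", "errors": [ { "message": "Login Required.", '
    '"domain": "global", "reason": "required", "location": "Authorization", '
    '"locationType": "header" } ], "status": "UNAUTHENTICATED" } }  '
)

LINE_RE = re.compile(
    r"received response \(id=(\d+)\) in \d+ms: HTTP response status (\d{3})"
    r"[^\[]*\[[^\]]*\](.*?)\s+body: (.*)$", re.S)

def parse_response_line(line):
    """Split a PwmHttpClient 'received response' line into status, headers, error."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    req_id, status, header_blob, body = m.groups()
    headers = {}
    for chunk in header_blob.split(" header: ")[1:]:
        name, _, value = chunk.partition("=")  # values such as Alt-Svc contain '='
        headers[name.strip()] = value.strip()
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None  # body was not JSON (for example an HTML error page)
    error = doc.get("error", {}) if isinstance(doc, dict) else {}
    return {"id": int(req_id), "status": int(status), "headers": headers, "error": error}

def diagnose(parsed):
    """Map a parsed response to the causes discussed in this thread."""
    if parsed is None:
        return "not-a-response-line"
    details = parsed["error"].get("errors", []) if isinstance(parsed["error"], dict) else []
    if parsed["status"] == 401:
        for d in details:
            if (d.get("location"), d.get("locationType"), d.get("reason")) == (
                    "Authorization", "header", "required"):
                return "no-authorization-header"  # the ?key= API key alone was not accepted
        return "credential-rejected"  # assumed grouping for any other 401
    if parsed["status"] == 403:
        return "authenticated-but-not-permitted"
    return "ok" if parsed["status"] < 400 else "other-error"
```

Running diagnose(parse_response_line(SAMPLE)) returns "no-authorization-header", matching the error body's statement that an OAuth 2 access token or other credential was expected in the Authorization header.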

jason.e...@gmail.com

Dec 29, 2020, 10:41:29 AM
to pwm-general
Did you add Authorization in the headers in the HTTP Headers section for pwm? It should look like the below, and yes, you still need the API key at the end of the URL.

Name: Authorization
Value: Bearer Your_Token_Here

Brandon Justice

Dec 29, 2020, 11:13:37 AM
to pwm-general
I did not. Do you happen to have documentation on how to set up the token and API key? We just need a static token and key preferably from a service account or something that doesn't change. We haven't been able to have any luck with Google's documentation haha.

Thanks Jason!

jason.e...@gmail.com

Dec 29, 2020, 11:38:23 AM
to pwm-general
It's been a while since I have set up a new one. Go to https://console.developers.google.com/ and log in with a gsuite account that has permissions to modify users (probably best to create a user for this purpose since you're not using oauth), create a new project, call it pwm or something else, make sure "Admin SDK API" is enabled in the API library, then go to "Credentials" under API and Services, click create credentials, choose api key, set up restrictions as needed, and save.

ddunla...@gmail.com

Dec 29, 2020, 12:35:58 PM
to pwm-general
Just curious - why would one be doing "post password action" instead of using Google Apps Password Sync?

Brandon Justice

Dec 29, 2020, 1:13:41 PM
to pwm-general
We are actually only using the SSO portion instead of syncing accounts from local AD. SSO is set up between Azure AD and Google so users can use their Azure AD credentials to log into Google. JIT provisioning is also set up so there is no reason to do this. Unfortunately we ran into an issue where Google doesn't know when an Azure AD password has been changed. To fix this, we are just trying to get PWM to update the password on the Google account to a random variable, then it forces the user to re-log into Azure AD from a Google device/browser. Hope that makes sense.

Jason - I set up the API key but am having a hard time finding where to get the token for the HTTP header.

Thanks!



jason.e...@gmail.com

Dec 29, 2020, 1:46:56 PM
to pwm-general
I believe it's under the same credentials page to create one. Not near a computer atm. Google used to have a nice little helper in the console that would ask step by step years ago.

Brandon Justice

Dec 29, 2020, 3:23:43 PM
to pwm-general
Yeah, I remember that now that you mention it. I'm not seeing it anymore so it looks like it changed (of course /sigh). Let me know if you have time to see if you can see it; otherwise, do you know of another way, like setting up oauth? Sorry, I'm somewhat new to this and just playing around with it now haha.

Paul Hodgdon

Dec 29, 2020, 4:05:40 PM
to pwm-g...@googlegroups.com
You need an OAuth token for authorization/authentication.

On Tue, Dec 29, 2020 at 10:33 AM Brandon Justice <bjusti...@gmail.com> wrote:
2020-12-29T15:31:33Z, TRACE, client.PwmHttpClient, {6hIIO,testbrandon} received response (id=24) in 188ms: HTTP response status 401 Unauthorized [71.67.112.181] header: Vary=Referer header: Content-Type=application/json; charset=UTF-8 header: Date=Tue, 29 Dec 2020 15:31:33 GMT header: Server=ESF header: Content-Length=509 header: X-XSS-Protection=0 header: X-Frame-Options=SAMEORIGIN header: X-Content-Type-Options=nosniff header: Alt-Svc=h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" body: { "error": { "code": 401, "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "errors": [ { "message": "Login Required.", "domain": "global", "reason": "required", "location": "Authorization", "locationType": "header" } ], "status": "UNAUTHENTICATED" } }  


HTTP PUT request to https://admin.googleapis.com/admin/directory/v1/users/@USER:ID@?key=KEY


This is what we are seeing. We have tried adding a key to the end of the URL and no luck. Any ideas?
--

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com


Brandon Justice

Jan 4, 2021, 11:07:53 PM
to pwm-general
I've been reading into how to do it and it doesn't seem like it's doable via the web service hook method? I have a JWT file and have to generate an access token, which doesn't seem easy to integrate into PWM. Looking into the OAuth section under SSO in PWM, is this the direction I am supposed to go? Any insight into what to do next would be appreciated!

Paul Hodgdon

Jan 5, 2021, 9:02:35 AM
to pwm-g...@googlegroups.com
I recall seeing other posts (https://groups.google.com/forum/embed/#!topic/pwm-general/BAkQSGzlm5I) that used GAM or a third-party API to call Google APIs. It shouldn't be that difficult to create a RESTful service and even deploy that as another app on your application server.



Jason Everling

Jan 6, 2021, 10:19:21 AM
to pwm-g...@googlegroups.com

You can do it. The OAUTH section in PWM is for sign in, nothing else. I'll see if I can find our old info from years back to give you a working example. If I remember correctly, you create a service account in google dev console and generate the token there.

Brandon Justice

Jan 7, 2021, 9:23:22 PM
to pwm-general
Thank you all!

Jason Everling

Jan 8, 2021, 9:56:26 AM
to pwm-g...@googlegroups.com

I went back into old pwm configs. The parameters I had sent were correct: you do need the token, and use a service account in gsuite with permissions set up. I went into our dev console and of course the project was destroyed when we stopped using it years ago, like it should have been. Since you do have gsuite, you can easily reach out to Google support and they will walk you through setting it up, not the pwm side of course.
