...
Went back to https://www.google.com/a/cpanel/sagebionetworks.com/ManageOauthClients
and clicked 'authorize' again.
This time it worked!!
Time to write the web app.
On the subject of 2-legged OAuth, from
http://code.google.com/apis/accounts/docs/OAuth.html#WorkingOauth
"This differs from the normal authorization flow, also known as 3-legged OAuth, in
that no access token is required. All applications using 2-legged OAuth must be
registered with Google."
There's a code example here:
http://code.google.com/apis/gdata/docs/auth/oauth.html#2LeggedOAuth
Another example:
http://code.google.com/p/gdata-java-client/source/browse/trunk/java/sample/oauth/TwoLeggedOAuthExample.java
Notes
Q: What's the cumulative file size on the Sage SSH server?
A: About 2GB, considering the files in the directory /data/incoming on sage.fhcrc.org
Google Apps provides two APIs to help with authentication:
SAML Single Sign-On (SSO) Service: would allow *us* to create and maintain users and groups outside of Google.
http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
Google Apps Provisioning API: would allow us to programmatically create Google users and groups in our private domain. This would streamline adding users to Google Apps. If we used it as a total solution, then the non-Google apps (e.g. Addama) would have to go to Google for authentication, which violates the 'arms length' integration requirement.
OpenID sounds like an alternative to SAML:
http://www.google.com/support/forum/p/apps-apis/thread?tid=33a3707bd2ea7904&hl=en
In the case of OpenID, the user may have a Google Account, a Google Apps Account, or an account from any other domain that provides OpenID federated login.
Integration of GAE with OpenID:
http://code.google.com/appengine/docs/java/users/overview.html
"What would Atlassian Do" (WWAD)?
4.1 Seraph is a very simple, pluggable J2EE web application security framework developed by Atlassian and used in our products.
http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence
4.2 Crowd is a single sign-on (SSO) application for as many users, web applications
and directory servers you need — all through a single web interface.
http://www.atlassian.com/software/crowd/
Crowd centralises identity management, allowing you to take users from different directories
and manage them in one place. Multiple user directories can be centrally managed via Crowd's
administration console.
Crowd's OpenID authentication server, CrowdID, talks with websites and applications using
OpenID. It expands Crowd's SSO capabilities to applications outside your organisation's firewall.
http://confluence.atlassian.com/display/CROWD/Configuring+the+Google+Apps+Connector
To enable single sign-on in Google Apps, you will need the Premier, Education, or Partners edition of Google Apps.
The Crowd Google Apps connector does not support the automatic adding of users. If a user exists
in Crowd but not in Google Apps, then the user will not be able to log in to Google Apps.
To add an application (e.g. a GAE app like Addama registry):
http://confluence.atlassian.com/display/CROWDDEV/Application+Integration+Overview
Licensing and hosting Crowd:
- Crowd is not hosted by Atlassian. We have to run it ourselves. It runs on Windows, Linux or Mac and uses an apache tomcat app server:
http://confluence.atlassian.com/display/CROWD/Installing+Crowd+and+CrowdID
- Pricing: This is a little confusing but it seems to say that it's $10 for up to 10 users then $600/$1200 for up to 100 users (academic/commercial)
http://www.atlassian.com/software/crowd/pricing.jsp
To integrate other applications with Crowd:
Writing a Crowd custom application connector:
http://confluence.atlassian.com/display/CROWDDEV/Creating+a+Crowd+Client+for+your+Custom+Application
To integrate with Apache's authentication:
http://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Apache
Other Single Sign-On software:
Another alternative is "SSO Easy".
Open source alternative:
http://code.google.com/googleapps/domain/open_source_projects.html#sso
Enterprise Sign-on Engine:
http://esoeproject.org/
Other notes
- Sage SSH/SCP server authenticates using standard unix log-in.
Addama Authentication/Authorization
Some info here
http://code.google.com/p/addama/w/list
- Addama authentication is via Servlet filters using GAE User Service OR a Google API-key.
- Addama handles authentication via Servlet Filters; the servlet config xml file shows what's in place.
- Addama white list: "user x can get these services, or anything under the branch."
Notes on Addama Registry Filters:
org.systemsbiology.addama.coresvcs.gae.filters.StaticContentFilter
I don't think this has anything to do with authentication, rather it's a cache for static content.
Note: You can't even get this far without being authenticated.
Note: The white list (below) *authorizes*, and doesn't apply to static content.
org.systemsbiology.addama.coresvcs.gae.filters.UserServiceFilter
If logged-in Google Acct OR valid API Key, then allow, else deny.
org.systemsbiology.addama.coresvcs.gae.filters.WhiteListFilter
If the user is an Admin or is in a 'white list' for the requested resource, then allow, else deny.
org.systemsbiology.addama.coresvcs.gae.filters.DirectLinkFilter
Seems to handle a specific kind of request called a 'direct link' request.
(This MIGHT be a method for retrieving large files.)
org.systemsbiology.addama.coresvcs.gae.filters.AdminOnlyFilter
Filter out any requests NOT from an admin.
Applied only for addama/memcache/*
org.systemsbiology.addama.coresvcs.gae.filters.ProxiesFilter
Seems to forward certain requests (in particular, non-registry requests) to GAE's "URLFetchService".
- what does <security-constraint> in the GAE web.xml file mean?
A: from http://code.google.com/appengine/docs/java/users/overview.html
If you have pages that the user should not be able to access unless signed in, you can establish a security constraint for those pages in the deployment descriptor (the web.xml or app.yaml file). If a user accesses a URL with a security constraint and the user is not signed in, App Engine redirects the user to the sign-in page automatically (for Google Accounts or Google Apps authentication) or to the page at /_ah/login_required (for OpenID authentication), then directs the user back to the URL after signing in or registering successfully.
A security constraint can also require that the user be a registered administrator for the application. This makes it easy to build administrator-only sections of the site, without having to implement a separate authorization mechanism.
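As an added illustration (not Addama's own code), here is a small model of the authenticate-then-authorize chain the filter notes describe: the UserServiceFilter rule (Google account OR API key), the WhiteListFilter rule ("these services, or anything under the branch") and the admin-only rule for addama/memcache/*. The users, API keys, white list and the order of the filters are assumptions.

```python
# Added example, not Addama's code: a model of the rule the filter notes describe
# ("user x can get these services, or anything under the branch"), run after the
# authenticate step (logged-in Google account OR valid API key). Branch matching is
# by whole path segment, so a grant on /addama/data does not also cover /addama/database.
# Users, keys and the white list are constructed sample data; chain order is assumed.
from dataclasses import dataclass, field
from typing import Optional

ADMINS = {"admin@sagebionetworks.com"}                      # constructed
API_KEYS = {"k-0001": "svc@sagebionetworks.com"}            # constructed: key -> principal
WHITE_LIST = {                                               # constructed: principal -> branches
    "alice@sagebionetworks.com": ["/addama/data", "/addama/registry/public"],
}

@dataclass
class Request:
    path: str
    google_user: Optional[str] = None   # set when the GAE User Service reports a login
    api_key: Optional[str] = None       # the alternative credential
    attrs: dict = field(default_factory=dict)

def under_branch(path: str, branch: str) -> bool:
    """True if path equals branch or lies beneath it by whole path segments."""
    branch = branch.rstrip("/")
    return path == branch or path.startswith(branch + "/")

def user_service_filter(req: Request) -> bool:
    """Authenticate: logged-in Google account OR valid API key, else deny."""
    if req.google_user:
        req.attrs["principal"] = req.google_user
        return True
    if req.api_key in API_KEYS:
        req.attrs["principal"] = API_KEYS[req.api_key]
        return True
    return False

def white_list_filter(req: Request) -> bool:
    """Authorize: admins pass; anyone else needs a white-list branch covering the path."""
    principal = req.attrs.get("principal")
    if principal is None:          # never authorize a request that was not authenticated
        return False
    if principal in ADMINS:
        return True
    return any(under_branch(req.path, b) for b in WHITE_LIST.get(principal, []))

def admin_only_filter(req: Request) -> bool:
    """Mapped only under /addama/memcache/*: drop anything not from an admin."""
    if not under_branch(req.path, "/addama/memcache"):
        return True
    return req.attrs.get("principal") in ADMINS

def allow(req: Request) -> bool:
    """Filter chain: authenticate, then authorize (a deny anywhere ends the chain)."""
    return user_service_filter(req) and white_list_filter(req) and admin_only_filter(req)
```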
Nicole's "an area for testing" is a "google apps for your domain" domain
http://www.google.com/a/sagebionetworks.com is a "test domain for Google Apps"
What's the difference between a "google account" and a "google apps account"?
A: the latter is newer and ultimately should subsume the former.
Does Google Apps support OpenID?
A: Only as an "Identity provider" (of the Google Apps ID) not as a service provider seeking authentication.
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
3 ways to authenticate GAE
- google accounts
- google-apps account (on proprietary domain associated with Google)
- OpenID
ours is a google apps premier (="business"?) account
Notes on Authorization
From:
http://www.google.com/support/a/bin/answer.py?answer=61017&hl=en
With Google Apps for Business and Education, administrators can use two-legged OAuth for
domain-wide delegation of authority. An application that has the OAuth consumer key and
secret (roughly equivalent to a role account username and password) is allowed to act as
any user in the domain when accessing Google Data APIs. Unlike three-legged OAuth, users
do not need to give consent on an individual basis, as this decision is made on their behalf
by the administrator.
This is one of the admin screens in sagebionetworks.com for authorization:
https://www.google.com/a/cpanel/sagebionetworks.com/ManageOauthClients
From:
http://www.google.com/support/forum/p/apps-apis/thread?tid=21d4f55e584e3970&hl=en
Also, for access control, your SSO solution can create a cookie for the user storing
his username. When a specific website page is requested, you can again use Provisioning
API to determine if the username stored in cookie is part of the required Google group
and authorize him.
A Dead End
I started implementing OAuth, but mistakenly started working on '3-legged OAuth' when in fact I wanted to implement the much simpler '2-legged' variety. I include my notes in case we have to go back to '3-legged' authorization later.
Went to
http://code.google.com/apis/accounts/docs/OAuth.html#GoogleAppsOAuth
which says that I have to do the following sequence:
1. Get an unauthorized request token (OAuthGetRequestToken)
2. Authorize the request token (OAuthAuthorizeToken)
3. Exchange the authorized request token for an access token (OAuthGetAccessToken)
1. Issue this request:
https://www.google.com/accounts/OAuthGetRequestToken
with query params (they can also go elsewhere; values are my best guesses right now):
oauth_consumer_key=sandbox-sagebionetworks.appspot.com
oauth_nonce= ""+Math.abs(Random.nextLong()) // (must be unsigned)
oauth_signature_method=HMAC-SHA1
oauth_signature=OrB7tgg7BJtAkn9uvbo14uC9
oauth_timestamp=System.currentTimeMillis()
scope=https://apps-apis.google.com/a/feeds/group/#readonly https://apps-apis.google.com/a/feeds/user/#readonly
oauth_callback= a URL our application supplies to receive a <request token, verifier> pair
The response header includes (for example)
oauth_token=ab3cd9j4ks73hf7g
&oauth_token_secret=ZXhhbXBsZS5jb20
&oauth_callback_confirmed=true
2. Issue this request:
https://www.google.com/accounts/OAuthAuthorizeToken
oauth_token=<the value returned above>
hd=sagebionetworks.com
Now our callback URL is called to receive the <request token, verifier> pair
3. Issue this request:
https://www.google.com/accounts/OAuthGetAccessToken
oauth_consumer_key=sandbox-sagebionetworks.appspot.com
oauth_token=<the request token returned from request #1>
oauth_verifier=<verification code supplied in the callback>
oauth_signature_method=HMAC-SHA1
oauth_signature=OrB7tgg7BJtAkn9uvbo14uC9
oauth_timestamp=System.currentTimeMillis()
oauth_nonce= ""+Math.abs(Random.nextLong()) (must be unsigned)
Response header contains the access code
oauth_token=ab3cd9j4ks73hf7g&oauth_token_secret=ZXhhbXBsZS5jb20
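As an added example (not code from the original notes), here is what signing the step 1 request actually involves: the oauth_signature is an HMAC-SHA1 over a base string built from the method, URL and every parameter, not a literal copied from the docs, and oauth_timestamp is in seconds. The consumer secret, callback and scope values are constructed placeholders.

```python
# Added example, not code from the original notes: OAuth 1.0a HMAC-SHA1 signing for the
# OAuthGetRequestToken call of step 1. The notes use a literal oauth_signature from the
# docs and a millisecond timestamp; a real request signs a base string built from the
# method, URL and every oauth_/scope param, and oauth_timestamp is in seconds.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://www.google.com/accounts/OAuthGetRequestToken"

def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ kept."""
    return quote(s, safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(URL) & enc(params sorted by encoded name, joined as k=v with &)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret); the token secret
    is empty for the request-token call, since no token exists yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def request_token_params(consumer_key, consumer_secret, scope, callback, nonce=None, ts=None):
    """Signed parameter set for step 1 (GET OAuthGetRequestToken)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts if ts is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),  # random, never reused, never negative
        "oauth_version": "1.0",
        "oauth_callback": callback,
        "scope": scope,  # Google extension, but signed like any other query param
    }
    params["oauth_signature"] = sign("GET", REQUEST_TOKEN_URL, params, consumer_secret)
    return params

def authorization_header(params: dict) -> str:
    """oauth_* params go in the Authorization header (what the notes end up doing);
    non-oauth params such as scope stay in the query string."""
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()) if k.startswith("oauth_"))
    return "OAuth " + fields

def signature_valid(method: str, url: str, params: dict, consumer_secret: str) -> bool:
    """Provider-side check: recompute and compare in constant time (a real provider
    also rejects stale timestamps and replayed nonces)."""
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

The same sign() with an empty token secret is what the 2-legged variant in "Notes on Authorization" uses; there the user to act as is passed as an extra signed parameter (xoauth_requestor_id) instead of a token.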
I wrote a routine to do step 1, with all params except 'scope' and 'oauth_callback'.
When I ran it, it returned: "400 OK"
Changed the app to have valid values for the scope and callback. Tried again. Result:
java.io.IOException: Could not fetch URL: https://www.google.com/accounts/OAuthGetRequestToken....
I think it's a matter of formatting the params.
I moved the params into the request header. Now the IOException goes away and I'm back to 400/OK.