Re: [google-appengine] Re: Obtaining refresh_token through offline_access scope to be used with IAP

2020-09-02 Thread wesley chun
That's great to hear José. I'm a bit new to using JWT tokens myself (having
only used OAuth2 access & refresh tokens) when talking to Google APIs. One
big advantage to JWT tokens is that you save API calls to both exchange a
JWT for an access token as well as your case of needing to send a refresh
token to get a new/valid access token. Cheers!

On Wed, Sep 2, 2020 at 1:04 AM 'José Cantera' via Google App Engine <
google-appengine@googlegroups.com> wrote:

> Yes, Wesley is right, in the end a refresh_token is not that necessary in
> this case, it suffices with self-signing a new JWT token with the exp
> timestamp updated,
>
> thanks!
>
> On Wed, Sep 2, 2020 at 3:26 AM wesley chun wrote:
>
>> Hi, I may not be correct in my understanding but believe that refresh
>> tokens are only used in cases where you're using OAuth2 access tokens for
>> authorization. Since you're using a self-signed JWT instead of an access
>> token, I don't think the useful reference that David linked to applies in
>> your case (and BTW, this is independent of whether you're using IAP or not).
>>
>> Since you're signing the JWT token, can't you simply re-sign it with an
>> updated timestamp in your JWT payload (as shown a bit further down on the
>> page I just linked to above)? (I believe that'll have the same effect of
>> using a refresh token to get an updated access token.)
>>
>> On Tue, Sep 1, 2020 at 2:00 PM 'David (Cloud Platform Support)' via
>> Google App Engine wrote:
>>
>>> This documentation about refreshing an access token (offline access)
>>> using Google's authorization server could be helpful.
>>>
>>> On Monday, August 31, 2020 at 8:26:25 AM UTC-4 jose.c...@iota.org wrote:
>>>
>>>> I am using IAP to protect a Web API Application. I have enabled a
>>>> service account to get access to the APIs through an id_token. I am able to
>>>> obtain an id_token (JWT) by signing a JWT (using the keys of my service
>>>> account) with the following assertions
>>>> {
>>>>   "iss": "xx.iam.gserviceaccount.com",
>>>>   "sub": "xx.iam.gserviceaccount.com",
>>>>   "aud": "https://oauth2.googleapis.com/token",
>>>>   "target_audience": "my_application_client_id",
>>>>   "iat": 1598702078,
>>>>   "exp": 1598705593
>>>> }
>>>>
>>>> and then posting to the token service as follows
>>>> curl --location --request POST 'https://oauth2.googleapis.com/token' \
>>>>   --header 'Content-Type: application/x-www-form-urlencoded' \
>>>>   --data-urlencode 'assertion=' \
>>>>   --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
>>>>   --data-urlencode 'scope=openid'
>>>>
>>>> Now I would like to also obtain a refresh_token and it has been
>>>> impossible. I have tried with *scope=openid offline_access* but no
>>>> luck. Is *offline_access* implemented in the Google Auth Server? Any
>>>> other mechanism to obtain a refresh_token?
>>>>
>>>> Thank you very much
>>>>
>>>> *IOTA Foundation*
>>>> c/o Nextland
>>>> Strassburgerstraße 55
>>>> 10405 Berlin, Germany
>>>>
>>>> Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov,
>>>> Navin Ramachandran
>>>> ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin)

>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Google App Engine" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to google-appengine+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/google-appengine/9687fedb-925a-42ef-9c26-439febdf168fn%40googlegroups.com
>>> 
>>> .
>>>
>>
>>
>> --
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> "A computer never does what you want... only what you tell it."
>> wesley chun :: @wescpy  :: Software
>> Architect & Engineer
>> Developer Advocate at Google Cloud by day; at night...
>> Python training & consulting : http://CyberwebConsulting.com
>> "Core Python" books : http://CorePython.com
>> Python blog: http://wescpy.blogspot.com
>>

Re: [google-appengine] Re: Obtaining refresh_token through offline_access scope to be used with IAP

2020-09-02 Thread 'José Cantera' via Google App Engine
Yes, Wesley is right, in the end a refresh_token is not that necessary in
this case, it suffices with self-signing a new JWT token with the exp
timestamp updated,

thanks!

On Wed, Sep 2, 2020 at 3:26 AM wesley chun wrote:

> Hi, I may not be correct in my understanding but believe that refresh
> tokens are only used in cases where you're using OAuth2 access tokens for
> authorization. Since you're using a self-signed JWT instead of an access
> token, I don't think the useful reference that David linked to applies in
> your case (and BTW, this is independent of whether you're using IAP or not).
>
> Since you're signing the JWT token, can't you simply re-sign it with an
> updated timestamp in your JWT payload (as shown a bit further down on the
> page I just linked to above)? (I believe that'll have the same effect of
> using a refresh token to get an updated access token.)
>
> On Tue, Sep 1, 2020 at 2:00 PM 'David (Cloud Platform Support)' via Google
> App Engine wrote:
>
>> This documentation about refreshing an access token (offline access)
>> using Google's authorization server could be helpful.
>>
>> On Monday, August 31, 2020 at 8:26:25 AM UTC-4 jose.c...@iota.org wrote:
>>
>>> I am using IAP to protect a Web API Application. I have enabled a
>>> service account to get access to the APIs through an id_token. I am able to
>>> obtain an id_token (JWT) by signing a JWT (using the keys of my service
>>> account) with the following assertions
>>> {
>>>  "iss": "xx.iam.gserviceaccount.com",
>>>  "sub": "xx.iam.gserviceaccount.com",
>>>  "aud": "https://oauth2.googleapis.com/token",
>>>  "target_audience": "my_application_client_id",
>>>  "iat": 1598702078,
>>>  "exp": 1598705593
>>>  }
>>>
>>> and then posting to the token service as follows
>>> curl --location --request POST 'https://oauth2.googleapis.com/token' \
>>>  --header 'Content-Type: application/x-www-form-urlencoded' \
>>>  --data-urlencode 'assertion=' \
>>>  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
>>>  --data-urlencode 'scope=openid'
>>>
>>> Now I would like to also obtain a refresh_token and it has been impossible.
>>> I have tried with *scope=openid offline_access* but no luck. Is
>>> *offline_access* implemented in the Google Auth Server? Any other
>>> mechanism to obtain a refresh_token?
>>>
>>> Thank you very much
>>>
>>> *IOTA Foundation*
>>> c/o Nextland
>>> Strassburgerstraße 55
>>> 10405 Berlin, Germany
>>>
>>> Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov,
>>> Navin Ramachandran
>>> ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin)
>>>
>
>
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> "A computer never does what you want... only what you tell it."
> wesley chun :: @wescpy  :: Software
> Architect & Engineer
> Developer Advocate at Google Cloud by day; at night...
> Python training & consulting : http://CyberwebConsulting.com
> "Core Python" books : http://CorePython.com
> Python blog: http://wescpy.blogspot.com
>

-- 
*IOTA Foundation*
c/o Nextland
Strassburgerstraße 55
10405 Berlin, Germany



Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov, Navin 
Ramachandran
ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin)

Re: [google-appengine] Re: Obtaining refresh_token through offline_access scope to be used with IAP

2020-09-01 Thread wesley chun
Hi, I may not be correct in my understanding but believe that refresh
tokens are only used in cases where you're using OAuth2 access tokens for
authorization. Since you're using a self-signed JWT instead of an access
token, I don't think the useful reference that David linked to applies in
your case (and BTW, this is independent of whether you're using IAP or not).

Since you're signing the JWT token, can't you simply re-sign it with an
updated timestamp in your JWT payload (as shown a bit further down on the
page I just linked to above)? (I believe that'll have the same effect of
using a refresh token to get an updated access token.)

On Tue, Sep 1, 2020 at 2:00 PM 'David (Cloud Platform Support)' via Google
App Engine wrote:

> This documentation about refreshing an access token (offline access)
> using Google's authorization server could be helpful.
>
> On Monday, August 31, 2020 at 8:26:25 AM UTC-4 jose.c...@iota.org wrote:
>
>> I am using IAP to protect a Web API Application. I have enabled a service
>> account to get access to the APIs through an id_token. I am able to obtain
>> an id_token (JWT) by signing a JWT (using the keys of my service account)
>> with the following assertions
>> {
>>  "iss": "xx.iam.gserviceaccount.com",
>>  "sub": "xx.iam.gserviceaccount.com",
>>  "aud": "https://oauth2.googleapis.com/token",
>>  "target_audience": "my_application_client_id",
>>  "iat": 1598702078,
>>  "exp": 1598705593
>>  }
>>
>> and then posting to the token service as follows
>> curl --location --request POST 'https://oauth2.googleapis.com/token' \
>>  --header 'Content-Type: application/x-www-form-urlencoded' \
>>  --data-urlencode 'assertion=' \
>>  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
>>  --data-urlencode 'scope=openid'
>>
>> Now I would like to also obtain a refresh_token and it has been impossible.
>> I have tried with *scope=openid offline_access* but no luck. Is
>> *offline_access* implemented in the Google Auth Server? Any other
>> mechanism to obtain a refresh_token?
>>
>> Thank you very much
>>
>> *IOTA Foundation*
>> c/o Nextland
>> Strassburgerstraße 55
>> 10405 Berlin, Germany
>>
>> Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov,
>> Navin Ramachandran
>> ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin)
>>


-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"A computer never does what you want... only what you tell it."
wesley chun :: @wescpy  :: Software
Architect & Engineer
Developer Advocate at Google Cloud by day; at night...
Python training & consulting : http://CyberwebConsulting.com
"Core Python" books : http://CorePython.com
Python blog: http://wescpy.blogspot.com
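
The approach this thread settles on (re-sign the service-account JWT with fresh iat/exp and exchange it again, instead of asking for a refresh_token), as an added Python example that is not code from any participant or from Google. `IdTokenSource`, `fake_sign`, `fake_exchange`, the 3600-second lifetime and the 60-second skew are hypothetical choices made here; `sign` stands for an RS256 signature made with the service account's private key, and the `id_token` response field is an assumption about the token endpoint's reply.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # the "aud" value quoted in the thread

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(sa_email, target_audience, sign, now, lifetime=3600):
    """Self-signed JWT with fresh iat/exp; sign(bytes) must return an RS256 signature."""
    claims = {"iss": sa_email, "sub": sa_email, "aud": TOKEN_URL,
              "target_audience": target_audience, "iat": now, "exp": now + lifetime}
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign(signing_input.encode()))

def jwt_claims(token: str) -> dict:
    """Read a JWT payload without verifying it (only used here to learn exp)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def exchange(assertion: str) -> str:
    """POST the assertion with the same form fields as the curl call in the thread."""
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion, "scope": "openid"}).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body)) as resp:
        return json.load(resp)["id_token"]  # assumed response field

class IdTokenSource:
    """Hypothetical helper: caches the id_token and re-signs shortly before it expires."""
    def __init__(self, sa_email, target_audience, sign, exchange=exchange,
                 clock=time.time, skew=60):
        self.args = (sa_email, target_audience, sign)
        self.exchange, self.clock, self.skew = exchange, clock, skew
        self._token, self._exp = None, 0

    def token(self) -> str:
        now = int(self.clock())
        if self._token is None or now >= self._exp - self.skew:
            self._token = self.exchange(build_assertion(*self.args, now))
            self._exp = jwt_claims(self._token)["exp"]
        return self._token

# Constructed offline stand-ins (not real crypto, not a real endpoint).
def fake_sign(data: bytes) -> bytes:
    return b"not-a-real-signature"

def fake_exchange(assertion: str) -> str:  # echoes the assertion's exp in an unsigned token
    return "e30." + b64url(json.dumps({"exp": jwt_claims(assertion)["exp"]}).encode()) + ".x"
```

With this pattern no refresh token is stored anywhere; the service account's private key is the only long-lived credential, so that key is what needs protecting and rotating.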
