google-auth-library-ruby | Google Auth Library for Ruby | OAuth library
kandi X-RAY | google-auth-library-ruby Summary
kandi X-RAY | google-auth-library-ruby Summary
This is Google's officially supported ruby client library for using OAuth 2.0 authorization and authentication with Google APIs.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Get a default security credentials .
- Create a new lock
google-auth-library-ruby Key Features
google-auth-library-ruby Examples and Code Snippets
Community Discussions
Trending Discussions on google-auth-library-ruby
QUESTION
Google API clients typically recognise the GOOGLE_APPLICATION_CREDENTIALS environment variable. If found, it's expected to point to a JSON file with credentials for either a service account or a user.
Service account credentials can be downloaded from the GCP web console and look like this:
...ANSWER
Answered 2018-Jul-09 at 19:22As you point out gcloud command line tool (CLI) does not use application default credentials. It has separate system for managing its own credentials.
GOOGLE_APPLICATION_CREDENTIALS are designed for client libraries to simplify wiring in credentials, and gcloud CLI is not a library. Even in the client code best practice is not to depend on this environment variable but instead explicitly provide credentials.
To answer your second question, user credentials can be obtained via
QUESTION
I need to know that the plaintext/ciphertext being sent to Google CloudKMS, and the public/private key used to authenticate, are secure in transit, but I don't know how to prove that.
As per KMS docs, I created a service account, downloaded the JSON key file, and have hooked it up via the environment variable GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json.
I am using the google-api-client gem (at version 0.10.3, released 13 months old, because I can't install mime-types >= 3.0 whilst using padrino-mailer: see this commit), have tested the Google::Apis::CloudkmsV1::CloudKMSService methods encrypt_crypto_key and decrypt_crypto_key, and they're working nicely.
I have tried reading through the source code of the google-api-client, googleauth, and signet gems. All I'm certain of is:
- The JSON key file is loaded and the
private_keyvalue is used to makeOpenSSL::PKey::RSA.newhere Signet::OAuth2::Clientis given the RSA key assigning_keyin this file
I would consider the security proven if the JSON key file is used to encrypt the string sent through encrypt_crypto_key on the calling server, and likewise to decrypt the string received by decrypt_crypto_key, and the CloudKMS server on the other end behaves similarly. This is what I'm assuming the library does – End-to-end encryption – but I must see it to believe it. I attempted to view the traffic in Wireshark but couldn't make any sense of it (maybe that fact proves it? I don't know )
Can anyone help me prove or disprove this method of calling CloudKMS to encrypt/decrypt user data – using the google-api-client gem with a JSON key file downloaded as per the docs – is secure?
Related: for those of you who are interested, the CloudKMS API is on the roadmap to be included in the newer google-cloud gem.
...ANSWER
Answered 2018-May-01 at 14:24The communications between your client and Google are secured via TLS. You can see in Wireshark that the communications are on port 443 and that a TLS connection is negotiated.
Your requests are authenticated using OAuth. In this case (using a service account from outside of GCP), this is done using the flow documented in Using OAuth 2.0 for Server to Server Applications:
- you are responsible for provisioning your off-GCP app with the private key issued to the service account you wish to assert;
- it then uses that private key to sign a JWT and submit it to Google's OAuth server;
- Google replies with an OAuth access token which is a bearer credential which identifies the service account in question;
- You then provide that access token with your requests to KMS to identify the entity making the requests as the service account and using its authority;
- KMS and GCP then use that identity to evaluate IAM access controls to determine whether particular operations are authorized.
This is secured end-to-end (the TLS connection is end-to-end security since the parties to the communication—your service and Google—are the TLS endpoints). Since your question seems to be "are these requests secure in transit, and how can I show this", I think it's sufficient to show that a TLS connection is being negotiated, Wireshark should be able to show you this. (Your connection library also needs to be doing a suitable PKI evaluation of the presented certificate; validating that this is taking place correctly is a little more involved, but it's a reasonable thing to trust is happening correctly if you investigate the tools you're using and their assertions around certificate validation).
Best wishes and thanks for using GCP and Cloud KMS. Let us know if you have any further questions.
QUESTION
I have a mobile app that is signin in with google and sending a server auth code to my backend app. I want to use this code, along with the client secrets from the google developer console, to retrieve a refresh code for retrieving data from google drive when the user is offline.
Google provides an client for auth calls in ruby, but it seems not to be maintained lately and I could not see a way to do this kind of authorisation in the docs. In the documentation, I could find an example of how to do this on python:
...ANSWER
Answered 2018-Feb-22 at 16:41In case somebody stumbles here with a similar problem, what caused the request to fail was the Content-Type, and not the grant_type parameter.
Digging around in the code for the client library I saw that they use application/x-www-form-urlencoded the endpoint expects a application/x-www-form-urlencoded content type. I adjusted my code accordingly and was able to get a successful response with the valid credentials and token.
Here follows the resulting code:
QUESTION
Where is user_id supposed to come from in this example?
Using the command line example from here: https://github.com/google/google-auth-library-ruby
I've only changed the example by removing the '/path/to/' and there is a client_secrets.json in my working directory.
...ANSWER
Answered 2017-Jan-25 at 20:49The user_id should the email address of the person who clicks the link.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install google-auth-library-ruby
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
