Solved: Re: Application Integration - Regarding OAuth for ...

sharathchandra · 04-11-2023 09:26 AM

This is with respect to my previous post - https://www.googlecloudcommunity.com/gc/Integration-Services/Application-Integration-Conversion-from...

Following up on the discussion in the post, I wanted to check if there is any provision to hit the API trigger of an Application Integration by using a google account configured in the backend (App Engine), without actually asking the user (of the app) to authenticate with their account (from the Google Authorization page)? I’d basically be having a firewall at the App Engine level to restrict users' access to the app based on my use case.

I have tried setting the access_type to 'offline' (but its only helping me for preventing the reprompting, but not the prompt page) and providing the login_hint as shown below (Is it possible to hardcode a single google account in the login_hint and allow all end users to access the application Integration end points?)

Code Snippet for the above discussion:

authorization_url, state = flow.authorization_url(
    access_type='offline',
    login_hint='my_mail_id',
    include_granted_scopes='true')

Also, I was trying to get the auth token on local host by using the below snippet for testing purposes:

"authorization": "Bearer " + os.popen('gcloud auth print-access-token').read().strip()

When I try to use the same logic on my deployed App engine application, I’m seeing the error that the gcloud command couldn’t be found on the deployed host. Is there a way for me to use the above logic to get the token for hitting the API trigger of my Integration flow?

vsy

Hey Sharath !

The below code worked for me in app engine :

credential, gcp_project = google.auth.default()
auth_request = google.auth.transport.requests.Request()
credential.refresh(auth_request)

headers = {'Authorization': f'Bearer {credential.token}', 'Content-Type': 'application/json'}
response = requests.post("https://{region}-integrations.googleapis.com/v1/projects/{project}/locations/-/integrations/{integrationName}:execute", headers=headers, json={"trigger_id":"api_trigger/{triggerId}}", "inputParameters": {"partyName": {"stringValue": "sample_string"}}})
return response.content

Don't forget to include "Application Integration Invoker" role to the service account being used in Appengine.

View solution in original post

sharathchandra

Can anyone please provide their input for this post

vsy

Hey Sharath !

The below code worked for me in app engine :

credential, gcp_project = google.auth.default()
auth_request = google.auth.transport.requests.Request()
credential.refresh(auth_request)

headers = {'Authorization': f'Bearer {credential.token}', 'Content-Type': 'application/json'}
response = requests.post("https://{region}-integrations.googleapis.com/v1/projects/{project}/locations/-/integrations/{integrationName}:execute", headers=headers, json={"trigger_id":"api_trigger/{triggerId}}", "inputParameters": {"partyName": {"stringValue": "sample_string"}}})
return response.content

Don't forget to include "Application Integration Invoker" role to the service account being used in Appengine.

sharathchandra

Hello @vsy ,

Thank you so much for the solution. This was the exact thing we were looking for!! Sorry for the late reply, I did not check this for two weeks. Also, just wanted to clarify if there are any security vulnerabilities with this approach after deploying the application.

Application Integration - Regarding OAuth for API Trigger