bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

Authenticating Google AppEngine service accounts #132

Open bbassingthwaite opened 9 years ago

bbassingthwaite commented 9 years ago

Hi,

I am looking to use oauth2_proxy to secure services that are accessed from our App Engine application. Each application is provided a service account that is used for any OAuth calls that are made from the application. There are also APIs provided to get the service account name and a token for a specified scope.

Here is a Python script that, if run on the App Engine application, would pass the assert call.

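```python
import json
from google.appengine.api import app_identity, urlfetch

# Ask App Engine for an access token for the application's service account,
# limited to the userinfo.email scope.
access_token, _ = app_identity.get_access_token(['https://www.googleapis.com/auth/userinfo.email'])

# Ask Google which account the token belongs to.
json_data = json.loads(
    urlfetch.fetch(
        'https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token={}'.format(access_token)
    ).content
)

# The email Google reports for the token is the service account name.
assert app_identity.get_service_account_name() == json_data['email']
```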

I am wondering if there is a way today for us to pass the access token and the service account name so that oauth2_proxy will validate with Google that the supplied service account is in the authenticated-emails-file?

Thanks!

merland commented 8 years ago

Hi. Did you ever solve this? I am trying to do almost the same thing. Would be really nice if oauth2_proxy could handle this.
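The check asked about in this thread could look like the following on the proxy side. This is an added example, not part of the original thread and not oauth2_proxy's own code: `LoadAllowed` and `ValidateServiceAccount` are hypothetical names, the allow list is assumed to hold one address per line, and the token is sent as a Bearer header instead of in the URL as the script above does.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// LoadAllowed reads an allow list with one email per line (assumed format).
func LoadAllowed(r io.Reader) map[string]bool {
	allowed := map[string]bool{}
	for sc := bufio.NewScanner(r); sc.Scan(); {
		if e := strings.ToLower(strings.TrimSpace(sc.Text())); e != "" {
			allowed[e] = true
		}
	}
	return allowed
}

// ValidateServiceAccount asks the userinfo endpoint which account the token
// belongs to, and accepts only the claimed account when it is allow-listed.
func ValidateServiceAccount(c *http.Client, userinfoURL, token, claimed string, allowed map[string]bool) (string, error) {
	req, err := http.NewRequest("GET", userinfoURL, nil)
	if err != nil {
		return "", err
	}
	// A header keeps the token out of URLs that end up in access logs.
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token rejected: HTTP %d", resp.StatusCode)
	}
	var info struct{ Email string `json:"email"` }
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<16)).Decode(&info); err != nil {
		return "", err
	}
	// Trust the email the endpoint reports, never the caller-supplied name alone.
	email := strings.ToLower(info.Email)
	if email == "" || email != strings.ToLower(claimed) || !allowed[email] {
		return "", fmt.Errorf("%q is not the claimed, allow-listed account", info.Email)
	}
	return email, nil
}
```

The access token is a bearer credential, so the proxy should receive it only over TLS and should not log it.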