Application Integration - Regarding OAuth for API Trigger

Google Cloud Integration Services
1

This is with respect to my previous post - https://www.googlecloudcommunity.com/gc/Integration-Services/Application-Integration-Conversion-from-curl-command-to-python/td-p/541145

Following up on the discussion in the post, I wanted to check if there is any provision to hit the API trigger of an Application Integration by using a google account configured in the backend (App Engine), without actually asking the user (of the app) to authenticate with their account (from the Google Authorization page)? Iā€™d basically be having a firewall at the App Engine level to restrict usersā€™ access to the app based on my use case.

I have tried setting the access_type to ā€˜offlineā€™ (but its only helping me for preventing the reprompting, but not the prompt page) and providing the login_hint as shown below (Is it possible to hardcode a single google account in the login_hint and allow all end users to access the application Integration end points?)

Code Snippet for the above discussion:

authorization_url, state = flow.authorization_url(
    access_type='offline',
    **login_hint='my_mail_id'**,
    include_granted_scopes='true')

Also, I was trying to get the auth token on local host by using the below snippet for testing purposes:

ā€œauthorizationā€: "Bearer " + os.popen(ā€˜gcloud auth print-access-tokenā€™).read().strip()

When I try to use the same logic on my deployed App engine application, Iā€™m seeing the error that the gcloud command couldnā€™t be found on the deployed host. Is there a way for me to use the above logic to get the token for hitting the API trigger of my Integration flow?

2

Can anyone please provide their input for this post

3

Hey Sharath !

The below code worked for me in app engine :

credential, gcp_project = google.auth.default()
auth_request = google.auth.transport.requests.Request()
credential.refresh(auth_request)

headers = {'Authorization': f'Bearer {credential.token}', 'Content-Type': 'application/json'}
response = requests.post("https://{region}-integrations.googleapis.com/v1/projects/{project}/locations/-/integrations/{integrationName}:execute", headers=headers, json={"trigger_id":"api_trigger/{triggerId}}", "inputParameters": {"partyName": {"stringValue": "sample_string"}}})
return response.content

Donā€™t forget to include ā€œApplication Integration Invokerā€ role to the service account being used in Appengine.

3 Likes
4

Hello @vsy ,

Thank you so much for the solution. This was the exact thing we were looking for!! Sorry for the late reply, I did not check this for two weeks. Also, just wanted to clarify if there are any security vulnerabilities with this approach after deploying the application.