G Suite Identity Provider for AWS Browser-Based Application

I know how to create a Google-authenticated application using google-signin-client_id 3089273xx-xxxxxxxxxxxx.apps.googleusercontent.com and <script src="https://apis.google.com/js/platform.js" async defer></script>, but the problem is that I was not able to LIMIT login to my company's G Suite instance only.

The application I have is a serverless JS package hosted on S3. The registered Google token is tied to an AWS role, which grants access to sensitive resources.

Thus, the typical solutions of checking the email from googleUser.getBasicProfile() or passing the hd parameter make no sense from a security standpoint, since (IIUC) you can control them from the browser dev tools.

Is there any other Google API that I could use, or what strategy could I apply? I assume the solution will come in the form of a special google-signin-client_id for my company's domain, which is hosted on G Suite. Here's how it relates to a role in AWS:

[image: AWS IAM Google auth]

I know that I can duplicate my users into an AWS user pool and use Cognito, but I am trying to keep a "single source of truth" for company employees and reduce the administrative burden.

+5
2 answers

UPDATE: this answer is unsafe: if you simply delete hosted_domain, you can authenticate using any Google login.

After departing from https://developers.google.com/identity/work/it-apps and using GAPI directly, I found that I can do

    // Client-side restriction to a single G Suite domain (see the UPDATE above:
    // this runs in the browser only and can be removed with dev tools)
    gapi.auth2.init({ client_id: CLIENT_ID, hosted_domain: 'example.com' })

And then, as in the documentation, you set up API client access control (Authorized API Clients) in the Google Admin console:

[image: Authorized API Clients]

So now only @example.com users on G Suite can access this JS application! It took weeks to figure out. So, just to complete the picture, here is how to authenticate with Google in a serverless application on AWS:

So now we have a statically hosted application, restricted to company employees only, that accesses sensitive, paid AWS APIs.

+3

I tried 3 different options; the first one worked for my scenario:

The first option is to verify the Google ID token for each call on the lambda side

I always pass id_token as a header on client calls (web and mobile applications).

acceptableHds - the set of allowed (hosted) domains.

    // google-auth-library (the 0.x API used here): verifyIdToken checks the signature
    // against Google's published certs; aud, exp, iss and hd are checked by hand below.
    const GoogleAuth = require('google-auth-library');
    const Auth = new GoogleAuth();

    const acceptableISSs = new Set(['accounts.google.com', 'https://accounts.google.com']);
    const acceptableHds = new Set(['example.com']); // company G Suite domain(s)

    function verifyGoogleToken(token) {
      return new Promise((resolve, reject) => {
        const oauth = new Auth.OAuth2(CLIENT_ID_WEB, CLIENT_SECRET);
        oauth.verifyIdToken(token, null, (err, ticket) => {
          if (err) { return reject(err); }
          const payload = ticket.getPayload();
          const tokenIsOK = payload &&
            payload.aud === CLIENT_ID_WEB &&
            new Date(payload.exp * 1000) > new Date() &&
            acceptableISSs.has(payload.iss) &&
            acceptableHds.has(payload.hd); // a missing hd claim is rejected too
          return tokenIsOK ? resolve(payload.hd) : reject(new Error('token rejected'));
        });
      });
    }

The second option is to verify the Google ID token on the lambda side and exchange it for Cognito tokens

I started down this alternative path but did not finish it, because the first solution met my needs; the steps were roughly these (an identity pool is needed for this):

1) Send id_token to the lambda function and verify it with the Google API (here you can check the domain using the code above)

2) Call cognitoidentity.getOpenIdTokenForDeveloperIdentity on the lambda side using the id_token coming from the browser.

3) On the client, call any of the Cognito or STS functions, such as AssumeRoleWithWebIdentity or AssumeRole, using the tokens returned from getOpenIdToken.

    const AWS = require('aws-sdk');
    const cognitoidentity = new AWS.CognitoIdentity();

    // check_company(id_token) is the validation from the first option: it resolves
    // only when the token is valid and its hd is an allowed domain.
    function getCognitoToken(id_token) {
      var param = {
        IdentityPoolId: 'us-east-1:f7b3d55f-6b63-4097-be8f-3dc22ddec1a4',
        // NB: this API is for developer-authenticated identities, so Logins is
        // expected to map the pool's developer provider name to your own user
        // identifier; a public-provider login like this one is what getOpenIdToken takes.
        Logins: { 'accounts.google.com': id_token }
      };
      return check_company(id_token).then(function (valid) {
        return cognitoidentity.getOpenIdTokenForDeveloperIdentity(param).promise();
      });
    }

I could not finish the third step. You need to use the tokens obtained in the second step without revealing the identity pool ID. If you do this and make sure that the role cannot contain the identity pool IDs, it will work as intended and will be safe.

Third option - SAML provider

You can create a SAML provider and use SAML assertions to validate a user's domain.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

I tried unsuccessfully to do this.

PS: Google Admin allows you to create private apps restricted to your corporate domain, but as far as I know it only works for mobile.

https://support.google.com/a/answer/2494992?hl=en

Hope this helps someone!

+1

Source: https://habr.com/ru/post/1258372/
