google / identity-toolkit-java-client Goto Github PK

Hi

Using the uploadUsers method of a GitkitClient object I was able to upload two users with the same email address and different localId.
How is this allowed ?
It seems to me like a bug. Can you please fix ?

Thanks

The initRsaSHA256Signer method on RpcHelper hides exceptions important information when doing things like

log.warning("can not initialize service account signer: " + e);

a better way to do it would be

log.warning("can not initialize service account signer: " + e, e);

Reference code:

  private RsaSHA256Signer initRsaSHA256Signer(String serviceAccountEmail, InputStream keyStream) {
    try {
      if (serviceAccountEmail != null && keyStream != null) {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(keyStream, "notasecret".toCharArray());
        return new RsaSHA256Signer(
            serviceAccountEmail,
            null,
            (RSAPrivateKey) keyStore.getKey("privatekey", "notasecret".toCharArray()));
      }
    } catch (KeyStoreException e) {
      log.warning("can not initialize service account signer: " + e);
    } catch (CertificateException e) {
      log.warning("can not initialize service account signer: " + e);
    } catch (UnrecoverableKeyException e) {
      log.warning("can not initialize service account signer: " + e);
    } catch (NoSuchAlgorithmException e) {
      log.warning("can not initialize service account signer: " + e);
    } catch (IOException e) {
      log.warning("can not initialize service account signer: " + e);
    } catch (InvalidKeyException e) {
      log.warning("can not initialize service account signer: " + e);
    }
    log.warning("service account is set to null due to: email = " + serviceAccountEmail
        + "keystream = " + keyStream);
    return null;
  }

I would love to see an example of gitkit usage with some kind of container authentication. I've tried to get it working using the docs and quickstart application but have been unsuccessful thus far. Is there such a thing available? Thanks.

Has only private constructors, which are unaccessible outside the library.

Hi

'Password-users' have their email not verified and we need to know this in our signin flow. However, GitkitUser does not expose the JSON value of "verified".

GitkitClient provides a validateTokenToJson which we can use to get to the information but for this we have to get the token value first and getting the token we have to read the cookie again.
JsonObject jsonToken = gitkitClient.validateTokenToJson(getCookieAGAIN());

It would be great to:

1. Get the "verified" value via GitkitUser
2. Probably also useful: access to the token value from GitkitClient.getToken()

best regards - Robert

Hi,

1. To handle sign out, I understand the token cookie has to be deleted, however to do this one has to know its name. Since GitkitClient is initialized with the cookie name it would be convenient if it would be possible to access it without having to parse the original configuration input.
   i.e. provide gitkitClient.getCookieName()

2. After signout it makes sense to redirect the user to the original signin/widget url as a confirmation of his signout. Again it would be useful to get the widget Url directly from GitkitClient
   i.e. provide gitkitClient.getWidgetUrl()

thank you and best regards - Robert

Calling this method gets the following exception:

com.google.identitytoolkit.GitkitClientException: Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.
at com.google.identitytoolkit.RpcHelper.checkGitkitException(RpcHelper.java:346)
at com.google.identitytoolkit.RpcHelper.invokeGitkitApi(RpcHelper.java:272)
at com.google.identitytoolkit.RpcHelper.getAccountInfo(RpcHelper.java:118)
at com.google.identitytoolkit.GitkitClient.getUserByToken(GitkitClient.java:180)

The method should call invokeGoogle2LegOauthApi("getAccountInfo", params) instead to send an access token.

It appears that whenever the user enters a gmail address, it automatically connects them with Google Plus as the identity provider.
This brings up 2 issues:

1. We would like to be able to create a password account with a gmail address, and not force the user to login with their google account.
2. There is not way to connect with a gmail account if it's not the account that is connected to the device.
   For example, my device has the gmail account: [email protected].
   If I try to login with the identity toolkit and the email: [email protected], it tells me I have to sign in again ("A change in your account requires that you sign in again").

Am I missing something?
If not, Can you fix this limitation?
Thanks

The project uses both gson and json, although gson can probably do everything that json can. Is there any reason why both are needed, and if not, can json be removed so to reduce dependencies?

Hi,

According to current documentation (https://developers.google.com/identity/toolkit/web/reference/relyingparty/uploadAccount), GKit supports "rounds", "memoryCost" parameter for uploadAccount method.
Unfortunately, current version of identity-toolkit-java-client doesn't support these parameters.
Could you please add them.

Best,
Andrei

Given a Gitkit token, I'd like to have a verified version of JSON object instead of just the GitkitUser. To do so I suggest to provide a getter for JsonTokenHelper. Please confirm this change is acceptable.

Thanks!

GitkitClient should allow to be configured with proxy parameters, if not it is not usable when you are behind a proxy.
Maybe by just doing a "proxy" version of the HttpSender should be enough...

I am trying to get an email verification link for a particular email registered user via System.out.println(gitkitClient.getEmailVerificationLink(gitkitUser.getEmail()));. However, I am getting this exception: com.google.identitytoolkit.GitkitServerException: org.json.JSONException: JSONObject["access_token"] not found.

May I know what have I done wrong.

Thanks in advance.

Hi,

I noticed that 'password-users' do not have a verified email. In the forum I saw a suggestion to implement it by getting a oobCode and validating the email ourselves. So I managed to do this, but I had to 'clone' RpcHelper class to make the following requests:

1. Getting the oobCode. RpcHelper.getOobCode is public but it is not exposed through the GitkitClient class.

String oobCode=rpcHelper.getOobCode(params).getString("oobCode");
<<

2. Set the email verification status to 'confirmed', however rpcHelper.invokeGoogle2LegOauthApi has private access

rpcHelper.invokeGoogle2LegOauthApi("setAccountInfo", params));
<<

Thus my suggestion:

Since there are a number of git-API calls not supported currently it would be extremely useful to get

1. Access to the rpcHelper via gitkitClient.getRpcHelper();
2. Public access to rpcHelper.invokeGoogle2LegOauthApi()
3. Public access to rpcHelper.invokeGitkitApi()

Thank you and best regards - Robert

This library used to work fine with previous App Engine SDKs, but I'm getting the following errors with the current version:

java.nio.file.Files is not supported by Google App Engine's Java runtime environment
java.nio.file.Paths is not supported by Google App Engine's Java runtime environment

Is there any workaround for this issue? The only place these objects have been used in the library is one line in the public static GitkitClient createFromJson() method. Is this method expendable?

Hi,

jsontoken uses httpcore 4.0.1

[INFO] +- com.googlecode.jsontoken:jsontoken:jar:1.1:compile
[INFO] | +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] | - org.apache.httpcomponents:httpcore:jar:4.0.1:compile

which is tough when I need this:

[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] | | - org.apache.httpcomponents:httpcore:jar:4.3.3:compile

any chance that jsontoken gets brought up to speed, or dropped as a dependency in favour of another library?