0

I have successfully implemented Google Sign-In for my application as described here, with an additional layer of validation using our back-end server as described here. However, when I try to register my application for Cross-Account Protection, I'm only able to receive events that come from personal (ending in @gmail.com) accounts.

my stream config object looks like this:

{
  "delivery": {
    "delivery_method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
    "url": MY_RECEIVER_ENDPOINT
  },
  "events_requested": [
    "https://schemas.openid.net/secevent/risc/event-type/account-credential-change-required",
    "https://schemas.openid.net/secevent/risc/event-type/account-disabled",
    "https://schemas.openid.net/secevent/risc/event-type/sessions-revoked",
    "https://schemas.openid.net/secevent/risc/event-type/account-enabled",
    "https://schemas.openid.net/secevent/risc/event-type/account-purged",
    "https://schemas.openid.net/secevent/risc/event-type/verification",
    "https://schemas.openid.net/secevent/oauth/event-type/tokens-revoked"
  ]
}

and when I register the endpoint with Google I get a 200 response code, and can successfully test with verify events using the following:

def test_event_stream(auth_token, nonce):
    headers = {'Authorization': 'Bearer {}'.format(auth_token)}
    state = {'state': nonce}
    response = requests.post('https://risc.googleapis.com/v1beta/stream:verify', json=state, headers=headers)
    return response

which will also respond with a 200, and I see following payload (after decoding the jwt token) in my application logs:

{
  "aud": [
    "MY_CLIENT_ID.apps.googleusercontent.com"
  ],
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/verification": {
      "state": "MESSAGE at Fri Nov  8 01:31:13 2019"
    }
  },
  "iat": 1573176640,
  "iss": "https://accounts.google.com",
  "jti": "JTI_VALUE"
}

I can also receive 'https://accounts.google.com/risc/event/all-token-revoked' events from my own personal Google account when I revoke access from my application in my security panel, but do not receive the same events from my work account (GSuite) when I perform the same actions.

Is there a setting that needs to be enabled either by our GSuite admin or by me in the developer console for this application? Any help here would be greatly appreciated, this is a significant blocker.

wpercy
  • 9,636
  • 4
  • 33
  • 45

1 Answers1

0

The short answer here is that Google does not currently send security events for G Suite accounts. They added a piece to their documentation today (11/12/2019) with the following:

google doc info

wpercy
  • 9,636
  • 4
  • 33
  • 45