Meta tags:
description= Protect user accounts with Cross-Account Protection
;
Headings (most frequently used words):
and, your, the, event, token, java, python, stream, configuration, with, api, an, receiver, security, events, protect, user, accounts, cross, account, protection, stay, organized, collections, save, categorize, content, based, on, preferences, page, summary, overview, set, up, project, in, console, create, endpoint, register, need, help, prerequisite, decode, validate, handle, oauth, identifiers, supported, types, duplicated, missed, generate, authorization, call, risc, optional, test, error, code, reference, access, scopes, product, info, stack, overflow, developer, consoles, get, update, current, stop, resume,
Text of the page (most frequently used words):
the (214), risc (89), you (85), google (83), your (77), account (73), token (66), event (65), https (58), and (57), for (56), #security (46), com (45), stream (37), #endpoint (37), service (36), with (34), project (29), googleapis (28), sign (27), user (27), configuration (26), events (26), api (25), use (25), that (25), type (24), tokens (23), jwt (23), key (23), string (22), openid (20), v1beta (20), new (20), can (20), authorization (20), cross (20), console (19), this (18), get (18), protection (18), json (17), oauth (16), these (16), schemas (16), net (16), secevent (16), request (15), create (15), not (15), using (15), receiver (15), are (14), update (14), app (14), accounts (14), public (14), credentials (14), identity (13), have (13), status (13), must (13), from (13), verify (12), access (11), delivery (11), following (11), requests (11), issuer (11), terms (10), apis (10), will (10), verification (10), was (10), updaterequest (10), when (10), return (10), claim (10), apps (10), information (9), post (9), client (9), http (9), example (9), import (9), them (8), thumb (8), need (8), more (8), java (8), www (8), auth (8), only (8), time (8), disabled (8), 403 (8), one (8), make (8), then (8), suggested (8), auth_token (8), response (8), updateresponse (8), email (8), identifier (8), decode (8), content (7), see (7), should (7), scopes (7), set (7), may (7), headers (7), state (7), required (7), iss (7), library (7), which (7), users (7), 123456789 (7), googleusercontent (7), down (6), date (6), code (6), send (6), error (6), method (6), 400 (6), received (6), authtoken (6), subject (6), sub (6), open (6), catch (6), null (6), appropriate (6), reason (6), their (6), validate (6), implement (6), cloud (5), platform (5), firebase (5), actions (5), developers (5), samples (5), try (5), page (5), section (5), about (5), delivered (5), authorized (5), url (5), contain (5), test (5), bearer (5), handle (5), doesn (5), described (5), credential (5), events_requested (5), but (5), note (5), algorithm (5), aud (5), service_account (5), file (5), signed (5), address (5), receive (5), register (5), enable (5), ensure (5), ids (5), notifications (5), español (4), under (4), readwrite (4), has (4), enabled (4), invalid (4), any (4), how (4), admin (4), calls (4), sure (4), could (4), please (4), disable (4), raise (4), exception (4), def (4), python (4), responsestatus (4), addheader (4), httppost (4), object (4), jsonmapper (4), objectmapper (4), unique (4), same (4), receiving (4), types (4), based (4), used (4), keyid (4), signing (4), below (4), take (4), recovery (4), currently (4), sessions (4), also (4), client_ids (4), public_key (4), don (4), document (4), such (4), android (3), developer (3), web (3), linking (3), connect (3), stack (3), overflow (3), policy (3), our (3), other (3), out (3), policies (3), first (3), check (3), help (3), application (3), call (3), supports (3), configured (3), require (3), does (3), called (3), permission (3), associated (3), found (3), hour (3), format (3), now (3), int (3), header (3), execute (3), ioexception (3), final (3), static (3), body (3), start (3), next (3), change (3), receiver_endpoint (3), push (3), delivery_method (3), requesting (3), generate (3), private_key_id (3), kid (3), private_key (3), exp (3), issued_at (3), iat (3), riscmanagementservice (3), pip (3), install (3), issuedat (3), clientemail (3), privatekey (3), created (3), claims (3), consent (3), jti (3), action (3), provided (3), secure (3), hijacking (3), identifiers (3), revoked (3), values (3), contains (3), legacy (3), single (3), previous (3), step (3), abcedfgh (3), token_data (3), risc_config (3), certificate (3), well (3), known (3), rsa (3), publickey (3), decodedjwt (3), got (3), before (3), important (3), click (3), services (3), choose (3), 한국어 (2), 日本語 (2), ภาษาไทย (2), বাংলা (2), हिंदी (2), فارسی (2), العربيّة (2), עברית (2), русский (2), türkçe (2), tiếng (2), việt (2), português (2), brasil (2), polski (2), italiano (2), indonesia (2), français (2), américa (2), latina (2), deutsch (2), english (2), all (2), products (2), chrome (2), home (2), store (2), data (2), blog (2), tag (2), understand (2), too (2), steps (2), last (2), updated (2), 2026 (2), utc (2), except (2), licensed (2), details (2), registered (2), its (2), license (2), feedback (2), still (2), reference (2), readonly (2), decide (2), message (2), existing (2), cannot (2), support (2), build (2), likely (2), learn (2), least (2), expect (2), domains (2), management (2), role (2), making (2), instructions (2), roles (2), riscconfigs (2), correct (2), after (2), failed (2), valid (2), include (2), fieldname (2), field (2), sent (2), handles (2), requested (2), test_event_stream (2), unsuccessful (2), raise_for_status (2), stream_verify_endpoint (2), nonce (2), testeventstream (2), getentity (2), entity (2), httpentity (2), getstatuscode (2), statuscode (2), getstatusline (2), statusline (2), getheaders (2), responsecontenttypeheaders (2), defaulthttpclient (2), httpresponse (2), stringentity (2), setentity (2), statestring (2), writevalueasstring (2), throws (2), void (2), some (2), working (2), together (2), correctly (2), sending (2), through (2), registering (2), ever (2), stop (2), while (2), want (2), current (2), posting (2), above (2), successfully (2), configure_event_stream (2), stream_cfg (2), stream_update_endpoint (2), configureeventstream (2), streamconfig (2), eventsrequested (2), list (2), receiverendpoint (2), make_bearer_token (2), encoded (2), rs256 (2), payload (2), expires_at (2), 3600 (2), client_email (2), service_json (2), credentials_file (2), pyjwt (2), rsakey (2), expiresat (2), withaudience (2), withissuer (2), rsa256 (2), expire (2), serviceaccountcredentials (2), fileinputstream (2), find (2), current_time (2), service_account_email (2), prerequisite (2), begin (2), dup (2), like (2), dataflow (2), activity (2), gmail (2), alternate (2), follow (2), bulk (2), ending (2), delete (2), respond (2), supported (2), possible (2), token_identifier_alg (2), table (2), identifies (2), newer (2), might (2), subject_type (2), additional (2), decoded (2), validate_security_token (2), qrstuvwx (2), ijklmnop (2), validation (2), audience (2), algorithms (2), validating (2), key_id (2), keys (2), google_certs (2), jwt_header (2), jwks_uri (2), risc_config_uri (2), jwks (2), uri (2), verifier (2), expiration (2), googlecerts (2), jwksuri (2), unverifiedjwt (2), choice (2), because (2), each (2), prevent (2), tasks (2), way (2), cryptographically (2), organization (2), risk (2), profile (2), default (2), receives (2), responding (2), overview (2), suspension (2), affected (2), were (2), improve (2), within (2), protect (2), ios (2), resources (2), sharing (2), passkeys (2), authentication (2), manage, cookies, privacy, dashboard, cast, sdk, play, consoles, branding, guidelines, product, info, latest, news, ask, question, fork, yourself, github, easy, easytounderstand, solved, problem, solvedmyproblem, otherup, missing, missingtheinformationineed, complicated, many, toocomplicatedtoomanysteps, outofdate, issue, samplescodeissue, otherdown, tell, otherwise, noted, trademark, oracle, affiliates, site, apache, creative, commons, attribution, questions, secevents, scope, authenticating, detailed, unable, 4xx, 5xx, 404, statuses, unsupported, works, connection, requires, clients, useful, every, hosted, add, domain, belong, here, assign, needs, deleted, already, managing, able, custom, again, spec, compliant, urls, attached, hasn, expired, unauthorized, 401, parsed, errors, returned, succeeds, simply, logging, examine, logs, confirm, ctime, tostring, anything, specify, identifying, flow, subscribe, optional, deactivated, buffer, they, occur, reenable, resume, future, modify, modifying, modified, back, returns, 200, describes, everything, aslist, arrays, host, security_event_types, specifying, interested, configure, including, alternatively, approach, simpler, network, round, trip, expires, continue, encode, load, couldn, loaded, classcastexception, withkeyid, withexpiresat, withissuedat, withsubject, rsaprivatekey, 3600000, gettime, exactly, getclientemail, getprivatekeyid, getprivatekey, fromstream, googlecredentials, makebearertoken, private, downloaded, screen, gcp, accompanied, limited, retries, extended, period, permanently, miss, attempt, redeliver, believes, been, therefore, sometimes, multiple, times, cause, repeated, inconvenience, consider, there, external, tools, duplicated, missed, log, look, suspicious, usually, necessarily, offer, analyze, determine, corresponding, refresh, needed, stored, terminate, additionally, suggest, attributes, integrate, index, quick, match, double, hash, sha, 512, hash_base64_sha512_sha512, characters, prefix, refresh_token, token_type, individual, fields, specified, particular, contained, issued, id_token_claims, html, javascript, represents, mapping, specifies, concerns, available, track, indicate, intended, recipient, verified, 7375626a656374, 756e69717565206964656e746966696572, 1508184845, looks, 202, indicated, false, verify_exp, options, signature, situation, dumps, from_jwk, rsaalgorithm, none, get_unverified_header, malformedurlexception, malformed, jwtdecodeexception, invalidclaimexception, jwkexception, max_value, long, acceptleeway, jwtverifier, rsapublickey, getpublickey, urljwkprovider, jwkprovider, getkeyid, oauth2, certs, real, implementation, validatesecurityeventtoken, matches, discovery, represent, historical, looking, specific, kind, listed, whichever, decoding, malicious, attacks, bad, actors, sections, describe, essential, even, during, testing, stores, abides, deletes, reasonable, timeframe, strings, jwts, related, enabling, owned, bind, read, requirements, selected, typically, become, managed, carefully, best, practices, newly, download, keep, somewhere, safe, accessible, prompted, who, granted, addresses, sdks, settings, directly, responsible, whatever, complete, workspace, formerly, suite, signals, anti, fraud, session, purposes, review, comply, failure, result, developed, foundation, standard, mitigate, potential, sends, objects, expose, very, little, just, occurred, compromised, temporarily, emails, being, alert, major, changes, often, implications, instance, hijacked, potentially, lead, compromise, lets, shared, listening, various, taking, handling, helps, outlined_flag, summary, save, categorize, preferences, stay, organized, collections, skip, main,
Text of the page (random words):
ons https schemas openid net secevent oauth event type tokens revoked required if the token is for google sign in terminate their currently open sessions additionally you may want to suggest to the user to set up an alternate sign in method suggested if the token is for access to other google apis delete any of the user s oauth tokens you have stored https schemas openid net secevent oauth event type token revoked see oauth token identifiers section for token identifiers required if you store the corresponding refresh token delete it and request the user to re consent next time an access token is needed https schemas openid net secevent risc event type account disabled reason hijacking reason bulk account required if the reason the account was disabled was hijacking re secure the user s account by ending their currently open sessions suggested if the reason the account was disabled was bulk account analyze the user s activity on your service and determine appropriate follow up actions suggested if no reason was provided disable google sign in for the user and disable account recovery using the email address associated with the user s google account usually but not necessarily a gmail account offer the user an alternate sign in method https schemas openid net secevent risc event type account enabled suggested re enable google sign in for the user and re enable account recovery with the user s google account email address https schemas openid net secevent risc event type account credential change required suggested look out for suspicious activity on your service and take appropriate action https schemas openid net secevent risc event type verification state state suggested log that a test token was received duplicated and missed events cross account protection will attempt to redeliver events that it believes have not been delivered therefore you may sometimes receive the same event multiple times if this could cause repeated actions that inconvenience your users consider using the jti claim which is a unique identifier for an event to de dup the events there are external tools like google cloud dataflow that may help you to execute the de dup dataflow note that events are delivered with limited retries so if your receiver is down for an extended period of time you may permanently miss some events register your receiver to begin receiving security events register your receiver endpoint using the risc api calls to the risc api must be accompanied by an authorization token you will receive security events only for the users of your app so you need to have an oauth consent screen configured in your gcp project as a prerequisite for the steps described below 1 generate an authorization token to generate an authorization token for the risc api create a jwt with the following claims iss service_account_email sub service_account_email aud https risc googleapis com google identity risc v1beta riscmanagementservice iat current_time exp current_time 3600 sign the jwt using your service account s private key which you can find in the json file you downloaded when you created the service account key for example java using java jwt and google s auth library public static string makebearertoken string token null try get signing key and client email address fileinputstream is new fileinputstream your service account credentials json serviceaccountcredentials credentials serviceaccountcredentials googlecredentials fromstream is privatekey privatekey credentials getprivatekey string keyid credentials getprivatekeyid string clientemail credentials getclientemail token must expire in exactly one hour date issuedat new date date expiresat new date issuedat gettime 3600000 create signed token algorithm rsakey algorithm rsa256 null rsaprivatekey privatekey token jwt create withissuer clientemail withsubject clientemail withaudience https risc googleapis com google identity risc v1beta riscmanagementservice withissuedat issuedat withexpiresat expiresat withkeyid keyid sign rsakey catch classcastexception e credentials file doesn t contain a service account key catch ioexception e credentials file couldn t be loaded return token python import json import time import jwt pip install pyjwt def make_bearer_token credentials_file with open credentials_file as service_json service_account json load service_json issuer service_account client_email subject service_account client_email private_key_id service_account private_key_id private_key service_account private_key issued_at int time time expires_at issued_at 3600 payload iss issuer sub subject aud https risc googleapis com google identity risc v1beta riscmanagementservice iat issued_at exp expires_at encoded jwt encode payload private_key algorithm rs256 headers kid private_key_id return encoded auth_token make_bearer_token your service account credentials json this authorization token can be used to make risc api calls for one hour when the token expires generate a new one to continue to make risc api calls note alternatively you can do service account authorization with oauth 2 0 but the jwt based approach described above is simpler and doesn t require a network round trip should you decide to use service account authorization see the access token scopes section for scopes you should be requesting 2 call the risc stream configuration api now that you have an authorization token you can use the risc api to configure your project s security event stream including registering your receiver endpoint to do so make an https post request to https risc googleapis com v1beta stream update specifying your receiver endpoint and the types of security events you re interested in post v1beta stream update http 1 1 host risc googleapis com authorization bearer auth_token delivery delivery_method https schemas openid net secevent risc delivery method push url receiver_endpoint events_requested security_event_types for example java public static void configureeventstream final string receiverendpoint final list string eventsrequested string authtoken throws ioexception objectmapper jsonmapper new objectmapper string streamconfig jsonmapper writevalueasstring new object public object delivery new object public string delivery_method https schemas openid net secevent risc delivery method push public string url receiverendpoint public list string events_requested eventsrequested httppost updaterequest new httppost https risc googleapis com v1beta stream update updaterequest addheader content type application json updaterequest addheader authorization bearer authtoken updaterequest setentity new stringentity streamconfig httpresponse updateresponse new defaulthttpclient execute updaterequest header responsecontenttypeheaders updateresponse getheaders content type statusline responsestatus updateresponse getstatusline int statuscode responsestatus getstatuscode httpentity entity updateresponse getentity now handle response configureeventstream https your service example com security event receiver arrays aslist https schemas openid net secevent risc event type account credential change required https schemas openid net secevent risc event type account disabled authtoken python import requests def configure_event_stream auth_token receiver_endpoint events_requested stream_update_endpoint https risc googleapis com v1beta stream update headers authorization bearer format auth_token stream_cfg delivery delivery_method https schemas openid net secevent risc delivery method push url receiver_endpoint events_requested events_requested response requests post stream_update_endpoint json stream_cfg headers headers response raise_for_status raise exception for unsuccessful requests configure_event_stream auth_token https your service example com security event receiver https schemas openid net secevent risc event type account credential change required https schemas openid net secevent risc event type account disabled if the request returns http 200 the event stream was successfully configured and your receiver endpoint should start receiving security event tokens the next section describes how you can test your stream configuration and endpoint to verify everything is working correctly together get and update your current stream configuration if in the future you ever want to modify your stream configuration you can do so by making an authorized get request to https risc googleapis com v1beta stream to get the current stream configuration modifying the response body and then posting the modified configuration back to https risc googleapis com v1beta stream update as described above stop and resume the event stream if you ever need to stop the event stream from google make an authorized post request to https risc googleapis com v1beta stream status update with status disabled in the request body while the stream is deactivated google doesn t send events to your endpoint and doesn t buffer security events when they occur to reenable the event stream post status enabled to the same endpoint 3 optional test your stream configuration you can verify that your stream configuration and receiver endpoint are working together correctly by sending a verification token through your event stream this token can contain a unique string that you can use use to verify that the token was received at your endpoint to use this flow make sure to subscribe to https schemas openid net secevent risc event type verification event type when registering your receiver to request a verification token make an authorized https post request to https risc googleapis com v1beta stream verify in the body of the request specify some identifying string state anything for example java public static void testeventstream final string statestring string authtoken throws ioexception objectmapper jsonmapper new objectmapper string json jsonmapper writevalueasstring new object public string state statestring httppost updaterequest new httppost https risc googleapis com v1beta stream verify updaterequest addheader content type application json updaterequest addheader authorization bearer authtoken updaterequest setentity new stringentity json httpresponse updateresponse new defaulthttpclient execute updaterequest header responsecontenttypeheaders updateresponse getheaders content type statusline responsestatus updateresponse getstatusline int statuscode responsestatus getstatuscode httpentity entity updateresponse getentity now handle response testeventstream test token requested at new date tostring authtoken python import requests import time def test_event_stream auth_token nonce stream_verify_endpoint https risc googleapis com v1beta stream verify headers authorization bearer format auth_token state state nonce response requests post stream_verify_endpoint json state headers headers response raise_for_status raise exception for unsuccessful requests test_event_stream auth_token test token requested at format time ctime if the request succeeds the verification token will be sent to the endpoint you registered then for example if your endpoint handles verification tokens by simply logging them you can examine your logs to confirm the token was received error code reference the following errors can be returned by the risc api error code error message suggested actions 400 stream configuration must contain fieldname field your request to the https risc googleapis com v1beta stream update endpoint is invalid or cannot be parsed please include fieldname in your request 401 unauthorized authorization failed be sure you attached an authorization token with the request and that the token is valid and hasn t expired 403 the delivery endpoint must be an https url your delivery endpoint i e the endpoint you expect risc events to be delivered to must be https we do not send risc events to http urls 403 existing stream configuration does not have spec compliant delivery method for risc your google cloud project must already have a risc configuration if you are using firebase and have google sign in enabled then firebase will be managing risc for your project you will not be able to create a custom configuration if you are not using google sign in for your firebase project please disable it and then try to update again after an hour 403 project could not be found make sure you are using the correct service account for the correct project you may be using a service account associated with a deleted project learn how to see all service accounts associated with a project 403 service account needs permission to access your risc configuration go to your project s api console and assign the risc configuration admin role roles riscconfigs admin to the service account that is making the calls to your project by following these instructions 403 stream management apis should only be called by a service account here s more information on how you can call google apis with a service account 403 the delivery endpoint does not belong to any of your project s domains every project has a set of authorized domains if your delivery endpoint i e the endpoint you expect risc events to be delivered to is not hosted on one of them we require that you add the endpoint s domain to that set 403 to use this api your project must have at least one oauth client configured risc only works if you build an app that supports google sign in this connection requires an oauth client if your project has no oauth clients it s likely that risc will not be useful for you learn more about google s use of oauth for our apis 403 unsupported status invalid status we only support the stream statuses enabled and disabled at this time 404 project has no risc configuration project has no existing risc configuration cannot update status call the https risc googleapis com v1beta stream update endpoint to create a new stream configuration 4xx 5xx unable to update status check the detailed error message for more information access token scopes should you decide to use access tokens for authenticating to the risc api these are the scopes your application must request endpoint scope https risc googleapis com v1beta stream status https www googleapis com auth risc status readonly or https www googleapis com auth risc status readwrite https risc googleapis com v1beta stream status update https www googleapis com auth risc status readwrite https risc googleapis com v1beta stream https www googleapis com auth risc configuration readonly or https www googleapis com auth risc configuration readwrite https risc googleapis com v1beta stream update https www googleapis com auth risc configuration readwrite https risc googleapis com v1beta stream verify https www googleapis com auth risc verify need help first check out our error code reference section if you still have questions post them on stack overflow with the secevents tag send feedback except as otherwise noted the content of this page is licensed under the creative commons at...
|