Getting the access token for service account - google-cloud-platform

I have an external project in the Google console that is unverified, and the 100-user cap is not exhausted.
If anybody gets access for some scopes of my project via the OAuth consent screen, can I request an access token via a service account ('sub' => 'that-user@gmail.com') for that user and those scopes?
And what will happen if the project is verified by Google assessors?

Related

Single Sign-on: Microsoft 365 not asking to pick an account

I have implemented SSO for my application. I am using AWS Cognito as the Service Provider and Azure AD as the Identity Provider. The IdP is configured through SAML in Cognito. Below is the URL generated:
https://<my_custom_domain>.auth.us-east-1.amazoncognito.com/oauth2/authorize?identity_provider=<IdP_Name>&redirect_uri=<Callback_url_passed_in_Cognito>&response_type=TOKEN&client_id=<Client_Id>&scope=aws.cognito.signin.user.admin%20email%20openid%20profile&state=transit
In my application, when a user initially tries to log in with their MS 365 account, it asks for user credentials.
But after logging out of the app, if the user attempts to log in again with a different account, it does not ask the user to enter credentials or pick an existing account. It directly logs the app in with the previous account.
Note: if there are multiple MS 365 accounts signed in in my browser, only then does my app ask which account to use. If there is a single MS 365 account present, my app uses that one without asking the user to sign in with a different account.
Since you have specifically mentioned SAML for the Cognito and Azure AD integration, this answer is based on that.
When a SAML service provider (SP) initiates a SAML authentication request with Azure AD, it can set the ForceAuthn parameter to true. With that, Azure AD should always prompt the user to authenticate. Please refer to this document. So that is supported in Azure AD.
But as far as I know, Cognito doesn't support including that parameter in the SAML AuthnRequest. The same concern has been raised in this question as well.
Even though I haven't tried it, I think you should be able to use the sign-out flow in the Cognito SAML configuration along with Azure AD single sign-out. So I believe it should sign the user out from Microsoft and prompt for credentials when the user tries to sign in again.
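To make the ForceAuthn point above concrete, here is an added example (not code from the answer or from Cognito) that builds the SAML 2.0 AuthnRequest an SP would send with ForceAuthn="true", encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and decodes it back to confirm the flag is present. The entity ID, ACS URL and IdP URL are placeholders; the request is unsigned, which is the part Cognito would normally add for you.

```python
"""SAML 2.0 AuthnRequest with ForceAuthn="true", HTTP-Redirect binding round trip.
Added example; entity IDs and URLs are placeholders."""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Return the AuthnRequest XML as a string.

    ForceAuthn="true" asks the IdP to re-authenticate the user even when an IdP
    session already exists; this is the attribute Azure AD honours.
    """
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_str, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_str.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query):
    """Inverse of encode_redirect: returns the AuthnRequest XML string."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def force_authn_requested(xml_str):
    """True iff the AuthnRequest carries ForceAuthn="true"."""
    root = ET.fromstring(xml_str)
    return root.get("ForceAuthn", "false").lower() == "true"


if __name__ == "__main__":
    xml_s = build_authn_request(
        "urn:amazon:cognito:sp:<pool id>",
        "https://<domain>.auth.<region>.amazoncognito.com/saml2/idpresponse",
        "https://login.microsoftonline.com/<tenant>/saml2",
    )
    query = encode_redirect(xml_s, relay_state="opaque-relay-state")
    print(force_authn_requested(decode_redirect(query)))
```

If you capture the SAMLRequest parameter Cognito actually sends to Azure AD, decode_redirect followed by force_authn_requested tells you whether the flag is there.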
I tried to reproduce the same in my environment and got the below results:
Note that:
SSO allows users to authenticate once and access applications without re-entering credentials.
Single Sign-On allows users to log in only once to access applications without having to enter the login information each time.
Hence, if there is only a single MS 365 account present, it doesn't ask the user to pick an account.
For example, I configured SSO and tried to access the below endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=XXXX
&response_type=code
&redirect_uri=redirecturi
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The browser prompted me to pick an account only when there were multiple accounts, like below:
Alternatively, you can make use of prompt=login in the authorize endpoint and enter the credentials to access the application. The prompt will appear like below:
Otherwise, to ensure the Pick an account screen, try creating a conditional policy which requires multi-factor authentication (MFA) or device compliance when the user tries to access the application.
Reference:
Single sign-on - Microsoft Entra | Microsoft Learn
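The answer above shows the authorize URL and suggests prompt=login. The following is an added example (not the answerer's code) of building that request against the Microsoft identity platform with prompt=select_account or prompt=login, a per-request random state, a nonce and a PKCE pair, and of checking the state when the callback arrives. The tenant, client ID and redirect URI are placeholders; the fixed state value the answer uses (12345) is exactly what the random state here replaces.

```python
"""OIDC authorization request with prompt control, random state, nonce and PKCE,
plus the callback state check. Added example; tenant, client id and redirect URI
are placeholders."""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"
ALLOWED_PROMPTS = {"login", "select_account", "consent", "none"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, prompt=None):
    """Return (url, pending); `pending` holds what the callback must match.

    prompt=select_account forces the account picker even with one signed-in
    account; prompt=login forces fresh credentials. `state` is random per request
    so a forged callback cannot be bound to a victim's session.
    """
    if prompt is not None and prompt not in ALLOWED_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def query_params(url):
    """Flatten the query string of `url` into a dict (first value per key)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return {k: v[0] for k, v in qs.items()}


def handle_callback(callback_url, pending):
    """Return the authorization code, or raise if this is not the callback we asked for."""
    qs = query_params(callback_url)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error']}")
    received = qs.get("state", "")
    if not secrets.compare_digest(received.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"]


if __name__ == "__main__":
    url, pending = build_authorize_url(
        "organizations", "<client id>", "https://<app>/callback",
        ["openid", "profile", "email"], prompt="select_account")
    print(url)
    # The code returned by handle_callback is then redeemed at the token endpoint
    # together with pending["code_verifier"]; pending["nonce"] must match the id token.
```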

WSO2 IS: user can login from one pc only at a time

In WSO2 Identity Server, I have a user whose credentials are shared between several people.
When I log in using these credentials, everyone else gets logged out.
Is there any way to change this?
When you have JWT access tokens configured, it revokes the previously issued access token and issues a new one when the same user tries to log in to the same application again, because WSO2 IS has a constraint that the same user, same application and same OAuth2 scope combination can have only one active access token.
To mitigate the issue you are facing when trying to log in to the same application from different devices, you can configure the "Access Token Binding Type" as "SSO Session Based". Then it will allow you to have an access token per SSO session on each browser/device.
You can find this configuration under the OAuth/OpenID Connect Configuration section of the service provider. Also, read more in the documentation.

I'm trying to integrate AWS Cognito with Azure AD for single sign-on, but the page login.live.com/oauth20_authorize.srf is throwing a 404 error

When trying to log in via my AWS Cognito login page via Azure AD with email@live.com credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page throws a 404 error.
Steps:
Created an Azure AD Enterprise Non Gallery Application.
Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
Enabled the AzureAd identity provider under App Client Settings on Cognito.
Allowed OAuth Flows: Authorization code grant, Implicit grant.
Invited an existing xxx@live.com user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
Validated SSO from Enterprise Application > SSO > Validate. It's working correctly, without any errors.
Problem:
When trying to log in via Cognito's login URL: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm redirected to https://login.microsoftonline.com/... where I enter the added user's email ID: xxx@live.com. After clicking Next, instead of a password prompt the page throws a 404 error.
I also tried inviting another user with the email xxx@mydomain.com; this results in the same 404 error.
Tried in different browsers: Chrome, Firefox, Safari. All result in the exact same error.
Azure AD SSO SAML 2.0 integration doesn't work well with personal accounts.
Integrating with OIDC, on the other hand, works really well.
Azure AD integration with AWS Cognito.

How do I get an Amazon Cognito token in Postman without the need for manual steps

I have an existing suite of Postman tests that previously ran against REST services hosted in Azure using Azure AD for auth. Using the token endpoint (https://login.microsoftonline.com/{{tenantId}}/oauth2/token), I was able to obtain an OAuth token for an enterprise app (test app) that had delegated permissions for the application under test.
The apps have been moved to AWS and are now secured with Cognito. I have been unable to find an equivalent workflow that allows me to obtain a token without manual data entry by the user.
The login endpoint requires me to manually enter the user name and password:
How do i integrate amazon cognito login in postman
and
I can set up an app and get an access token, but it does not give me permissions to the APIs, as I cannot add the app to the user group with permissions.
https://lobster1234.github.io/2018/05/31/server-to-server-auth-with-amazon-cognito/
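The linked server-to-server approach uses the client_credentials grant, which issues a token to the app client itself: there is no user behind it, so the token carries no cognito:groups claim, and group-based API permissions cannot apply. The added example below (not code from the question or the linked article) instead obtains tokens for a real pool user without a browser by calling Cognito InitiateAuth with the USER_PASSWORD_AUTH flow, which requires ALLOW_USER_PASSWORD_AUTH to be enabled on the app client, and computes the SECRET_HASH Cognito demands when the app client has a secret. Region, client ID, secret and user are placeholders.

```python
"""Non-interactive Cognito user-pool login for a test harness (USER_PASSWORD_AUTH
with SECRET_HASH). Added example; all identifiers are placeholders."""
import base64
import hashlib
import hmac
import json


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, message=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode (NOT verify) a JWT payload so the test client can look at claims such
    as cognito:groups. Signature verification is the API's job, against the pool's
    JWKS; never trust an unverified payload server-side."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def get_tokens(region: str, client_id: str, client_secret: str,
               username: str, password: str) -> dict:
    """Call Cognito InitiateAuth and return AuthenticationResult
    (IdToken, AccessToken, RefreshToken, ExpiresIn, TokenType)."""
    import boto3  # imported lazily so this module loads where boto3 is absent
    client = boto3.client("cognito-idp", region_name=region)
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:  # only app clients with a secret require SECRET_HASH
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters=params,
    )
    if resp.get("ChallengeName"):  # e.g. NEW_PASSWORD_REQUIRED or SMS_MFA for this user
        raise RuntimeError(f"unexpected auth challenge: {resp['ChallengeName']}")
    return resp["AuthenticationResult"]


if __name__ == "__main__":
    # Placeholder values; a Postman pre-request script makes the same InitiateAuth
    # call and stores AccessToken in an environment variable for later requests.
    tokens = get_tokens("ap-southeast-1", "<app client id>", "<app client secret>",
                        "<test username>", "<test password>")
    print(decode_jwt_payload(tokens["AccessToken"]).get("cognito:groups"))
```

Use a dedicated test user placed in the group the API authorizes on, and keep its password in Postman's secret-typed environment variables rather than in the collection.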

OAuth2 server for getting an AWS Cognito User Pool token?

I am attempting to allow a third-party app (Google Home) to access information from an AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our OAuth2 page where they log into their account in the Cognito user pool.
They successfully log in and are provided with an OAuth token.
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to set up the Cognito user pool as an OAuth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities), but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Log in to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URLs, as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://<domain>.auth.<region>.amazoncognito.com/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=<response_type>, and in the same way you can find the token endpoint.
More details...
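Once Cognito is the OAuth2 provider, the backend that Google Home calls has to validate the bearer token and use it to confine each request to the caller's own devices (the requirement in the question). Here is an added example (not code from the answer or from Cognito) of the claims checks a resource server applies to a Cognito user-pool access token after its RS256 signature has been verified against the pool's JWKS at https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json, returning the `sub` that keys device ownership. Region, pool ID, client ID and the DEVICES table are placeholders and constructed sample data.

```python
"""Claims validation for a Cognito user-pool access token (post-signature-check)
and the per-user device ownership check built on it. Added example; identifiers
and the DEVICES table are placeholders / constructed sample data."""
import time

# Constructed sample data: which user (by Cognito `sub`) owns which device.
DEVICES = {
    "thermostat-1": {"owner": "sub-alice"},
    "lock-7": {"owner": "sub-bob"},
}


def cognito_issuer(region: str, pool_id: str) -> str:
    """Issuer string Cognito puts in the `iss` claim of every token it mints."""
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"


def validate_access_token_claims(claims: dict, region: str, pool_id: str,
                                 client_id: str, now=None, leeway: int = 60) -> str:
    """Return the caller's `sub`, or raise ValueError.

    Cognito access tokens carry `client_id` (id tokens carry `aud` instead) and
    `token_use` == "access"; an API must refuse id tokens presented as bearer tokens.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != cognito_issuer(region, pool_id):
        raise ValueError("issuer mismatch: token is not from this user pool")
    if claims.get("token_use") != "access":
        raise ValueError("token_use is not 'access'")
    if claims.get("client_id") != client_id:
        raise ValueError("token was issued to a different app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("token expired or exp missing")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("sub missing")
    return sub


def has_scope(claims: dict, required: str) -> bool:
    """Cognito's `scope` claim is one space-separated string."""
    return required in claims.get("scope", "").split()


def can_control(sub: str, device_id: str) -> bool:
    """Ownership check: a validated caller may only act on devices they own."""
    device = DEVICES.get(device_id)
    return device is not None and device["owner"] == sub


def handle_device_command(claims: dict, device_id: str, region: str,
                          pool_id: str, client_id: str, now=None) -> bool:
    """Full authorization decision for one request: valid token, right scope, owned device."""
    sub = validate_access_token_claims(claims, region, pool_id, client_id, now=now)
    return has_scope(claims, "devices/control") and can_control(sub, device_id)
```

Signature verification comes first: look up the token's `kid` in the pool's JWKS, verify RS256, and only then feed the decoded claims to validate_access_token_claims. Cache the JWKS and re-fetch it on an unknown `kid`, since Cognito rotates signing keys.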