I have created a domain through the Directory API in Java. Now I need to verify this domain before I can add users to it. Can this be done through the Admin SDK APIs?
I'm trying to build a plugin for a WordPress app that uploads files to the user's Google Drive space. I don't want the end user to create the Cloud Console project, but rather just have him give consent so the plugin can access the needed data from his Google Drive account.
When I create OAuth 2.0 Client IDs in the Google Cloud Console (Web Application), Google asks for Authorized JavaScript origins and Authorized redirect URIs. Since the plugin will be portable and can be installed on different websites I can't define this.
How can this be solved so that OAuth2 authentication by the user can be done without knowing the URL where the app is running?
Thanks
You can't. The redirect URI must be configured properly, to point to the web server the authorization code flow is running on.
You will need to instruct your users in how to create their own client.
Also, as this is a WordPress application, you would need to share your client ID and secret with the users. This is also against Google's TOS.
Possible workaround:
If you put up an authorization server on your own server, the users of your app could then log in through that. A refresh token will be returned to their website running your app and stored locally. Your code could then run using the refresh token to access their data.
However you are then going to be responsible for verifying an app with google drive scopes.
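The two points in this answer (the provider will only send a code to an exactly registered redirect URI, and a broker server you run can own that single redirect so the installing sites never need their own client) as an added, offline example that is not from the original post. The provider is a stand-in class, not Google's API, and every URL, client ID and token is constructed for illustration.

```python
# Added example (not from the original post): an offline simulation of the
# authorization-code flow with a stand-in provider and a broker server.
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class StandInAuthServer:
    """Plays the role of Google's authorization server (constructed, not the real API).
    Registered redirect URIs are matched as exact strings, and each code is single-use
    and bound to the redirect_uri it was issued for."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret": str, "redirect_uris": set[str]}
        self.codes = {}     # code -> {"client_id", "redirect_uri", "exp", "used"}

    def register_client(self, redirect_uris):
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(24)
        self.clients[client_id] = {"secret": client_secret, "redirect_uris": set(redirect_uris)}
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, state):
        """Consent step (consent assumed granted); returns the URL the browser is sent back to."""
        client = self.clients.get(client_id)
        # Exact match only: a prefix or wildcard match would let an attacker-controlled
        # path or host receive the code, which is why the redirect must be fixed up front.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("redirect_uri_mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "exp": time.time() + 60, "used": False}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        rec = self.codes.get(code)
        if rec is None or rec["used"] or rec["exp"] < time.time():
            raise PermissionError("invalid_grant")
        # The redirect_uri presented here must equal the one the code was issued for.
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        rec["used"] = True
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": secrets.token_urlsafe(32),
                "expires_in": 3600}


class Broker:
    """Your own server: the single registered redirect_uri points here, so sites that
    install the plugin never need a Google client of their own."""

    def __init__(self, auth_server, redirect_uri):
        self.auth_server = auth_server
        self.redirect_uri = redirect_uri
        self.client_id, self.client_secret = auth_server.register_client([redirect_uri])
        self.pending = {}   # state -> site URL that started the login

    def start_login(self, site_url):
        state = secrets.token_urlsafe(16)        # binds the callback to this login attempt
        self.pending[state] = site_url
        return self.auth_server.authorize(self.client_id, self.redirect_uri, state)

    def callback(self, callback_url):
        qs = parse_qs(urlparse(callback_url).query)
        state, code = qs.get("state", [""])[0], qs.get("code", [""])[0]
        site_url = self.pending.pop(state, None)   # unknown or replayed state: reject (CSRF)
        if site_url is None:
            raise PermissionError("bad_state")
        tokens = self.auth_server.token(self.client_id, self.client_secret, code, self.redirect_uri)
        # The refresh token is then delivered to the site that started the flow, over TLS,
        # and stored there; the client secret never leaves the broker.
        return site_url, tokens["refresh_token"]


def run_flow(site_url="https://some-blog.example/wp-admin/drive-plugin/cb"):
    auth_server = StandInAuthServer()
    broker = Broker(auth_server, "https://broker.example/oauth/callback")
    return broker.callback(broker.start_login(site_url))


def unregistered_redirect_is_rejected():
    """Asking for the code to be sent straight to the plugin site fails, because that
    site is not a registered redirect_uri."""
    auth_server = StandInAuthServer()
    broker = Broker(auth_server, "https://broker.example/oauth/callback")
    try:
        auth_server.authorize(broker.client_id, "https://some-blog.example/wp-admin/cb", "s")
    except PermissionError as err:
        return str(err)
    return None


def replayed_callback_is_rejected():
    auth_server = StandInAuthServer()
    broker = Broker(auth_server, "https://broker.example/oauth/callback")
    url = broker.start_login("https://some-blog.example/cb")
    broker.callback(url)
    try:
        broker.callback(url)
    except PermissionError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(run_flow())
    print(unregistered_redirect_is_rejected(), replayed_callback_is_rejected())
```

The broker is also the party whose app gets verified for Drive scopes, since it holds the client secret and the refresh tokens pass through it; the `state` check is what stops a third party from attaching a code obtained elsewhere to someone else's site.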
My question is how a 3rd party developer would login users through my Identity Platform? I looked at the documentation but found nothing.
Essentially I want to use Identity Platform as an OIDC Provider, but I don't know if that's supported.
Cloud Identity Platform is based on the Firebase Auth product (literally, because the documentation and the JavaScript to add are still in the Firebase perimeter!).
This product allows you to delegate the authentication to a third party, either Firebase Auth if you use login/password authentication, or a connected Identity Provider (IdP).
There are several built-in IdPs like Google, LinkedIn, Facebook, Twitter, ... and you can add a custom Auth0 provider (SAML) and OAuth2 provider (OIDC).
The platform only allows you to perform an authentication and then redirect the user to YOUR app. Then it's up to YOUR app to ensure the correct authorisations and roles of the user.
All of this is to say:
Think about the Firebase Auth feature: originally, it was designed to authenticate users who want to connect to a mobile app on Android. Today it's the same thing but, in addition, for your web app.
It's designed for YOUR application with YOUR roles and authorisations. By the way, if your target is to allow your 3rd-party developers to log into the Google Cloud console thanks to this authentication mode, it's not possible.
But stay tuned, awesome things are coming soon in this field.
John is right, more details would help. But if I had to guess, you are referring to the fact that Google Cloud Platform IAM does not handle the identity part, only authorisation. You could, however, use G Suite or Google Directory Sync (which can integrate with an LDAP server or Active Directory).
You can refer to the link below which shows you how you can integrate with OIDC:
https://cloud.google.com/solutions/authenticating-corporate-users-in-a-hybrid-environment
For a reporting application deployed on AWS, it is required to enable SSO for the users to access it:
The users are to access the application from their office PCs only within the company network.
The application endpoints are protected by an API gateway to only allow access from internal company network.
Once the user clicks on the URL for the reporting application, the app should authenticate the logged-in user against the enterprise AD to ensure that the logged-in user is a valid one and that they belong to the correct AD groups that are allowed access to the application.
If the authentication and authorization checks pass, then the application should allow access to the user, or else prompt a login page to enter the credentials manually.
Can you advise what would be the best approach to set this up? We have ADFS deployed on our company infrastructure (not sure of the version), so I was wondering if we could use that, or instead rely on Windows Kerberos authentication to get tokens to allow the user access.
What would be a better approach, or more importantly, what would be faster to set up? I'm completely new to SSO and ADFS in general, so I appreciate your responses.
Thanks!
Raunak
I would recommend you use ADFS, as it is much easier to integrate web apps with ADFS compared to Kerberos.
Kerberos might be tricky. I see you mentioned the reporting app will only be used from the company's internal network, but you may still get into trouble with Kerberos because it requires a certain browser setup on the end-user machines. On Windows you will have to ensure some IE settings:
IE -> Internet Options -> Security -> Local intranet -> Custom Level -> make sure "Automatic logon only in Intranet zone" is selected.
IE -> Internet Options -> Advanced -> make sure "Enable Integrated Windows Authentication" is on.
It is very likely that you will also need to add your reporting application URL to the list of intranet sites and trusted sites on each user's PC (in case you use a custom domain name for your app, i.e., not a local server name in your domain).
Browsers other than IE may need a different setup; you can read more details here.
I believe it is also a bit more complicated to work with the AD groups, as you can only get a user name from a Kerberos token. Then you will have to make an additional call directly to AD to find the user's groups. With ADFS you can get groups right from the token (as claims).
Here is a good manual on how to integrate your web app with ADFS: https://auth0.com/docs/connections/enterprise/adfs
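The group-claims point above, as an added example that is not from the original answer: the application reads the group claims an ADFS token carries and enforces its own allow-list, which is the step a Kerberos ticket would instead force you to do with a separate AD lookup. The assertion is constructed, the claim type URIs are assumptions that depend on the claim rules configured on the ADFS relying party, and signature/audience validation is assumed to have been done already by your SAML library (it is not shown here).

```python
# Added example (not from the original answer): extract ADFS group claims from a
# SAML assertion and enforce an allow-list in the application.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim type URIs are assumptions: which ones ADFS emits depends on the claim rules
# you configure for the relying party.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (a real one is signed and carries conditions/audience).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>raunak@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>raunak@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Reporting-Viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {claim_type: [values]} from the AttributeStatement.
    Only call this on an assertion whose signature your SAML library has already verified."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def issuer_of(assertion_xml):
    return (ET.fromstring(assertion_xml).findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()


def authorize(assertion_xml, allowed_groups, expected_issuer):
    """Authorization the app itself must do: check the issuer is the ADFS you trust and the
    user holds at least one allowed group. Group names compare case-insensitively, as AD does.
    Returns {"user": upn, "groups": [matched groups]} or raises PermissionError."""
    if issuer_of(assertion_xml) != expected_issuer:
        raise PermissionError("untrusted issuer")
    claims = extract_claims(assertion_xml)
    upn = next(iter(claims.get(UPN_CLAIM, [])), None)
    if not upn:
        raise PermissionError("no upn claim")
    allowed = {g.casefold() for g in allowed_groups}
    matched = [g for g in claims.get(GROUP_CLAIM, []) if g.casefold() in allowed]
    if not matched:
        raise PermissionError(f"{upn} is not in any allowed group")
    return {"user": upn, "groups": matched}


def check_denied(assertion_xml, allowed_groups, expected_issuer):
    """Return the denial reason, or None if access would be granted."""
    try:
        authorize(assertion_xml, allowed_groups, expected_issuer)
    except PermissionError as err:
        return str(err)
    return None


if __name__ == "__main__":
    issuer = "http://adfs.corp.example/adfs/services/trust"
    print(authorize(SAMPLE_ASSERTION, {"Reporting-Viewers"}, issuer))
    print(check_denied(SAMPLE_ASSERTION, {"Finance-Admins"}, issuer))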
I have a custom C# Windows Forms application. How can I authenticate to Office 365 SharePoint Online in order to issue HttpWebRequests to customer web sites using ACS tokens?
The user will provide a username and password, and based on that I want to generate an ACS token that will allow the application to make requests on the customer web site. Also, I want to be able to regenerate the token if it's expired, without re-prompting for username and password if possible.
If this were a provider-hosted app, then no problem, it is easy to do, but how can I achieve this from a custom application which is not a SharePoint app?
You will have to rewrite the code which supports the [SharePointContextFilter] attribute, which does the work in a provider-hosted app. Or port your Web Forms application to a provider-hosted app template and deploy.
I want to upload a file to a website via a desktop app and then take the user to the website. The website has a web service, but it requires authentication, as does the web site. Is there a way to do this without forcing the user to authenticate twice (once in the desktop app and once in the web browser)?
Unfortunately, you can't prefill an input of type file for security reasons, which makes sense, since the user won't want you uploading arbitrary files from his/her computer. But if they have a desktop app, is there some way around this?
Or maybe make the user log into the web app first, and then the authentication cookie can be reused?
Any other ideas?
Thanks,
Ben
I would use the desktop app as a client to the website app via an API.
So, log in via the desktop app. The API returns an authentication token (as Carlos suggested), which might be an md5 hash stored in your database for a certain period of time, possibly matched to the client's IP address.
The desktop app can then make calls on the API (like uploading a file) as an authenticated user (by using the auth token).
When loading the website, perhaps the URL is http://website/login/{auth_token}, where the auth token is added to the URL. The API can check to see if it's a valid auth token and consider the user logged in.
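The desktop-to-browser hand-off described in this answer, as an added example that is not from the original post. It swaps in a random single-use hand-off token that expires after 60 seconds and is stored only as a SHA-256 digest, instead of the md5 value and IP match the answer suggests; the user store, clock and website URL are constructed so it runs offline.

```python
# Added example (not from the original answer): API login from the desktop app, then a
# short-lived single-use hand-off token that logs the same user into the browser.
import hashlib
import hmac
import secrets
import time

HANDOFF_TTL_SECONDS = 60   # long enough to open a browser, short enough to limit log/Referer leakage


def _hash_password(password, salt):
    # Constructed user store: salted PBKDF2, never plain or unsalted md5.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = secrets.token_bytes(16)
USERS = {"ben": (_SALT, _hash_password("correct horse battery staple", _SALT))}


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.api_sessions = {}   # api session id -> username (held by the desktop app)
        self.handoffs = {}       # sha256(hand-off token) -> {"user": ..., "exp": ...}
        self.web_sessions = {}   # browser session id -> username

    def login(self, username, password):
        """Desktop app login against the API; returns an API session id or None."""
        rec = USERS.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.api_sessions[sid] = username
        return sid

    def create_handoff(self, api_session_id):
        """Mint a hand-off token for an authenticated API session. Only the digest is stored,
        so a copy of the database cannot be used to log in as the user."""
        user = self.api_sessions.get(api_session_id)
        if user is None:
            raise PermissionError("not authenticated")
        token = secrets.token_urlsafe(32)   # raw value goes to the desktop app only
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.handoffs[digest] = {"user": user, "exp": self.clock() + HANDOFF_TTL_SECONDS}
        return token

    def handoff_url(self, token):
        # Constructed URL in the shape the answer suggests; the desktop app opens it in the browser.
        return f"https://website.example/login/{token}"

    def redeem_handoff(self, token):
        """Called by the website's /login/{token} endpoint. Returns a browser session id,
        or None if the token is unknown, already used, or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self.handoffs.pop(digest, None)   # pop makes it single-use: a replay finds nothing
        if rec is None or rec["exp"] < self.clock():
            return None
        web_sid = secrets.token_urlsafe(32)
        self.web_sessions[web_sid] = rec["user"]
        return web_sid


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("ben", "correct horse battery staple")
    token = store.create_handoff(sid)
    print(store.handoff_url(token))
    print(store.redeem_handoff(token) is not None, store.redeem_handoff(token))
```

The IP match from the answer is left out on purpose: desktop and browser traffic from the same PC normally share an address anyway, and behind corporate NAT or proxies a match proves little. Single use plus a short TTL is what actually limits a token that leaks through browser history, proxy logs or the Referer header.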
You could generate an authentication token that could later be used on the website.
It all depends on the type of authentication of the service and the site. Is it integrated Kerberos, WS-Auth, Basic/Digest HTTP, or forms/cookie?
This answer will most likely not work in the very general users-on-the-wide-open-web scenario, but in intranet contexts, using Windows Authentication (on an ASP.NET solution) would provide this.