Can external apps modify SSO settings? - google-admin-sdk

Can an app external to a G-Suite organization manage its SSO settings?
I started by trying to create a client ID/secret for my app as per https://support.google.com/cloud/answer/6158849
A prerequisite for getting a client ID/secret is configuring the app's Consent Screen as per https://support.google.com/cloud/answer/6158849#userconsent
When looking at the "Add Scope" modal, I only see:
Admin SDK ../auth/admin.reports.audit.readonly
Admin SDK ../auth/admin.reports.usage.readonly
How do I get a scope that would allow my app write access to another G-Suite organization's SSO settings?
I am not trying to manage my G-Suite organization's SSO settings.

What you want cannot be achieved essentially because you cannot manage someone else's G-Suite organization's SSO settings. Therefore, no scopes are available for this option.
But if you have access to the domain mentioned, you can use this scope which is the global scope for access to all domain settings.
https://apps-apis.google.com/a/feeds/domain
According to the documentation:
To request access using OAuth 2.0, your application needs the scope information, as well as information that Google supplies when you register your application (such as the client ID and the client secret).

The old admin settings API is still working for SSO settings, just tried. You can manage the SSO settings of any organization that has enabled your project ID with the scope https://apps-apis.google.com/a/feeds/domain/ via a Marketplace install (they install your app) or a manual install as described here.

Related

How to authorize via Google API from WebApp with an unknown URL?

I'm trying to build a plugin for a WordPress App, that uploads files to the user's Google Drive space. I don't want the end user to create the Cloud Console Project, but rather just have him give consent so the plugin can access the needed data from his Google Drive account.
When I create OAuth 2.0 Client IDs in the Google Cloud Console (Web Application), Google asks for Authorized JavaScript origins and Authorized redirect URIs. Since the plugin will be portable and can be installed on different websites I can't define this.
How can this be solved that an OAuth2 Authentication by the user can be done, without knowing the URL where the app is running?
Thanks
You can't. The redirect URI must be configured properly, to point to the webserver the code authorization is running on.
You will need to instruct your users in how to create their own client.
Also as this is a WordPress application, you would need to share your client id and secret with the users. This is also against Google's TOS.
Possible workaround:
If you put up an authorization server on your own server, the users of your app could then log in through that. A refresh token will be returned to their website running your app and stored locally. Your code could then run using the refresh token to access their data.
However you are then going to be responsible for verifying an app with Google Drive scopes.

Google Workspace Marketplace SDK unexpectedly removing OAuth scopes from App Configuration

I have a private Drive app that uses the Google Workspace Marketplace SDK. It uses a service account that gets access to the necessary OAuth scopes after an admin has installed the app in the Marketplace. The list of OAuth scopes it should get access to can be configured in the App Configuration page of the Google Workspace Marketplace SDK.
It has happened more than twice now that Google unexpectedly removes the OAuth scope needed by the app (https://www.googleapis.com/auth/drive.file) in the App Configuration and all that is left are the default userinfo.email and userinfo.profile scopes. This seems to occur whenever the add-on is uninstalled and then reinstalled in the Google Workspace Marketplace.
Is there a reason why Google would do this? Can this also happen for public Google Workspace Marketplace add-ons?
It would be very impractical as it means we would have to check regularly whether it has been removed, and if it is removed before a customer installs it, the add-on won't work and will have to be reinstalled/configured with help.

Google API OAuth When User Gives Approval From App Access Control

I'm currently building a web application that works with the Gmail API. I'm waiting for approval from Google's security team to have a proper OAuth connection, but I noticed that users can pre-approve your application by searching within the API Controls settings by your App ID.
This setting is located in the Google Account via: Admin Panel > Security > API Controls > App Access Control.
I noticed that if a user does this before they try to connect your app it doesn't go against your 100 account limit within Google Developer Console while in beta.
My question is, could you have this as a permanent solution to get around the Google OAuth application if Google never approves you? Of course, through this method the user is still giving permission, just curious if this has been done by anyone before.
Yes, this is allowed when all your users are Google Workspace users, and is listed under exceptions to verification requirements here: https://support.google.com/cloud/answer/9110914?hl=en. If your application is meant for a broad set of users, completing app verification is necessary.

Enable SSO for application on AWS by integrating with on-premise AD

For a reporting application deployed on AWS it is required to enable SSO for the users to access it -
The users are to access the application from their office PCs only within the company network.
The application endpoints are protected by an API gateway to only allow access from internal company network.
Once the user clicks on the URL for the reporting application, the app should authenticate the logged in user with the enterprise AD to ensure that the logged in user is a valid one and that they belong to the correct AD groups that are allowed access to the application.
If the authentication and authorization check is passed then the application should allow access to the user, or else prompt a login page to enter the credentials manually.
Can you advise what would be the best approach to set this up? We have ADFS deployed on our company infrastructure (not sure of the version) so was wondering if we could use that or instead rely on Windows Kerberos authentication to get tokens to allow the user access.
What would be a better approach or more importantly what would be faster to setup. Completely new to SSO and ADFS in general so appreciate your responses.
Thanks!
Raunak
I would recommend you use ADFS as it is much easier to integrate web apps with ADFS compared to Kerberos.
Kerberos might be tricky. I see you mentioned the reporting app will only be used from the company's internal network, but you may still get into trouble with Kerberos because it requires certain browser setup on the end user machines. On Windows you will have to ensure some IE settings:
IE -> Internet Options -> Security -> Local intranet -> Custom Level -> make sure "Automatic logon only in Intranet zone" is selected.
IE -> Internet Options -> Advanced -> make sure "Enable Integrated Windows Authentication" is on.
It is very likely that you will also need to add your reporting application URL to the list of intranet sites and trusted sites on each user's PC (in case you use a custom domain name for your app, i.e. not a local server name in your domain).
Browsers other than IE may need a different setup, you can read more details here.
I believe it is also a bit more complicated to work with the AD groups as you can only get a user name from a Kerberos token. Then you will have to make an additional call directly to AD to find the user's groups. With ADFS you can get groups right from the token (as claims).
Here is a good manual on how to integrate your web app with ADFS: https://auth0.com/docs/connections/enterprise/adfs
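As an added illustration of the point above that the AD-group check can be made directly on the claims in the ADFS token (example code written for this page, not from the answer's author or from Auth0): a small Python authorizer that verifies the token's signature, issuer, audience and expiry before admitting the user only if one of their group claims is in an allow-list. The issuer, audience and group names are hypothetical, and the sample token is constructed and HMAC-signed so it verifies offline; a real ADFS token is RS256-signed with the certificate from the farm's federation metadata.

```python
import base64, hashlib, hmac, json, time

# Everything below is constructed for this example. A real ADFS token is RS256-signed
# with the certificate published in the farm's federation metadata; HMAC-SHA256 is
# used here only so the sample verifies offline with the standard library.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://adfs.example.corp/adfs"      # hypothetical ADFS issuer
EXPECTED_AUDIENCE = "urn:reporting-app"                  # hypothetical relying party id
ALLOWED_GROUPS = {"ReportingApp-Users", "ReportingApp-Admins"}  # hypothetical AD groups

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the authorizer can be exercised offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(token: str, now=None):
    """Return (allowed, reason); signature, issuer, audience and expiry are checked before the group claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected signing algorithm"   # never let the token choose the algorithm
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "unexpected issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "token was not issued for this application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # ADFS emits group membership as a multi-valued claim; a lone string is normalised to a list
    groups = claims.get("groups", [])
    if isinstance(groups, str):
        groups = [groups]
    matched = ALLOWED_GROUPS.intersection(groups)
    if not matched:
        return False, f"{claims.get('upn')} is in none of the allowed groups"
    return True, f"{claims.get('upn')} allowed via {sorted(matched)}"
```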

Get a list of users on a Google Apps domain

We have an app in the Google Apps Marketplace (the new one, i.e. using OAuth2) which needs to get a list of users in the domain.
We're currently using the Provisioning API for this (which we know is deprecated, but there seems to be no better option). Lately however, we're starting to get "You are not authorized to access this API" 403's, for some domains.
Does anyone know why we're suddenly getting 403's, a bug perhaps? There seem to be some other bugs as well, for example the scope https://apps-apis.google.com/a/feeds/user/#readonly doesn't work, but https://apps-apis.google.com/a/feeds/user/ does.
Does anyone know when it will be possible to start using the new Admin SDK Directory API to get a list of users? This isn't possible now because even when an administrator installs the app, it would only work if they go to their domain security settings and manually check "Enable API Access", see the related question here: How can I access user info on a domain without the domain administrator enabling API access?
You can start using the Admin SDK Directory API. The question you linked to was regarding the case where an admin explicitly disables API access. When they install an app, we re-enable that setting and let them know.
Not sure about the 403s but that is an older API that is replaced by the Admin SDK.