Using WSO2AM 2.1.0 we have a question.
By default the applications of the store are created by subscriber and each subscriber can see only own application (what makes sense).
However here we have an environment where admins want to create a clientapplication configuration and then just pass client credentials to the clients (or developers). In this case - is it possible for admins could see/access applications of other admins?
Edit: I thought I could see applications of other users in the carbon console logged in as an administrator (under service providers). but apparently I see only mine .
Thank you in advance
Have you enabled the application sharing feature?
https://docs.wso2.com/display/AM220/Sharing+Applications+Between+Multiple+Groups
Related
Assume that there is an application, SPA, that uses Google OAuth2.0 to access the Google Drive API.
Reading the docs, the application flow seems familiar enough on the client-side specially with Google's JavaScript library for authentication. However, I have stumbled upon a roadblock during application registration phase.
When creating the credentials for our client application, I am redirected to fill out the form at the OAuth Consent Screen first. There, among other things it demands us to declare whether the application is in Testing or In Production phase, so it can decide whether the app will be available to everyone or to Test Users only.
Assume I create a project for our application and set it on testing at first and then change it to production once I am ready to publish (with a new set of credentials as well).
My question is this. What if development continues on the application for new features while one instance of the app is in production? During development and testing I would need to restrict the application to my Test Users alone. Since the OAuth consent screen is project specific, not credential specific, will I require multiple projects on the console for every environment in which the application is running?
As in,
Project MyAppTesting will permanently remain in testing mode and will denote our development/testing branch.
Project MyAppProduction is always in production and denotes my production branch.
Similarly for the mobile client:
A MyMobileAppDev project having credentials configured with the debug keystore hash
A MyMobileAppProd project having credentials configured with the production keystore hash.
(both sets of credentials share the same package name).
Is this the idiomatic way? I failed to find any documentation on the matter. Please advise.
What #JohnHanley stated is the best way and the best practice when deploying application/s in GCP.
You can create multiple projects and create different Oauth for each of the projects. Check out this link on service accounts.
In addition to that, there are also some pros and cons when it comes to billing.
Pros:
Users consider having multiple billing accounts with respective projects assigned for each account to be able to see their billing details separately. In this way you can monitor the billing for each of the respective projects for each account.
Cons:
Attaching all the projects to one billing account, however, the billing reports will show all of the sum of the cost for all the projects, but you can still use the filter menu to be able to see the charges for each project.
I'm currently building a web application that works with the Gmail API. I'm waiting for approval from Google's security team to have a proper OAuth connection, but I noticed that users can pre-approve your application by searching within the API Controls settings by your App ID.
This setting is located in the Google Account via: Admin Panel > Security > API Controls > App Access Control.
I noticed that if a user does this before they try to connect your app it doesn't go against your 100 account limit within Google Developer Console while in beta.
My question is, could you have this as permanent solution to get around the Google OAuth application if Google never approves you? Of course, through this method the user is still giving permission, just curious if this has been done by anyone before.
Yes, this is allowed when all your users are Google Workspace users, and is listed under exceptions to verification requirements here: https://support.google.com/cloud/answer/9110914?hl=en. If your application is meant for a broad set of users, completing app verification is necessary.
Yes, this is allowed when all your users are Google Workspace users, and is listed under exceptions to verification requirements here: https://support.google.com/cloud/answer/9110914?hl=en. If your application is meant for a broad set of users, completing app verification is necessary.
Help
I installed WSO2 APIM 2.6.0 using a distributed deployment (pattern 2) and I enabled Application Sharing in order to allow a group of users (with the same organization value) to be able to manage the organization applications.
For testing purpose, I created a user "user1" with organization "myorg". Then logged in with user1 and created an application "app1" with the group "myorg". After that, I logged in with another user belonging to the same organization and I am able to see the "app1" application. I'm also able to manage the application subscriptions, however I cannot edit and delete the application event if I assign the admin role.
Is there any way to able users from the same organization to modify shared applications?
Application owners are able to share their Applications with others users who belong to the same group. Still, application edit privilege is granted to the app owner only, others can only view the application. This behavior is expected.
If you need to grant application edit privilege to another user, admin has to change the ownership of the application. Then the new owner can edit the application.
Note: The owner changing UI is available in 2.6.0 as a WUM update only and will be there in the next public release. However, this is available in the admin API in the latest released versions.
WSO2 experts
I downloaded the WSO2 AppFactory, but couldn't login into the web console with admin/admin. Has the default password changed?
Regards,
Terry
Please try with the following credentials
Username:admin#admin.com
password:admin
If you just tried with a downloaded 'binary' set-up of WSO2 App Factory; this will only allow you to log in to the Carbon admin console of the App Factory (If you just clicked on and visited the URL, that was printed on the server console). This Carbon admin console does not have any App Factory specific functionality which you might expect [WSO2 Carbon is the underlying platform which is used by all of the WSO2 products].
Since App Factory runs having few other servers alongside (such as WSO2 AS, WSO2 ELB, Jenkins, Redmine etc) this set up that you are running will not provide the same User interfaces or functionality which you have observed within the setup provided with https://appfactorypreview.wso2.com/samlsso .
I just thought to leave this answer, because; you would get disappointed after spending your time expecting the same Application (User Interfaces) available with the online setup (which I have mentioned with the hyperlink) by running the binary setup(wso2appfactory-1.0.0.zip) that you have downloaded from the WSO2 Web site.
WSO2 folks,
I'm looking at WSO2 Application Server, and I created a web app to invoke System.exit(), which brings down the whole app server. I'm asking because the apps from multiple tenants could be running on the same Application Server, and we need to prevent a malicous tenant from killing the whole JVM.
My first thought was to use a SecurityManager to restrict the access, but I'm not sure where should I set the SecurityManager, and how should I code the SecurityManager to ensure a secure app server.
Is SecurityManager the correct approach, or is there some other way to accomplish my requirement?
It has been protected using Java Security Manager and system is configured with policies ,which do not allow such calls.