What service can I use to verify a checking account? - web-services

My user enters in their routing and account number as well as their bank website login credentials. I want to send that info to an API that tells me whether it's valid. Coinbase for instance uses such a service when you add an account (but they won't disclose which service they use).

Yodlee (http://interactive.yodlee.com/products/iav-api) and Intuit (https://developer.intuit.com/us#CustomerAccountDataAPI).
I chose the latter, because I read that they're easier to integrate with and have lower pricing.

Related

Using Google Cloud, how to impersonate a single user with a service account?

On Google Workspace, I have created an email that I only need to check programmatically.
For that, I'm going to use Push Notifications but I'm not really sure about the authentication part.
Apparently, the only way for a service account to access (impersonate) a user's mailbox would be via domain-wide delegation, something Google doesn't recommend if there's another way.
"Avoid using domain-wide delegation if you can accomplish your task directly with a service account or by using the OAuth consent flow."
My question: what other ways are there?
Is it technically possible for a service account to impersonate a single user?
Regarding the OAuth consent flow, how could I make it work (how would the user consent in this case) considering this would be server to server communication?

Can GCP service account keys be used as a direct substitute for Cloud Endpoints api keys?

Is it possible to create google API KEY programmatically?
I did see the above question but I wanted to verify its functionality for my use case. I have a REST api deployed to Google App Engine that I want to introduce some api key mechanism for external users. I'm not making a website where I would just be trying to make sure it's only my code talking to my code from front-end to back-end, it's a public api that anyone with valid credentials is able to access.
Google Cloud Endpoints will only authenticate api keys generated through GCP, so my thinking goes that if it's possible to create a service account and associated ServiceAccountKey via http request, then it could be plausible to generate api keys (service account keys) for any prospective user by generating a service account per user and then giving them the relevant private key that will allow them to authenticate through Cloud Endpoints (jwt signing?).
It sounds like a good plan to me but in all likelihood I'm missing something that makes this a terrible idea. Thoughts? Has this been done before/proven?
TL;DR: Wrong way
First, an API key on GCP can only authenticate a GCP project, not a user or service account.
Then, a service account key file is not an API key. It's a secret identity that you can use to generate an OAuth2 JWT token (identity token) in accordance with the OAuth2 flow. This identity token can be provided for authentication (and it's valid for only 1 hour).
In addition, you are limited to 100 service accounts per project, and the purpose of a service account is to authenticate an app, not a user. If you want to authenticate users, I recommend you have a look at Cloud Identity Platform.
Finally, API key generation has evolved very recently (about 1 month ago) and ... I would like to find the doc again, but it's a dead link. Maybe the beta is not ready yet.
Note: Maybe the answer that I performed here (just now) can help you?

Display specific service after AWS Console login

I have configured AWS to use Google as an IdP with SAML logins. AWS is the RP.
I'd like to send a specific role directly to the service they are concerned with. The users in question are only concerned with billing and seem to be overwhelmed by having to choose among the many AWS services.
Is there a way, with SAML logins, to specify that
users in the e.g. "billing" group should end up directly at: https://console.aws.amazon.com/billing/home
users in "DBA" group should end up directly at https://console.aws.amazon.com/rds/home
when specifically used with G-Suite?
When you configure your identity provider, you should be able to send an additional RelayState parameter. More information can be found here.

Account Linking In Alexa

We are building a complete serverless architecture using AWS services for all of our APIs (using API Gateway + Lambda functions + DynamoDB), and to control our devices we are using the aws-iot platform. Mobile-to-device interaction will happen over aws-iot. On the mobile side we are using Firebase for user management, and all business logic is in Lambda functions. Now we want to work with Alexa within our existing architecture flow, but we are confused by the account linking part. Do we have to implement our own auth server which will take care of the authorization part, or should we move to Cognito user pool + Login with Amazon, so that we will have user management and auth on the same platform?
Yes, you usually have to set up your own OAuth 2.0 server if you want to do Account Linking with a user in your system. As you mentioned, there is also the possibility to use "Login with Amazon" (LWA), which makes things a little easier. However, you will only get a user's email address and name (often, this is enough).
If you don't want to set up your own OAuth server, there are also tool providers that can do user management for you, like Auth0. For example, Auth0 can be used to connect different identity providers like Facebook and Google logins, but also allows for username + password.
You can find a detailed step by step guide to set up Alexa Account Linking with Auth0 here. Let me know if you have any more questions!
The documentation states the following providers can be used for authentication: GitHub, Facebook, Twitter, Google. I don't see how you'd be able to link in with Amazon / Alexa. Also I'm not sure why you would want to use Firebase and not AWS Cognito.

Amazon Cognito: How to pass credentials to server-side application

I have a client-side application (developed in Java, not Android) that authenticates a user with an Amazon Cognito User Pool. To make things clear: that application displays a username/password entry dialog, then authenticates with the Cognito user pool service using the SRP method; potential challenges are handled in that dialog (device id, password must be changed, two factors, etc). In the end, I have a series of tokens that allow the program to use AWS services with the user's credentials.
Now, I need the client application to communicate with a custom server-side application. The client will have to prove its identity to the server application, which will then communicate with more AWS services. Here, I have two distinct use cases:
1) The server only needs to know who the client-authenticated user is (in a safe manner, but without impersonating the user).
2) The client needs to delegate some or all of the privileges of the user to the server; the server will then perform some actions on AWS services on that user's behalf.
The server-side application will most likely be developed in Java, running on an EC2 machine. I'm only interested in user authentication through the Cognito user pool source (that is, I have no interest in Facebook/Google/OpenID-based authentication flows).
It seems rather easy to achieve both objectives in a very unsafe manner: just have the client application send to the server all the tokens it has been granted. But this is obviously not the way to go.
Yet, I'm having a hard time figuring out from Cognito User Pool/Cognito Identity Pool/IAM/STS documentation how this can be correctly achieved. I would expect for example the possibility for the client application to be able to generate some kind of "delegation token", which can be passed to the server; the server should then be able to validate that token and extract identity information from it (satisfying #1), or to impersonate the identity corresponding to the token in order to perform calls to AWS services (satisfying #2). Or maybe I'm thinking this incorrectly?
What you are pointing at is the OAuth 2.0 code grant flow, which is not currently supported by Amazon Cognito.
The currently available safe way to do this is to pass the id token from the client to the server and then validate that token and extract identity information from it. This proves the identity of the caller, as you can validate the signature of the id token.
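
The server-side check described in the answer above (validate the ID token's signature, then read the identity from it), as an added example that is not part of the original answer: it verifies an RS256 ID token against the pool's JWKS and checks `iss`, `aud`, `token_use` and `exp`. The signature step is written out with the standard library so the block runs offline; the pool URL, client id, RSA key and token are constructed placeholders.

```python
import base64, hashlib, json, time

SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding (SHA-256) of msg for a k-byte modulus."""
    t = SHA256_DI + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token, jwks, issuer, client_id, now=None):
    """Return the claims of a valid Cognito ID token; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        # dict() makes non-object JSON fail here instead of later
        header, claims = dict(json.loads(b64d(h64))), dict(json.loads(b64d(p64)))
        sig = int.from_bytes(b64d(s64), "big")
    except Exception:
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":  # pin the algorithm, never take it from the token
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64d(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if sig >= n or pow(sig, e, n).to_bytes(k, "big") != emsa(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("token_use") != "id":  # an access token must not pass as an ID token
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed test data: toy 511-bit RSA key from two well-known primes, unfit for real use.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
JWKS = {"keys": [{"kid": "test-key", "kty": "RSA", "alg": "RS256",
                  "n": b64e(N.to_bytes(64, "big")), "e": b64e(E.to_bytes(3, "big"))}]}
ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # placeholder pool
CLIENT = "example-client-id"  # placeholder app client id

def sample_token(claims):  # signs constructed claims with the toy key
    head = b64e(json.dumps({"alg": "RS256", "kid": "test-key"}).encode())
    body = b64e(json.dumps(claims).encode())
    m = int.from_bytes(emsa(f"{head}.{body}".encode(), 64), "big")
    return f"{head}.{body}." + b64e(pow(m, D, N).to_bytes(64, "big"))
```

On a real server the JWKS is fetched from `<issuer>/.well-known/jwks.json` and cached, and a maintained JWT library would normally perform the signature step.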