I need to setup an oauth2 authentication system for Moodle. I already configured all the stuff on the Moodle side and the auth works good. I can create a new user without any problem.
But my nightmare is mapping fields on Moodle side, for instance I need to map externalIds field of google to the id field of Moodle but I spent many hours trying this that seems impossibile.
I already tried to configure manual field mapping on Moodle settings (externalIds -> idnumber or id -> idnumbers) but not working
I'm using this scopes list: openid profile email
After a lot of try with google oauth2 playground I'm asking your help.
Thansk
I already tried to configure manual field mapping on Moodle settings (externalIds -> idnumber or id -> idnumbers) but not working
I expecting to register a new user account with all the fields that google already sent me plus externalIds
Related
One of the websites we used to get data from requires now log in via Google, I have been granted access, and want to update the app to continue working.
I've set up credentials (clientId, clientSecret) as well as service account - whichever is easier tbh.
The url I'm trying to access looks like "https://xxxxxxxxxxxxxx.appspot.com/view/company_name"
When logging in manually, I'm being informed that:
To continue, Google will share your name, email address, language preference and profile picture with iap.googleapis.com.
Trying to get it working first on:
https://developers.google.com/oauthplayground/
But each time I select scope (guessing here) Google OAuth2 API v2 (userinfo.email, userinfo.profile) and get the tokens I end up receiving following error message:
Invalid IAP credentials: Expected JWT to have 3 parts separated by a '.' but there are 2 parts
Could anyone tell me all the things I'm doing wrong here?
I have followed some articles, but all are not clear as google oauth interface is changed.
Verified some articles, and understood something. With this understanding in mind, followed below steps:
Opned URL: console.developers.google.com
Created new project with name: My Super App
Clicked on Google+ API under Overview section, and Enabled the same.
Here is my doubt whether I am doing correct or not
Selected OAuth ClientID option under Credentials section.
Configured Consent screen With email address, and Product name.
Under Create Client ID section, provided below details:
Application type: Web Application
Name: My Super Client App
Authorized Javascript origins: http://localhost:44300/ - sometimes, I have used this option. Later on, now, I am not using this option. Please suggest me if it is mandatory.
Authorized redirect URIs: http://localhost:44300/signin-google
ClientID, ClientSecret have been generated. Used in My MVC app.
But, I am unable to use Google OAuth.
Please suggest me where I'm doing wrong.
Go to your Project properties and under the Web tab you'll see the Project URL. In place of the https://localhost:44300/ given in the article replace it with the one specified in Project URL or, if you've overridden that one, use the one specified in the Override application root URL.
In other words, you shall change the URL here:
Just a suggestion but perhaps you need to enable the api on your google developer console. I did a quick google and this covers it - http://www.c-sharpcorner.com/article/how-to-configure-google-sign-in-for-Asp-Net-mvc-5-part-sixt/
please follow Asp.net/mvc :MVC5 :Google OpenAuth from where the below steps are taken:
Creating a Google app for OAuth 2 and connecting the app to the project
Navigate to the Google Developers Console.
Click the Create Project
button and enter a project name and ID (you can use the default
values). In a few seconds the new project will be created and your
browser will display the new projects page.
In the left tab, click
APIs & auth, and then > Credentials.
Click the Create New Client ID
under OAuth. In the Create Client ID dialog, keep the default Web
application for the application type.
Set the Authorized JavaScript
origins to the SSL URL you used above (https://localhost:44300/
unless you've created other SSL projects) Set the Authorized
redirect URI to:
https://localhost:44300/signin-google
Click the Consent screen menu item, then set your email address and product name. When you
have completed the form click Save.
Click the APIs menu item, scroll
down and switch on Google+ API.
Copy and paste the AppId and App Secret into the UseGoogleAuthentication method. The AppId and App Secret values shown below are samples and will not work.
I'm trying to use the Google Calendar API in one of my projects. To do so, I need to set up OAuth access in the Google API console.
But when creating the consent-form (which is required to use OAuth), I get a meaningless error message:
The translation is as follows:
A problem occured. Please check your data and try again . If you have
not given any details, the problem may solve itself . In this case, we
recommend that you wait and try again later.
I have set the E-Mail address and project name. The optional fields were left blank.
So far I have not been able to solve the problem. I tried to wait for hours/days. I tried three different browsers. I also tried to contact Google support. All without success.
After days of trying, this is the solution:
Create another Google account
Using your old account, add the new account as an owner to your Google API project in the console
Log in with your new user account and accept the invitation
Create the OAuth consent form with the new user account
I have no idea WHY this worked, but it did.
I am using the Google API to create a spreadsheet on google drive.
My app has a link that says 'Download To Google Doc'
The app sends a file to google docs and shares it with the user.
The user can then see it in google docs.
This all works good.
The problem is the identity of the service account sharing the doc.
It is a generated id. I want it to be branded to my app.
Is this possible?
-
You can't change the service account email address, nor can you supply a real world user name to it. The service account email address is created by Google in the Google Developer console.
The only way to change the email address would be to delete it and create a new one but again you would be stuck with the one Google Created. I suspect that the client id and email address are a pair used for identification of your application. Similar to client id and client secret, but I cant verify that.
I do see your point it would be nice if we could.
Google Service Accounts do allow you to impersonate an existing user account (for some services). I haven't tested it on Google Drive, but I have used it with the Webmaster tools API. The instructions can be found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
To sum them up, when creating the service account credentials you can specify the "sub" parameter with "The email address of the user for which the application is requesting delegated access." The account you're requesting access for must exist and have permission to access to the services you're requesting.
In the link above Google provides examples for Java, Python and HTTP/REST, here's the Python example:
credentials = SignedJwtAssertionCredentials(client_email, private_key,
'https://www.googleapis.com/auth/sqlservice.admin',
sub='user#example.org')
I'm using the Ruby google-api-client gem (0.9.pre3) and the ServiceAccountCredentials constructor does not pass the 'sub' parameter to its parent class so it has to be specified in another step:
client = Google::Auth::ServiceAccountCredentials.new(json_key_io: json_key_io, scope: scope)
client.update!(sub: 'user#example.org')
client.fetch_access_token!
service = Google::Apis::WebmastersV3::WebmastersService.new
service.authorization = client
Using this code I can authenticate using my service account and I have access to the sites
I am trying to automate the entire process of creating a google apps account through my company's reseller account with google, without any human having to manually enable anything.
Here's a quick scenario of what I am doing.
Create Customer (Domain) with Reseller API
Create Subscription with Reseller API
Create Admin Account for the Sold Domain
I am having trouble automating step 3.
There are 2 different APIs that can accomplish this tast, Provisioning (depricated) and Directory.
I have already successfully created user accounts with the Directory API, but this step requires you to enable API access for that domain, and that can only be done manually by a human - So thats a break in automation flow, and wont work for what I am trying to accomplish.
I was instructed by google tech support to use the Provisioning API, wich is deprecated, because it supposedly allows you to create an admin user without the need to enable the API access manually per domain. When I attempt to do this, I face this error:
Uncaught exception 'Zend_Gdata_App_HttpException' with message 'Expected response code 200, got 403 <HTML> <HEAD> <TITLE>You are not authorized to perform operations on the domain mydomain.com</TITLE>
Here's the code im attempting to run:
// .....
$customerid = "somedomain.com";
$client = Zend_Gdata_ClientLogin::getHttpClient("mylogin#foo.com", "mypassword",Zend_Gdata_Gapps::AUTH_SERVICE_NAME);
$gdata = new Zend_Gdata_Gapps($client, $customerid);
$gdata->createUser('Admin', 'Firstname', 'Lastname', 'somerandompassword', TRUE);
//......
When I consulted google tech support, they told me I needed to enable the provisioning api following the same instruction I posted earlier (enable api access per domain). I have done this on both my reseller domain, and the customer domain Im trying to provision on (just to test, becasue the entire point is to be able to make an admin account WITHOUT enabling it on the customer domain.) - But it still returns this error.
Here's my settings -- as you can see, its enabled.
In google's docs, under "Enabling the Provisioning API", it has some instructions, but they appear to be out of date and dont really reflect sections available in the current google apps admin panel.
Im at a loss. Am I missing something obvious, or is it just not possible to do at this time?
Just for reference, I have found a few other people asking a similar question, but with less detail:
Google Reseller Customer Admin User Creation Admin SDK How
How to create the domain administrator of a Google Apps domain purchased via the reseller API
EDIT: Added image showing settings, and code sample.
try to delete "TRUE" parameter in createUser , it's works for me.
$customerid = "sampledomain.com";
$client = Zend_Gdata_ClientLogin::getHttpClient($email, $password, Zend_Gdata_Gapps::AUTH_SERVICE_NAME);
$gdata = new Zend_Gdata_Gapps($client, $customerid);
var_dump($gdata->createUser('trial', 'Firstname', 'Lastname', 'somerandompassword'));
in Google app console
domain settings ->user settings
check the box "enable API access"
in Google app console --> advanced tools --> Manage third party OAuth Client access
Add the scope :
https://apps-apis.google.com/a/feeds/user