I have an app that works with multiple Oauth2 sources, google being one of them. I want to be able to get the principalID or basically OAuth2AuthenticationToken.getName to be the email address rather than the long number that google provides. This is because I want to map this ID to some app specific user information and having to find out the long num for every user is a bit of a pain. Alternatively is there an easy way to get the identifier for every user?
Related
In the Teams client, you can search for any open federated users using the top search box. It'll give an option to search externally, which will return a federated user if the address matches. I'm trying to find a way to replicate this in an application, and haven't come up with a way to get it yet. Here's what I've tried so far:
People Search (e.g. https://graph.microsoft.com/v1.0/me/people?$search="user#domain.com") doesn't return anything.
User search (e.g. https://graph.microsoft.com/v1.0/users) only returns users in the same AAD (as expected)
What I'm really interested in getting is the AzureAD guid (user's unique ID) and I can't find a way to get that without having an app to query the user's specific tenant. Is this something that's possible to get through graph, or will it need to be Tenant specific? Thought is that if the Teams client can do this for open federated users, then shouldn't an app have access to the same data?
So I sort of found an answer to this in creating a multitenant graph application. I never really understood how those worked, but it finally clicked. To set one up, in your home tenant create an AAD app as usual, set it as multitenant, and assign it the API permissions you need (User.Read.All, User.ReadBasic.All etc.). It'll show up in app registrations, and you can auth using secrets/certs etc. Then in a target tenant, have someone hit this URL: https://login.microsoftonline.com/TENANTID/adminconsent?client_id=APPID where TENANTID is the target tenant's ID, and APPID is the appid from your AAD. Once consented (user/admin depending on permissions), the app will show in the "Enterprise applications" section of the target tenant's AAD.
Once you have this, you'll be able to search users on that target tenant. The challenge here is that you'll need to know the tenant ID you're searching, and have a user specifically grant permission to do it, rather than it being a federated search. Not ideal, but that's about all you can do with graph.
What would be useful here would be to have the same capabilities as the Teams client to get federated user information as an application in any tenant. Since the client can do this interactively, any open federated organization should be searchable by a graph application (perhaps using an "include external" flag in the search). I wouldn't expect anything other than the user GUID and presence, but for my case (ACS/Teams interop) that would be enough.
I am making a web application that will automate some actions on Google AdWords. The web application can be used by anyone that has an AdWords account.
I am a bit puzzled by the AdWords API, as it is a different from other Google APIs, in terms that it needs two additional config parameters: developerToken and clientCustomerId, a per their documentation:
https://developers.google.com/adwords/api/docs/guides/first-api-call
When constructing the AdWordsClient object, I need to provide the developerToken and clientCustomerId, in order to push data to AdWords.
My question is whether these two parameters (developerToken, clientCustomerId) need to be different for each user that will use my web application?
It seems that I am able to post data to different accounts with an unrelated developerToken, which does not make sense.
Can I get the clientCustomerId from an API endpoint, so I don't require my users to manually input tokens and ids to the web app, and do the complete authentication with oAuth?
My code is working, I am asking more of the philosophy why I need these two parameters, and if I can avoid asking the user to manually copy them from the AdWords dashboard into my application?
The developer token identifies a given Adwords API developer and is used for RMF enforcement, rate limiting and the like. As you mentioned, this is different from other Google APIs, which I think has to do with the fact that it's not a publicly available API. You always have to use the developer token that was given to you as part of your API sign-up process and are not allowed to use another developer's one (thus there's no possibility to have a user of your application enter it on their own).
The clientCustomerId parameter refers to the specific Google Ads account that you want to interact with. As a given user (identified by the OAuth2 access token that you include in your request) might have access to a whole lot of different accounts, this always needs to be included.
As for how to obtain a list of accessible account given a user's credentials, you can use the CustomerService.getCustomers endpoint for that purpose. Quoting the docs, it will "return details of all the customers directly accessible by the user authenticating the call."
I am using google's oauth2 to allow users to register/login into my site (php library). The first time a user attempts to login I get the user's email address and google+ id which are provided by the Google OAuth2 API (with the user's permission).
In a different part of the site I need some information from the user's youtube channel. I am using the incremental authorization to get the extra permissions as it is recommended (and described here: https://developers.google.com/identity/protocols/OAuth2WebServer#incrementalAuth ).
The problem is that I don't have a unique identifier for the user between the calls, in order to keep track of him/her in my side of the application. A user, for example might have multiple youtube channels and each one can be associated with a different google+ account/id and a different email address, which most of the time is not a real address but a provided email with the format 'username-XXXX#plus.google.com'.
I was wondering if google's apis can return a unique identifier for the 'parent' account of a user across different apis.
Thanks in advance.
I am using Twitter as an OAuth provider for ASP.NET MVC 4 web site. I would like to be able to follow up with a registered user at a later date, either by email or via a tweet. Outside of having the user follow me on Twitter, do I have any other options to communicate with the user?
Here is what I unsuccessfully considered:
It appears that there is no way to get access to the email address since Twitter OAuth API does not return it.
It appears I cannot send a direct message unless a user
follows me on Twitter.
"Read/Write/DirectMessage" permissions seem
too intrusive -- all I want to do is send a user a message that a
new product is released -- I don't need any of the write
capabilities that this level of permissions provides.
To recap, if a user used Twitter to sign in to my website, what are my options to contact that user at a later date?
Thanks.
Twitter's solution for this sort of person-to-person communication is the Direct Message, however, Twitter has (rightfully) decided that both parties need to consent to this channel being available. This decision is intended to reduce the amount of spam in the Twitter ecosystem.
Posting public tweets that mention the username will get your users' attention, but it is also broadcasting their relationship with your company to the entire Twitter ecosystem. You will, essentially, be advertising their relationship with your company without their permission. This approach will bring you headaches sooner or later.
Email is probably a better choice for the sort of announcement to existing customers.
I am thinking to embed google calendar in my website to achieve the following and was wondering if this is doable in google calendar. Otherwise I have to go find another solution.
I have groups of users with one super user, and rest are regular users as follows:
GroupA
Super User 1
Regular User 1
Regular user 2
etc
Group B
Super User 2
Regular User 3
Regular User 4
etc
Each group have their own calendar. Users in each group can not see the other group's calendar. Only able to see their own group's calendar.
Super users of each group have all access to the calendar (add, modify, delete) and have the ability to control how much access regular users have in their group. (read only? read/write etc)
All users are registered to my website, therefore I am thinking to use only one google calendar account (my own account) to create a calendar for each group. Which leads to a question of authenticating my website to google's API. I need the authentication process to be automatic, hidden away from the user and be done on the server side.
My site is built using PHP/Mysql
Q1:
I have tried the Javascript client library provided by google, however it require the user to type in username/password to log into google so that the authentication (OAuth2) process can work. As mentioned in previous paragraph, I only want the user's to log into my website, they do not need to login again into google account. This should be done on serverside.
I even went as far to create a login form with information prepopulated (hidden from the user, the username/password will be visible in "view page source") and send the request to https://accounts.google.com/ServiceLoginAuth, and make the form automatic submit once the user successfully login into my website. However this causes cross domain issues.
Q2:
I may potentially have 10's of thousands of groups registered on my website. each group may have couple hundred users. Can one single google account create that many calendars?
Q3:
Once the calendar is embedded into my website, it seems to be read-only. Is it possible to make it interactive so super users in each group can add/delete/modify events?
Any ideas/suggestions is much appreciated.
Thank you
No answers? It seems like your question is straightforward. If I understand correctly, you want to access calendars from several Google accounts/users. Each user needs to authorize this access, but they only need to do so once. You could generate these requests and send them out via email, for example. When the user grants permission, Google forwards a grant code to your specified callback_uri. The grant code is extremely volatile. It's used to request a token from Google that apparently lasts indefinitely. So there's no requirement that users continually log into Google.
In Google's calendar/simple.php example. The token is stored as a SESSION variable. Even though the token is persistent, the SESSION variable is not. Users have to grant authorization every time the SESSION variable expires. Storing persistent data in a volatile variable is absurd and probably gives the wrong impression about the OAuth2 token mechanism.
I spent a lot of time writing documentation that I couldn't find anywhere else. Please take a look if you think it might help: http://www.tqis.com/eloquency/googlecalendar.htm
What you're asking isn't possible in Google Calendar.
If you're looking to support thousands of groups and each group needs it's own calendar, then you're saying that you'd need thousands of calendars with access control and you'd need authentication to the calendar to be transparent.