Questions to OAuth consent screen - how to edit+support email+verification - oauth-2.0

Some questions to OAuth Consent Screen:
Is any data that I input while configuring OAuth Consent Screen editable? For example if I decide to change my app's name, can I edit that?
Does the OAuth Consent screen need to be submitted/verified/published in order to use it to test features like achievements or leaderboards?
When choosing the support email, can I choose it from the list if I add that email to the project, or do I need to be logged in with that email and do the whole process from that account?

Is any data that I input while configuring OAuth Consent Screen editable? For example if I decide to change my app's name, can I edit that?
Yes, you can edit the consent screen in the Google Cloud Console for the project. The app will need to be verified again if you change things like the name, description, or any of the URLs such as the privacy policy and home page.
Does the OAuth Consent screen need to be submitted/verified/published in order to use it to test features like achievements or leaderboards?
Not sure on this one. My guess would be no: if you're just testing something, it doesn't need to be verified until you are in production.
When choosing the support email, can I choose it from the list if I add that email to the project, or do I need to be logged in with that email and do the whole process from that account?
You need to create a Google user with that email address. Then you can add that user to your project and set them as the support email. They need to have access to the project; you can't just add anyone.


FusionAuth - Invite based user on-boarding with social logins

We create users with their email address. We send email to each user with a link to change password api with changePasswordId. When user clicks the link, he will be redirected to change password screen where he can set the password and access the application. This works.
But now we want to allow users to register with their social IdPs upon receiving the invitation/verification email. I can't see any FusionAuth documentation on this part.
Questions are as follows:
How to let a user select their social IdP while verifying their email?
Can a user have multiple logins with different IdPs for one application in FusionAuth?
Is there any linking API which links all external user accounts with their FusionAuth user account?
The flow we are expecting is: Invite User -> User clicks link -> User is presented with set password and social logins -> User chooses Google -> Google authenticates user and returns token back to FusionAuth -> FusionAuth links user's Google account with already created (invited) user account -> Next time user logs in with Google account -> FusionAuth identifies the user and allows him to access the application.
Updated:
Let me try to explain our situation and need, with less focus on the password setup task:
We need to set up new users that are associated with Google-based education accounts on custom school domains, teachers and students that might have addresses like first.last#middle.school.com. We need to take the class roster from Google Classroom and initialize accounts for each student in our backend via our API, which also creates FusionAuth user and app registrations for each.
Schools don't often want kids setting passwords on vendor sites. When we send the account confirmation / verification email to the new cohort of students they would ideally be directed to the approved and configured method for that domain (perhaps Google, Microsoft, other SAML or password). If we can't get selective about the confirmation method shown after the student provides her invited email address then we could present multiple confirmation options on the same screen and let the teacher direct the students to the correct choice.
But in summary we need to avoid requiring password setup and support confirmation with the invited social account when required by the school.
If I understand your use case correctly, what you want is to add the "Login with Google buttons" to the Setup Password workflow. This is different than the Email Verification workflow, so if you are looking for a way to log users in with their social profiles during Email Verification, that's something completely different. In fact, I don't think that is a use case because after the user verifies their email, they need to log in again and they can do that using their social profile.
Unfortunately, FusionAuth doesn't fully support the ability to allow someone to use the Setup Password workflow using a social login. It might be possible though using the Email Templates and Theme editor in FusionAuth. I haven't tested this, but you could try it and see if it works.
What you would do is to pass in a URL parameter to show the social login buttons during the Setup Password workflow. This would be something you could do in the email template for Setup Password like this:
Click this link to setup your password:
<a href="https://example.com/password/change/${changePasswordId}?showSocial=true">
Setup Password
</a>
Then, using the Theme editor in FusionAuth, you would add some code in to show the buttons like this (the ?? part is to handle when the parameter is missing):
[#if showSocial?? && showSocial]
show social buttons here
[/#if]
You could give that a try and see if it works for your use case. If it doesn't work, you can always open a feature request for this on our GitHub issue tracker and we can see if it receives enough upvotes to get on the roadmap. You can also engage FusionAuth professional services to build this feature for you as well.
For your other questions, you can have as many logins with external IdPs as you want for a single user. The user is unique by their email address.
I'm not sure what you mean by "linking api", but if a user logs in with an external IdP, their tokens from those external providers are stored on the user object. You can look up those values and then call third-party APIs with their access_tokens.
UPDATE 8/27/2019
Ah yes. The social login buttons do require all of the OAuth parameters, so this solution won't work because those parameters aren't part of the Setup Password workflow.
I guess I'm confused on how this actually works and whether or not this is a workflow FusionAuth should be handling. Social logins aren't generally used for account verification. They are normally used for account creation. For example, you could just send the student to FusionAuth before their account is created, they log in with their Google Classroom account, and then they have a FusionAuth account. Is there any reason the student can't just log in after their account is created? Is that not essentially the same thing?
Could you do something where students that have accounts in Google Classroom are created in FusionAuth with a randomly generated 32 character password (for security), since they will be logging in with Google regardless? You can then just send them an email with a standard login link.
For students that log in with a username and password to FusionAuth directly, send them a Setup Password email. This will let them pick their own password.
In terms of account linking, FusionAuth links accounts automatically based on email address (the unique login identifier, actually). Therefore, you don't need to call any extra API to associate the social login with a user.
I might still not be clearly understanding the use case, so feel free to contact us directly using the form on our website. We might need to set up a web conference to discuss your needs in detail.

IdentityServer4: How to show external providers consent screen?

I just recently started using IdentityServer4 (IS4), playing around with the samples and so on.
I have a setup where I run IS4 (using the included sample UI MVC) configured with Google as an external provider. I also have an API set up, as well as a client (MVC web app). When authenticating, and the user clicks "Google" in the "External Login" section, he/she is redirected to Google as expected. However, after supplying the username and password, I expected to see the Google consent screen, but instead I am redirected back to the consent screen in IS4. Why is that? Should the end user not give consent that his/her Google profile information is being accessed, on a page which clearly is from Google (i.e. HTTPS and Google's certificate)?
I acknowledge that since I am also requiring consent from the user to access my API I might end up with 2 consent screens (one for profile info from Google, and one for API access from my own IS4 configuration), but if I did not have an API in my setup and simply wanted to use IS4 in a federated setup to provide ID tokens, I would not have a need for the consent of my own API and thus would expect only to see the consent screen from my external providers (e.g. Google, Facebook, Twitter, etc.).
I have my external provider configured like this:
services.AddAuthentication()
    .AddGoogle("Google", options =>
    {
        options.ClientId = "<my client id>";
        options.ClientSecret = "<my client secret>";
        // Sign the external identity into IdentityServer's external cookie scheme
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    });
Could someone please enlighten me :-)
Thanks
From Google's help:
To set up your project's consent screen and request verification:
Go to the Google API Console OAuth consent screen page.
Add required information like a product name and support email address.
Click Add Scope.
On the dialog that appears, select the scopes your project uses. Sensitive scopes display a lock icon next to the API name.
To select scopes for registration, you need to enable the API, like Drive or Gmail, from APIs & Services > API Library.
You must select all scopes used by the project.
When you're finished adding details to the OAuth consent screen, click Submit for verification.
A Verification required window displays.
Add scopes justification, a contact email address, and any other information that can help the team with verification, then click Submit.
Note: The consent screen settings within the console are set at the project level, so the information that you specify on the Consent screen page applies across the entire project.
So, what you need is to disable consent for your client in IdSrv and enable it in Google.
Additionally, as described in this answer,
By design, the consent screen is not shown in the scenario with account selection and profile/email scopes only requested..., since the account selection UI already shows the email and profile (name/picture) information that will be shared with the app.
As added by #Mike Wilcox:
When including a sensitive/restricted scope, if the app is not verified for the scopes added, you will see a "not verified" screen during the OAuth consent flow. You can pass through by clicking Advanced -> Go to [app_name] (unsafe).
There is a playground: https://developers.google.com/oauthplayground/ where you can test this out. Click on the settings icon in the top right and then check the "Use your own OAuth Credentials" box to enter your app creds. You can add scopes and test them out there.
You don't have control when you redirect to external idp since it is a delegated authentication. I don't know how Google have implemented their OAuth flows but the following might be reasons as to why consent screen is not shown:
You are not requesting any scopes that require user consent
The user already gave consent to access to his/her info to your client (you should be able to check this in Google account pages)
Your client is configured to bypass consent screens (this is possible in IDS4 by setting RequireConsent flag to false, but I would doubt you can do this in Google as a 3rd party OAuth client)

Google login page - Sign in to continue to companyName

I have modified the user agent to be able to log in to Google. When the user tries to log in, he sees the following screen:
The company name I hid is clickable. Upon clicking it, a small dialogue box pops up with some Developer Info.
1) Is there any way to disable that link?
2) If not, is it possible to modify the text inside the dialogue box? Because currently, personal email id of a developer is displayed which we don't want.
Any help or relevant link would be appreciated.
EDIT:
Just like YouTube's is disabled, I want my company's name to be disabled as well.
It seems that apart from YouTube no other company has this link disabled. I checked on MakeMyTrip, GoIbibo, TripAdvisor, StackOverflow and Quora. As YouTube is such a huge company, they might have got the screen customized from Google, just my hunch.
You have two options:
The best option is to create the project in a different Google account so your personal email won't show.
In the Email field on API console "OAuth Consent screen", you can select the Google group email (so create a group).

Can I add only a login function to my app? Swift/Parse

I have an app in which I want to only add a logIn button. No signUp.
I am thinking of it like this; please tell me if this can work.
SaaS based. So if a business wants to use the app, they must sign up on the website.
Once they do, they can download the app, where I will give them their logIn credentials.
Therefore if someone downloads my app from the App Store they cannot register unless they are a SaaS customer. They can only log in with the credentials I provide after they sign up and pay for the service.
This being said, if this is doable: I used the Parse Swift signup code to get my classes working on parse.com.
If I go into the users class, I can add new usernames and passwords. (Great!)
If I delete the SignUp code now from my app, and add the LogInUserinBackground code, will it still work for logging in users so long as I add their credentials on the back end?
Thank you for all responses! Much Appreciated.
Yes, that can and will work.
You can of course remove the ability to create users via the app and only support the creation via the application. Just set the user up via the website, assign the username and password and you are ready to go. Of course you have to create some kind of login form inside the app - what you cannot do is customize the application one user downloads to one specific SaaS customer so that he gets logged in fully automatically. At least once the user has to enter the user credentials in the app.
And as far as I am informed that is even allowed by the App Store guidelines; you only have to make sure Apple gets a demo account when submitting the app in the end.

How to force account login for a single account user with Google's OAuth 2.0?

Sometimes when a user logs in to a site with Google's OAuth 2.0 they choose the wrong account to log in with. Normally this isn't a problem: if the user has more than one account registered with the browser, Google will automatically show the account select screen:
But if a user has only one account and is logged in, this screen is skipped. Instead I need Google's sign in panel to always appear, so that I can be sure the user has the option to try and enter the correct account. I tried using approval_prompt = "force", but that forces the acceptance of permissions rather than simply showing the login page.
How can I force Google's OAuth 2.0 to always show the login screen?
(and never automatically skip it)
Add the parameter prompt=select_account to your authorization request.
This will cause the account chooser to always be shown, even if the user is only logged in to one account. Users will be able to select from their accounts, or add a new one.
For example: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile+email&access_type=offline&prompt=select_account
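As an added example (not part of the answer above), the following Python builds an authorization-code request that forces the account chooser with prompt=select_account, and a checker that parses any authorization URL to report whether it forces the chooser, still uses the older approval_prompt parameter the asker tried, and carries a state value; the client id and redirect URI are constructed placeholders.

```python
"""Added example: build and check a Google OAuth 2.0 authorization URL that
always shows the account chooser (prompt=select_account)."""
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Google's OAuth 2.0 authorization endpoint, as used in the answer's example URL.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def build_auth_url(client_id, redirect_uri, scopes, state,
                   prompt="select_account", access_type="offline"):
    """Return an authorization-code request URL.

    prompt=select_account forces the account chooser even when only one
    account is signed in. approval_prompt=force (the asker's attempt) instead
    re-prompts for permission grants, so it is deliberately not used here.
    `state` is an unguessable per-request value that the redirect handler
    must compare against the value it stored (CSRF protection).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited; urlencode renders it as '+'
        "access_type": access_type,
        "prompt": prompt,           # may hold several space-separated values
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def check_auth_url(url):
    """Parse an authorization URL and report the properties relevant here."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    prompt_values = set(qs.get("prompt", [""])[0].split())
    return {
        "https": parsed.scheme == "https",
        "forces_account_chooser": "select_account" in prompt_values,
        "uses_legacy_approval_prompt": "approval_prompt" in qs,
        "has_state": bool(qs.get("state", [""])[0]),
        "scopes": qs.get("scope", [""])[0].split(),
    }


if __name__ == "__main__":
    # Constructed sample values; the client id is a placeholder, not a real one.
    url = build_auth_url("PLACEHOLDER.apps.googleusercontent.com",
                         "https://example.com/oauth2/callback",
                         ["profile", "email"], secrets.token_urlsafe(16))
    print(url)
    print(check_auth_url(url))
```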
