I am using a vanilla configuration of the firebase Auth SDK. It is currently asking for all of these scopes.
I do not need profile picture or name, and would love to remove them. Is it possible?
Simple answer is No. Name and picture permissions are granted to your application when you request the profile scope as part of sign-in.
Explanation
Assuming you are following the example found here, check the lines that call addScope:
provider.addScope('profile');
provider.addScope('email');
This is where you define what permissions your application needs. The email and profile scopes are part of Google sign-in (OpenID Connect). The profile scope gives you access to some basic profile information about the user. Part of basic profile information is their picture.
These two claims are actually returned by the user info endpoint. This is the response from the userinfo endpoint when I authorized only with the profile scope.
{
  "family_name": "Lawton",
  "name": "Linda Lawton",
  "picture": "https://lh3.googleusercontent.com/a-/AOh14GhroCYJp2P9xeYeYk1npchBPK-zbtTxzNQo0WAHI20=s96-c",
  "locale": "en",
  "given_name": "Linda",
  "id": "1172004755376"
}
This is all default, so it's not something you can change.
Full example
// Using a redirect.
firebase.auth().getRedirectResult().then(function(result) {
  if (result.credential) {
    // This gives you the OAuth Access Token for that provider.
    var token = result.credential.accessToken;
  }
  var user = result.user;
});

// Start a sign in process for an unauthenticated user.
var provider = new firebase.auth.OAuthProvider('google.com');
provider.addScope('profile');
provider.addScope('email');
firebase.auth().signInWithRedirect(provider);
Related
I am failing to add an OpenId account to B2C using Microsoft Graph. What needs to be done to do an add operation?
B2C Setup as TestB2C
In Azure B2C the OpenID Connect (to my company's Azure AD) is set up as an Identity Provider.
For this example, take the blurred-out B2C above to be TestB2C.onmicrosoft.com and the target OpenID is "Corporate AD".
Graph Call To Insert User into B2C
{
  "accountEnabled": true,
  "displayName": "OmegaMan",
  "mailNickname": "OmegaM",
  "identities": [
    {
      "signInType": "userName",
      "issuer": "TestB2C.onmicrosoft.com",
      "issuerAssignedId": "OmegaMan@Corporate.com"
    },
    {
      "signInType": "emailAddress",
      "issuer": "TestB2C.onmicrosoft.com",
      "issuerAssignedId": "OmegaMan@Corporate.com"
    },
    {
      "signInType": "federated",
      "issuer": "Corporate.com",
      "issuerAssignedId": "6ab...34"
    }
  ],
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false
  }
}
The issuerAssignedId is from the settings placed in the Identity Providers section for the OpenId Connect. When I attempt to insert said user, I get this current error:
...
"error": {
"code": "Request_BadRequest",
"message": "A password must be specified to create a new user.",
...
Which for a federated user does not make sense. Note that in a different add operation for an "email user", this process works, with different settings. What is missing to then add a federated user?
For a federated user, "accountEnabled" is false.
I was able to circumvent the user "Sign-Up" after user insertion. The issue turned out to be that, for proper federation to occur, the proper values need to be in place.
"identities": [
  {
    "signInType": "federated",
    "issuer": "https://login.microsoftonline.com/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/v2.0",
    "issuerAssignedId": "YYYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
  }
]
What was happening was that I was using "issuer": "myDomain.com", which was not resolving correctly to do a login; the user then had to "Sign Up" via the federated IP and ended up with two logins.
By changing the issuer from a DNS-readable name to the Microsoft login URL with my AD directory's ID (the number provided when switching domain in Azure, XXXX-XXX ... btw), and also a proper issuerAssignedId, found from the originating AD issuer, it worked and the user was added.
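The self-answer above fixes the federated entry by hand. The following added example (not code from the question or either answer) builds the same "identities" entry from the tenant GUID and the user's object id at the originating directory, and rejects the bare DNS-name issuer that caused the duplicate sign-up. The helper names, the GUID placeholders and the decision to leave passwordProfile out of the body are assumptions; the page only shows the corrected identities fragment.

```python
import re

# Directory (tenant) ids and user object ids in Azure AD are GUIDs
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def federated_issuer(tenant_id: str) -> str:
    """Issuer URL for an Azure AD tenant used as the OIDC identity provider,
    in the form the self-answer above arrived at."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be the directory (tenant) GUID, not a DNS name")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def federated_identity(issuer: str, issuer_assigned_id: str) -> dict:
    """One entry of the Graph "identities" array for a federated sign-in."""
    # A bare DNS name such as "Corporate.com" is the misconfiguration described above:
    # B2C cannot match it to the configured identity provider, so the user is pushed
    # through sign-up and ends up with a second, separate login.
    if not issuer.startswith("https://"):
        raise ValueError(f"federated issuer must be the provider's https issuer URL, got {issuer!r}")
    if not GUID_RE.match(issuer_assigned_id):
        raise ValueError("issuerAssignedId must be the user's object id at the originating directory")
    return {"signInType": "federated", "issuer": issuer, "issuerAssignedId": issuer_assigned_id}


def build_federated_user(display_name: str, mail_nickname: str, tenant_id: str,
                         home_object_id: str, account_enabled: bool = True) -> dict:
    """Request body for creating the B2C user. Only fields shown on this page are
    included; passwordProfile is left out here (assumption: the account is federated).
    One answer above states accountEnabled should be false for a federated user,
    so it is a parameter rather than hard-coded."""
    return {
        "accountEnabled": account_enabled,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "identities": [federated_identity(federated_issuer(tenant_id), home_object_id)],
    }


def lint_identities(body: dict) -> list:
    """Scan an existing request body and report federated entries that use a
    DNS name instead of an issuer URL (the mistake in the question)."""
    problems = []
    for ident in body.get("identities", []):
        issuer = str(ident.get("issuer", ""))
        if ident.get("signInType") == "federated" and not issuer.startswith("https://"):
            problems.append(f"federated issuer {issuer!r} is not an issuer URL")
    return problems


if __name__ == "__main__":
    # Constructed placeholder GUIDs, not real ids
    body = build_federated_user("OmegaMan", "OmegaM",
                                "11111111-2222-3333-4444-555555555555",
                                "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    print(body, lint_identities(body))
```

Run `lint_identities` over a body before sending it to Graph; it flags exactly the "issuer": "myDomain.com" shape that the self-answer traced the problem to.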
So I'm making the integration with Google sign-in from a web site, so basically the flow here is:
Google sign-in -> get the token ID and send it to an auth REST API -> the REST API gets the user name, profile picture and email, then signs up the user.
My problem is that I'm not being able to discover how to get the user name and profile picture. Even with the userinfo.email & userinfo.profile scopes, the token ID only stores in the payload the UserId and the email. Here is what my token ID payload looks like now:
{
  "iss": "accounts.google.com",
  "azp": "######",
  "aud": "######",
  "sub": "######",
  "email": "gsalomaoc@gmail.com",
  "email_verified": true,
  "iat": 1639009337,
  "exp": 1639012937,
  "jti": "######"
}
I was expecting the profile picture and the first & last name to be sent in the payload. Can anyone give me a hand to figure out how to get these fields?
Appreciate any help.
You can use this:
www.googleapis.com/oauth2/v1/userinfo
instead of:
oauth2.googleapis.com/tokeninfo
Try it out: https://developers.google.com/oauthplayground/
Source: How to get user profile picture from Google Chat Bot using Google App Script?
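Both the Firebase answer near the top (profile scope yields name and picture) and the answer just above (query the userinfo endpoint instead of tokeninfo) come down to the same backend decision: look at which claims the ID token actually carries, and go to userinfo for the rest. The following added example (not code from any post on this page) decodes the token payload, checks issuer and audience, lists the missing profile claims, and only then calls userinfo with the access token. The sample payload, the placeholder ids and the helper names are constructed for the example; it uses the v2 userinfo URL quoted later on this page.

```python
import base64
import json
import urllib.request
from typing import Optional

# Claims that OpenID Connect attaches to the "profile" scope and that the question is after
PROFILE_CLAIMS = {"name", "given_name", "family_name", "picture"}
# Issuer values Google uses for its ID tokens
EXPECTED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
# userinfo endpoint named in the answers on this page
USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_constructed_token(payload: dict) -> str:
    """Build a sample JWT for local inspection. The signature segment is a
    placeholder; this helper exists only to feed the decoder below."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.constructed-signature"


def decode_id_token_payload(id_token: str) -> dict:
    """Return the payload of a compact JWT without verifying the signature.
    Use it only to see which claims are present; a backend must verify the
    signature against Google's published keys before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer_and_audience(payload: dict, client_id: str) -> None:
    """Reject tokens that were not issued by Google for this client."""
    if payload.get("iss") not in EXPECTED_ISSUERS:
        raise ValueError(f"unexpected issuer {payload.get('iss')!r}")
    if payload.get("aud") != client_id:
        raise ValueError("token was issued for a different client id")


def missing_profile_claims(payload: dict) -> set:
    """Profile claims the token does not carry (the questioner's case: all of them)."""
    return PROFILE_CLAIMS - set(payload)


def fetch_userinfo(access_token: str) -> dict:
    """Network call: GET the userinfo endpoint with the OAuth access token."""
    req = urllib.request.Request(USERINFO_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def resolve_profile(id_token: str, client_id: str, access_token: Optional[str] = None) -> dict:
    """Take name/picture from the ID token when present, otherwise from userinfo."""
    payload = decode_id_token_payload(id_token)
    check_issuer_and_audience(payload, client_id)
    profile = {k: payload[k] for k in ("sub", "email", *PROFILE_CLAIMS) if k in payload}
    missing = missing_profile_claims(payload)
    if missing:
        if access_token is None:
            raise LookupError(f"ID token lacks {sorted(missing)}; an access token is needed to query userinfo")
        info = fetch_userinfo(access_token)
        profile.update({k: info[k] for k in missing if k in info})
    return profile


# Constructed sample modelled on the payload in the question (placeholder ids, not real values)
SAMPLE_PAYLOAD = {
    "iss": "accounts.google.com",
    "azp": "client-id-placeholder",
    "aud": "client-id-placeholder",
    "sub": "123456789012345678901",
    "email": "user@example.com",
    "email_verified": True,
    "iat": 1639009337,
    "exp": 1639012937,
    "jti": "jti-placeholder",
}

if __name__ == "__main__":
    token = make_constructed_token(SAMPLE_PAYLOAD)
    print("missing profile claims:", sorted(missing_profile_claims(decode_id_token_payload(token))))
```

The audience check is what keeps a token minted for some other client from being accepted by the REST API; the userinfo fallback is the path the answer above recommends when the token payload stops at sub and email.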
In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
  {
    "name": "family_name",
    "source": "user",
    "essential": false,
    "additionalProperties": []
  },
  {
    "name": "given_name",
    "source": "user",
    "essential": false,
    "additionalProperties": []
  }
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error.
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or application manifest, you need to provide profile Delegated permissions for the application.
I'm trying to use the Sample Graph API app to change a user's password but I'm getting:
Error Calling the Graph API Response:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}
Graph API Request:
PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM
JSON File
{
  "passwordProfile": {
    "password": "Somepassword1$",
    "forceChangePasswordNextLogin": false
  }
}
I've tested updating the user's displayName and that works fine.
{
  "displayName": "Joe Consumer"
}
AD Application Permissions
I've configured my app permissions as described here.
Check out this article. Seems like it has the same symptoms.
Solution 1:
If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.
Go to Azure Management Portal and click Active Directory.
Select your custom AD directory.
Click Applications and select your Application.
Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
Finally save the changes.
Solution 2:
If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator. As of now, you can only add this role via the Azure AD Powershell module.
Find the service principal using Get-MsolServicePrincipal -AppPrincipalId
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
Use Add-MsolRoleMember to add it to the Company Administrator role
$clientIdApp = 'your-app-id'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $clientIdApp
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.
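The answer above gives the fix (a directory role for the service principal) in PowerShell. What a backend calling this API also needs is to tell that failure apart from an ordinary bad request, so the added example below (not code from the question or the answer) sends the PATCH from the question and classifies the Azure AD Graph error body. The graph.windows.net host, the helper names and the sample error text built from the response quoted in the question are assumptions or constructed values.

```python
import json
import urllib.error
import urllib.request

# Azure AD Graph host for the /{tenant}/users/{id}?api-version=1.6 request shown above (assumption)
GRAPH_BASE = "https://graph.windows.net"


def password_reset_body(new_password: str, force_change: bool = False) -> dict:
    """The PATCH body from the question."""
    return {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextLogin": force_change}}


def classify_graph_error(status: int, body_text: str) -> str:
    """Turn an Azure AD Graph error body into a short diagnosis string."""
    try:
        err = json.loads(body_text).get("odata.error", {})
    except (json.JSONDecodeError, AttributeError):
        return f"http {status}: non-JSON error body"
    code = err.get("code", "unknown")
    message = err.get("message", {})
    value = message.get("value", "") if isinstance(message, dict) else str(message)
    if code == "Authorization_RequestDenied":
        # Read/write user permissions are not enough for password resets; the
        # answer above grants the service principal a directory role for that.
        return "insufficient privileges: the app's service principal lacks the directory role this operation needs"
    return f"{code}: {value}"


def patch_user(tenant: str, object_id: str, bearer_token: str, body: dict, api_version: str = "1.6"):
    """Network call: PATCH the user and return (http status, diagnosis)."""
    url = f"{GRAPH_BASE}/{tenant}/users/{object_id}?api-version={api_version}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as exc:
        return exc.code, classify_graph_error(exc.code, exc.read().decode())


# Constructed from the error response quoted in the question
SAMPLE_DENIED = json.dumps({"odata.error": {"code": "Authorization_RequestDenied",
                                            "message": {"lang": "en",
                                                        "value": "Insufficient privileges to complete the operation."}}})

if __name__ == "__main__":
    print(classify_graph_error(403, SAMPLE_DENIED))
```

Logging the classified string rather than retrying on Authorization_RequestDenied matters: the call will keep failing until the role assignment is made, and repeated password-reset attempts are worth an alert of their own.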
Try below settings, works for me.
Used the below JSON
{
  "accountEnabled": true,
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "kart.kala1@test.com"
    }
  ],
  "creationType": "LocalAccount",
  "displayName": "Joe Consumer",
  "mailNickname": "joec",
  "passwordProfile": {
    "password": "P#$$word!",
    "forceChangePasswordNextLogin": false
  },
  "passwordPolicies": "DisablePasswordExpiration",
  "givenName": "Joe"
}
Also make sure you assign the application the User Account Administrator role, which will allow it to delete users (link here).
Does anyone know how to retrieve D.O.B. through the Google OAuth API? I am able to get other information like name, email, gender by setting the scope as https://www.googleapis.com/auth/userinfo.profile. But I am not able to get D.O.B. with this scope.
I definitely get it for my account:
{
  "id": "108635752367054807758",
  "name": "Nicolas Garnier",
  "given_name": "Nicolas",
  "family_name": "Garnier",
  "link": "https://plus.google.com/108635752367054807758",
  "picture": "https://lh4.googleusercontent.com/-K1xGP8W20xk/AAAAAAAAAAI/AAAAAAAABhY/Cs_4qr30MxI/photo.jpg",
  "gender": "male",
  "birthday": "0000-08-25",
  "locale": "en"
}
All I did was authorize for the https://www.googleapis.com/auth/userinfo.profile scope and then send a GET request to https://www.googleapis.com/oauth2/v2/userinfo
First make sure that the Google+ account that you are testing with has set a Birthday (of course), then try the request on the OAuth 2.0 Playground for instance: https://code.google.com/oauthplayground/#step1&apisSelect=https%3A//www.googleapis.com/auth/userinfo.profile&url=https%3A//www.googleapis.com/oauth2/v2/userinfo
It seems you have to send 2 requests:
https://www.googleapis.com/plus/v1/people/me (oauth v1)
https://www.googleapis.com/oauth2/v2/userinfo (oauth v2)
to get both Google Plus profile data and Google account data (that is where the date of birth and also the locale are, if you need them).
I use Scribe and it works OK. Set two scopes ("https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.me") and send two requests for both REST links.