How to detect google enterprise account? - oauth-2.0

Google enterprise accounts do not have the common domain "gmail", for example tom@miracle.com, hela@bran.com. So there is no way of telling whether an account is a Google enterprise account or from a different email provider just by looking at it.
Is there any API provided by Google for knowing whether an account (say tom@miracle.com) is a Google account or not?

We can detect whether the account belongs to Google or any other enterprise by doing a simple DNS lookup of the MX data.
One such example is:
GET: https://dns.google/resolve?name=miracle.com&type=MX
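Parsing that answer in code, as an added example that is not part of the original answer: the responses below are constructed in the JSON shape dns.google/resolve returns (Status is the DNS RCODE, type 15 is MX, data is "<preference> <exchange>."), and the Google exchange names are the ones Google Workspace documents for MX setup. The caveat a practitioner should keep in mind is that MX tells you who receives mail for the domain, not that a given address is a Google account; a failed lookup is also deliberately kept distinct from "not Google".

```python
import json

# Constructed sample responses (not captured from dns.google).
GOOGLE_HOSTED = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "miracle.com.", "type": 15}],
    "Answer": [
        {"name": "miracle.com.", "type": 15, "TTL": 3600, "data": "10 aspmx.l.google.com."},
        {"name": "miracle.com.", "type": 15, "TTL": 3600, "data": "20 alt1.aspmx.l.google.com."},
    ],
})
OTHER_HOSTED = json.dumps({
    "Status": 0, "Question": [{"name": "bran.com.", "type": 15}],
    "Answer": [{"name": "bran.com.", "type": 15, "TTL": 300, "data": "10 mail.bran.com."}],
})
NXDOMAIN = json.dumps({"Status": 3, "Question": [{"name": "no-such-domain.invalid.", "type": 15}]})

TYPE_MX = 15
# Exchanges Google Workspace tells administrators to publish: the classic
# aspmx.l.google.com set (with altN. prefixes), the legacy googlemail.com
# backups, and the newer single-record smtp.google.com.
GOOGLE_MX_EXACT = {"aspmx.l.google.com", "smtp.google.com"}
GOOGLE_MX_SUFFIXES = (".aspmx.l.google.com", ".googlemail.com")


def mx_hosts(doh_json):
    """Return MX exchange hostnames (lower-cased, trailing dot removed).

    Raises ValueError on a non-NOERROR status so a failed lookup is never
    read as "not hosted by Google".
    """
    doc = json.loads(doh_json)
    status = doc.get("Status", -1)
    if status != 0:  # 3 = NXDOMAIN, 2 = SERVFAIL, ...
        raise ValueError("DNS query failed with RCODE %s" % status)
    hosts = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != TYPE_MX:
            continue  # CNAME records can be interleaved in the answer section
        parts = rr.get("data", "").split()
        if len(parts) != 2:
            continue  # malformed record, skip rather than crash
        hosts.append(parts[1].rstrip(".").lower())
    return hosts


def is_google_mx(host):
    """True only for Google's own exchange names, never for look-alikes."""
    return host in GOOGLE_MX_EXACT or host.endswith(GOOGLE_MX_SUFFIXES)


def classify_mail_hosting(doh_json):
    """'google' if every MX points at Google Workspace, 'other' if any does
    not (one non-Google exchange means mail can flow around Google), or
    'unresolved' when there is no usable MX answer."""
    try:
        hosts = mx_hosts(doh_json)
    except ValueError:
        return "unresolved"
    if not hosts:
        return "unresolved"  # NOERROR but no MX: not a Workspace-style setup
    return "google" if all(is_google_mx(h) for h in hosts) else "other"
```

Fetch the live JSON with `requests.get("https://dns.google/resolve", params={"name": domain, "type": "MX"}).text` and pass it to `classify_mail_hosting`; the suffix match is anchored on a leading dot so a host such as `google.com.evil.example` is not accepted.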

You can't tell from an email address: bob@example.com could be a consumer account, a managed user account, or even both (if it's a conflicting account).
Once the user has authenticated, you can identify managed user accounts by checking the hd claim.

Related

Fetch customer Id using email & Create new Google Ads Manager account

I'm using the Google Ads API PHP library in my system. But I didn't find the following 2 APIs in the API list provided here https://developers.google.com/google-ads/api/docs/account-management/create-account:
An API to find out whether the user already has a Google Ads account, using email? If found, it returns his 10-digit customer ID.
If the user's Google Ads account is not found, then create a new Google Ads account (a manager account on behalf of the customer through our PHP script), so that after creating it I can link it under my manager account.
I have seen the same process on a few sites. Whenever a user visits the system, he enters his email address, name, etc., then the script searches for his existing Google Ads account; if found, it returns the customer ID or some data and auto logs him in to the system, otherwise it creates a new Google Ads manager account for him.
Please let me know of any API or solution for these 2 cases.
1- You can use https://developers.google.com/google-ads/api/docs/account-management/get-account-hierarchy to find all the ads accounts under the manager account.
2- You can use https://developers.google.com/google-ads/api/docs/account-management/create-account to create a Google Ads account under the manager account.

Google Oauth recognizing G-Suite account

I am trying to add Google Sign-In to my application. I want to limit who can sign in to a list of allowed companies (i.e. a company that has a billing account with me). I intended to do this by limiting sign-in to only G-Suite accounts. Is there any way to check if a user is trying to log in with a G-Suite account, and is there any way to uniquely identify who owns the G-Suite (some kind of corporate identifier inside Google)?
For G-Suite you can use the Hosted Domain (hd) parameter within OpenID Connect.
Be sure to heed the details, as this only manipulates the UI and does not enforce it on the authorization request. The app must code the verification.
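What "the app must code the verification" looks like, as an added example that is neither part of this answer nor of the earlier one about the hd claim: the request side sends `hd` purely as an account-chooser hint, and the server side enforces the `hd` claim on the ID token. The token payloads and client id below are constructed, not real tokens; the code assumes the JWT signature has already been verified against Google's published keys (for instance with google-auth's `id_token.verify_oauth2_token`), since that step is what makes the claims trustworthy.

```python
import time
from urllib.parse import urlencode

GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def google_authorize_url(client_id, redirect_uri, state, nonce, hd="*"):
    """Build the OpenID Connect authorization request.

    hd="*" asks the account chooser to list only Workspace accounts; a
    concrete domain lists only that domain. It is a UI hint only: Google does
    not guarantee that the token you get back belongs to that domain.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "hd": hd,
    }
    return GOOGLE_AUTH + "?" + urlencode(params)


def check_hosted_domain(claims, client_id, allowed_domains, now=None):
    """Server-side enforcement on a signature-verified ID token payload.

    Returns (True, domain) when the login is from an allowed Workspace
    domain, otherwise (False, reason). Signature verification is assumed to
    have happened before this function is called.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != client_id:
        return False, "token was issued to a different client"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email address not verified by Google"
    hd = claims.get("hd")
    if not hd:
        # gmail.com users and unmanaged accounts on custom domains carry no hd
        return False, "consumer account (no hd claim)"
    hd = hd.lower()
    if hd not in {d.lower() for d in allowed_domains}:
        return False, "%s is not an allowed customer domain" % hd
    return True, hd


# Constructed payloads (not real tokens) for the two cases the question asks about.
CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"
WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "107691503500061507151",
    "email": "tom@miracle.com", "email_verified": True, "hd": "miracle.com",
    "iat": 1700000000, "exp": 1700003600,
}
CONSUMER_CLAIMS = {
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "118123456789012345678",
    "email": "tom@gmail.com", "email_verified": True,
    "iat": 1700000000, "exp": 1700003600,
}
```

The allowlist of `hd` values is the "corporate identifier" the question asks for: it is the Workspace domain Google asserts for the user, which is the thing to key a billing account on, not the e-mail address the user typed.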

Grant MS Graph access permissions from one account to others - is it possible?

My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires logging in using that account's credentials, and I wouldn't like to share the account's password (which I have) with those users.
Is it possible to grant permission to those users' accounts so MS Graph will allow them to read/write/send messages from that account once they have logged in? If so, how would it be done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. An administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant

How do I enable any domain to log into my Azure Active Directory app

My current application supports Microsoft and Google OAuth sign-in. The idea is to give users the option of signing in with their personal accounts for ease of access. This is working fine with Google, but AAD will only allow users with emails that end in the App ID URI domain to sign in,
e.g.: App ID URI = someOrg.com/guid and their sign-in = someUser@someOrg.com.
Attempting to sign in with a Microsoft account like an outlook or hotmail account redirects to a page saying:
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
Is there a way to allow AAD to accept any Microsoft account in the login, or can it only accept users in a single domain?
Basics
Yes! Check out https://aka.ms/aadv2. The v2 endpoint allows both personal Microsoft and Azure AD accounts to be signed in from a single app registration. You'll need to hit this special endpoint (can be done using the MSAL libraries) and set your app audience in the Azure portal.
Details...
By default and using the following URLs (note the common piece):
https://login.microsoftonline.com/common/v2.0/authorize
https://login.microsoftonline.com/common/v2.0/token
If set to common, your app can sign in any domain and personal Microsoft accounts.
Other options
For the sake of covering everything, here's the other options:
common->organizations: Only allow Azure AD accounts
common->consumers: Only allow personal Microsoft accounts
common->[tenant_id]: Only allow accounts from the specified tenant
MSA as a guest
The edge case you may need to address is a personal Microsoft account added as a guest to an Azure AD tenant. When the user hits common, they'll be signed in as a personal Microsoft account; however, they may intend to sign into their domain. You can build around this by introducing an "enter your email" screen, then passing this as a hint to Microsoft via the common endpoint.
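The two halves of this answer in code, as an added example that is not part of the original answer: building the v2.0 authorize URL for the chosen audience (with the e-mail from the "enter your email" screen passed as `login_hint`, and optionally `domain_hint` to steer an MSA-as-guest user to the tenant), and then deciding what kind of account actually signed in from the token's `tid` claim. The security point the answer only implies is that with `common` the issuer is tenant-specific, so the app cannot pin one issuer string and must instead tie `iss` to `tid` and allowlist the tenants it accepts. The full authorize path used here is the documented `/{tenant}/oauth2/v2.0/authorize`; the MSA tenant id is the fixed one personal accounts carry; the client id, tenant id and token payloads are constructed, and signature verification of the token is assumed to have happened already.

```python
import re
from urllib.parse import urlencode

AAD = "https://login.microsoftonline.com"
# Fixed tenant id that every personal Microsoft account (outlook.com, hotmail.com, ...) carries in tid.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def aad_authorize_url(audience, client_id, redirect_uri, state, nonce,
                      login_hint=None, domain_hint=None):
    """v2.0 authorize URL for audience 'common', 'organizations', 'consumers'
    or a tenant id. login_hint pre-fills the address the user typed;
    domain_hint sends an MSA-as-guest user to that tenant instead of the
    consumer login."""
    audience = audience.lower()
    if audience not in ("common", "organizations", "consumers") and not GUID.match(audience):
        raise ValueError("audience must be common/organizations/consumers or a tenant id")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    if login_hint:
        params["login_hint"] = login_hint
    if domain_hint:
        params["domain_hint"] = domain_hint
    return "%s/%s/oauth2/v2.0/authorize?%s" % (AAD, audience, urlencode(params))


def classify_account(claims, client_id, allowed_tenants=None):
    """Classify a signature-verified v2.0 ID token payload.

    Returns 'consumer', 'organization' or a 'rejected: ...' reason. The
    issuer is checked against the token's own tid because under 'common'
    there is no single issuer to compare with."""
    if claims.get("aud") != client_id:
        return "rejected: wrong audience"
    tid = (claims.get("tid") or "").lower()
    if not tid:
        return "rejected: no tid claim"
    if claims.get("iss") != "%s/%s/v2.0" % (AAD, tid):
        return "rejected: issuer does not match tid"
    if tid == MSA_TENANT_ID:
        return "consumer"
    if allowed_tenants is not None and tid not in {t.lower() for t in allowed_tenants}:
        return "rejected: tenant not allowed"
    return "organization"


# Constructed identifiers and payloads (not a real app registration or real tokens).
CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"
CONTOSO_TID = "11111111-2222-3333-4444-555555555555"
ORG_CLAIMS = {
    "aud": CLIENT_ID, "tid": CONTOSO_TID, "iss": "%s/%s/v2.0" % (AAD, CONTOSO_TID),
    "preferred_username": "bob@contoso.com", "sub": "AAAAAAAAAAAAAAAAAAAAAE1",
}
MSA_CLAIMS = {
    "aud": CLIENT_ID, "tid": MSA_TENANT_ID, "iss": "%s/%s/v2.0" % (AAD, MSA_TENANT_ID),
    "preferred_username": "bob@outlook.com", "sub": "AAAAAAAAAAAAAAAAAAAAAE2",
}
```

For the guest case the screen's e-mail goes into `login_hint`, and if the user says they want their work tenant, its verified domain goes into `domain_hint`; whatever the user picks, the decision about which accounts are acceptable is made by `classify_account` on the token, not by the URL.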

What Google Account is associated with an OAuth Client ID?

We have some old configurations which make use of an OAuth Client ID, and we're trying to determine which Google Developer account created it.
We have both the client ID and secret. Is it possible for us to determine which Google account they're associated with? We'd prefer not to have to switch to a new account. Any help is appreciated, thanks!
Is this client ID still used on some website for sign-in? If so, you could try to sign in with an account that hasn't authenticated yet, and in the auth window click on the app name to get the developer info, including the email address, which should match the Google account you are looking for.
