Password validation for Google G Suite Users - oauth-2.0

This FreeRadius module authenticates an Azure AD user using his/her username & password based on OAuth2:
free-radius-oauth2-perl
I would like to achieve the same process but authenticating Google accounts instead. Specifically, Google accounts managed through GSuite (now: Workspace). For Azure, there is a "token_endpoint" URI which you can use to send the user's name and password and it will return a token if the user is valid and the password is correct.
For Google, I found this: Google OAuth OpenID
But it states that the only implemented grant_type is authorization_code which is not what I need (I need password)
I also looked at the Admin SDK for Workspace but I only found a signOut method, not a signIn or similar.
Any idea how to validate that a Google account exists and its password is correct?

Related

Apgigility OAuth2, link between User and Client/AuthorizationCode

I'm struggling with OAuth2 authorization, authentication and user linking.
What I've done so far:
I've created a client and it's secret.
All redirects and so on are working. Grant type password works for own native app (e.g. Android and iOS)
But for access token, user_id is NULL if grant type is Authorization code.
How can I assign a user to access token or authorization code?
Is there a module for Apigility to provide login screen? I only get asked for "allow" or "disallow" application but I'm never asked for a username and password.
Update:
Question is related to provide OAuth2 access third party pages, e.g. IFTTT. They open /oauth/authorize page and somewhere I have guide user to a login?! to determine related user? Is there an existing module for this?
Third party sites, e.g. IFTTT do not use password grant type for security reasons. And compared to other pages the workflow is: Is user authenticated? Yes: Show Accept/Decline button. No: User has to login and will be redirected afterwards to /oauth/authorize page. So is there a common way in apigility to check if user is logged in and if not, redirect to a login mask?
To authenticate with username and password using OAuth2 you should use the grant_type=password.
I'm not sure if there is a login screen in Apigility. But I don't think it should have it, because Apigility already allow this by one or more endpoints through OAuth2, more specifically by OAuth2 Server Library for PHP.
How to do
Add the grant type to client:
On your client table (oauth_clients.grant_types column) set "password".
Create a new authentication adapter type=oauth2.
Create a post to the authetication url like below.
url=localhost:8080/oauth, where localhost:8080 is where the apigility is running and /oauth is the configured auth adapter url.
payload:
{
"username": "USERNAME",
"password": "PASSWORD",
"grant_type": "password",
"client_id": "CLIENT_ID"
}
When login successfully it will return the access token.

How to get creation date of gmail account in Google OAuth 2

I am working on Google OAuth 2.0, to get information about the users logged in through Google OAuth 2.0. There is a variety of scopes available like
For getting the user basic profile there is OAuth scope available called profile which is internally converts to a URL https://www.googleapis.com/auth/plus.profile and for knowing the logged in user's email id there is a Oauth scope called email which results in URL https://www.googleapis.com/auth/userinfo.email.
Now my question is: How to get the creation date of the gmail account of an user?
Is there any OAuth scope available for getting how old the gmail account of logged in user?
According to Google API People resource , It doesn't have a property to check the creation date. It might be a security risk as when user forget the password, Google asks for the registration date of account.

Redirect user to gmail after login

I have employees on google apps id like to authenticate (with their google apps username and password) at login.mydomain.com > authenticate without being redirected to the google login page > send them to gmail.
Would I do this via Oauth 2.0 or OpenID? A simpler method perhaps?
Of course you can use oAuth.
you could use Google Accounts as your identity provider, and configure your resource-server (your application, I guess) to redirect your users to Google account, and give their creds there.
The flow: your users will try to access your resource-server (your app?), then, since it is protected by oAuth, they will be redirected to Google Accounts for authentication and authorization. after authentication, oAuth mechanism will redirect your users back to the original URL (your app)
HTH

OAuth2 - Authorizing against another OAuth sever

I am building an OAuth server and understand the concept of the "Resource Owner Password Credentials" grant method. The user supplies a username and password and the grant_type is set to "password".
However, when the users authenticates using a social network such as Facebook, what grant_type should be specified and what is the suggested flow for handling this type of authentication?
The grant_type would be similar to password, but instead checking the username and password I would be checking the user_id returned from the social network.
I have checked the standard but it does not mention this type of flow.
How should an OAuth server authorize against another OAuth server?
There are different implementations about this. Most of the websites doesn't need any grant_type however, some of them are still using grant_type as password. When the user connects to facebook (installs your facebook app), if the user needs to be registered you can assign him/her a random password or you can still ask the user to register with password. So, the grant_type will be password still.

Google Openid authentication and identification of Domain Admin

I have implemented Google openid authentication for my web application (ruby on rails) , now once authenticated how am i suppose to get the status of that particular user ? like if the user which has been authenticated is a domain admin or not ? i have googled it a bit and came up with Google provisioning ApI and ClientLogin authentication process.... but in case of Clientlogin authentication one has to provide username#domain.com plus the password in the function...
In all i want to know, is their a way to know that a person authenticated by Openid is a domain owner or not ??
According to the open-id specs these are the attributes you can retrieve from your open-id provider (Ex: Google).
http://www.axschema.org/types/

Resources