Our company uses Sign in with Google to log into various third party applications (e.g. Atlassian Jira/Confluence, Coda, Dropbox, Hubspot etc.).
I have been able to use the Admin SDK to get API access to each user's email, calendar, drive via the domain-wide delegation. Is it possible to delegate access to all the third-party apps that are connected to the user's Google accounts too?
Ideally, I want to be able to use the third-party APIs (just the way I'm able to use Gmail, Drive, Calendar APIs) on behalf of the users—without having the users grant my application explicit access (via OAuth) for each third-party app.
It really depends on the third party app. As you noticed your users can give you (scoped) access to some other app (GSuite apps for your example) but there are more apps out there!
What prevents your user to give you access to other third party apps is the third party apps implementing this.
Let's say your users log in to spotify using a Google account for which you have scoped access to say, gmail. Your app picks up that there is a new service in town by reading the registration email from spotify and prompts the user to give access to say manage playlists and play music apt to the email begin written.
If spotify does not implement an API where the user can grant access to an app this can't be done. Also the user must grant access to some resources, say playlists, and everything else will not be available to you.
Each user must grant access, usually in form of a token that is negotiated between the service you want to call on behalf of the user, say spotify, and your app.
In our example it's spotify that grant access once you present your token and the only way to get a token would be to ask the user a grant which is usually done through some OAuth dance.
GSuite has many apps and you can set up different policies but spotify is a different app/company and is not covered by your domain-wide delegation so you really need to ask the user and the user has to grant you access.
If by any chance the third party app has some strange deal with GSuite that's another story but this is the general case.
Related
I am providing sign in with google functionality on my application. Users are able to successfully login using that but my application is not showing in "Manage third party apps" section of user's google account when they login. So they do not have an option to revoke access for my app. Any ideas on what I am doing wrong here I want my app to be listed in users "Manage third party apps" section when they login successfully.
I think you are miss understanding what third party apps is. You may want to consult Manage third-party apps & services with access to your account
For example, you may download an app that helps you schedule workouts with friends. This app may request access to your Google Calendar and Contacts to suggest times and friends for you to meet up with.
Third party apps use Oauth2 to request your consent for the application to access your data. When you consent to this the application in question is given a token (refresh token) which will allow them to access your data until you revoke that access. They can access this data without you being there. So they could have something running every night to harvest your data. They have access even when you are offline. The way you revoke it is though the security page on your google account.
Sign-in does not grant any access in that manner. For signin to work you the user must be behind the machine when it is running. The application you signed into cant access your data when your offline.
There is no way for you to know which applications you have signed in using your google account. Unless they also requested some Oauth2 consent.
So again sign in is Open IdConnect and does not make it by itself a third party app. They have no access to your data after you are gone. Signin only works when the user is behind the machine.
As like oAuth we can synchronise users authentication information with third party applications or websites, I want to integrate iCloud calendar service with my rails application. From where on button click user is asked to provide their iCloud credentials and after verifying user my rails app should allow that user to access his iCalendar events(Dynamic event generation).
I already tried to add iCloud calendar account with chronofy but it's not recognising my APP-SPECIFIC-PASSWORD.
So is this possible, preferably with some kind of oAuth setup as we do it with Google Calendar? or are their any API which can carry out my task, if so where can I find documentation on the API?
Apple do not provide a public OAuth mechanism for iCloud so its not possible to access their API directly
I am creating an iOS app for internal use. We have a Google Domain. As part of the functionality of the app, I want to be able to search for all users in that domain. This can already be done in Gmail, the Apple Mail app, and others.
I found that you can use the Admin SDK for users.list to do exactly what I want to do. I created a Client ID for the iOS app and authorized my app to perform users.list.
However, now I get a permissions error for users who sign in with OAuth2:
I found that you can create a service account to make API requests on your behalf if you delegate it to have the authority. I'm not sure if this is what I want to do since this seems more like something for a secure server to do rather than an app. I'm also not sure how this integrates with a user (from our domain) who signs in with OAuth being able to list our users.
Is it possible to list/search the users in a Google domain purely through OAuth / frontend app?
Aside from caching your own list, I think there are two ways to give users the ability to list all users:
A. Undocumented call to this GAL API:
https://www.google.com/m8/feeds/gal/your-domain-goes-here/full?alt=json (source). You can test this in the Google OAuth Playground by selecting the scope for the Contacts V3 API or using the string https://www.google.com/m8/feeds/.
B. In the Admin console, create an "all users" group. Assign to a newly created Admin Role. Grant the admin role "read" in Privileges > Admin API Privileges > Users > Read (checked).
I am trying to achieve the following:
an authenticated user uploads a video on my web application
my web app stores the video, logs it in our database etc. then connects to a Google account and makes a request to upload the video to a Youtube channel within that google account
I've created the Google account, enabled the youtube API, configured OAuth 2.0 access etc, but I'm not sure that any of the documented workflows meet my requirements. (For example I don't want any user interaction as part of the authentication process).
It looks like a Service Account ( https://developers.google.com/accounts/docs/OAuth2ServiceAccount ) is what I need, however these accounts dont appear to support all Google APIs, or at least not youtube.
Does anyone have any advice / has anyone implemented something similar?
When you say ... "For example I don't want any user interaction as part of the authentication process", how will that work.
The user might not be logged in to Google, or might be logged in to multiple accounts so will have to choose which account to use for your app. So the potential for user interaction is unavoidable.
Once the user has authorised your app, logged on to your app (ie. accessed it and you've stored his user id in the session), then future accesses will be devoid of user interaction; at least until he logs off.
The difference between service accounts and user accounts is not the auth flow. The difference is that with a user account, the API access is by the user via your app (so the video will be "owned" by the user. With a service account, your app IS the user (so the video will be owned by you).
I'm not saying that Service Account is wrong for you, just that your reason for going that way is not quite right.
In general, what's the best practice to authenticate a user via 3rd party (say Twitter) using iOS's ACAccountStore and then tie it to an existing user in my own service assuming that they were logged in already? Can I access and store the account credentials remotely over ssl, or is there a better way?
And if they had to re-login via Twitter, I could just search for the user with that twitter handle to know what backend user is tied to this account, yes?
And lastly if I wanted to be able to login via a browser later on, I would get new oauth credentials for the webapp as well, but could search for a user with the same Twitter account info and store these credentials as well, and know that they all refer to the same person, correct?
What you're asking involves many levels of a system "stack" that are custom to a particular environment. What is "correct" vs "incorrect" is dependent upon the environment you've set up and are connecting to from your iOS app.
So from what it sounds like you're leveraging iOS's Twitter functionality to create a Single Sign On (SSO) experience. There are several guides on Twitter's site for doing what you want to accomplish:
Integrating with Twitter on iOS: Single Sign On
Using Reverse Auth to Get OAuth Tokens on iOS - you can then store these server-side
Migrating tokens to system accounts - how you get OAuth tokens from your webapp to iOS.