we developed a very simple Tab app that will bring out application to Teams. We wanted to use Single Sign On so not to require the user to register with our app but to authenticate her/him immediately by taking the name and the email from the requested token. We followed thoroughly this Doc page Single Sign-On and all works well in the account that the app was developed. But when we try to install on another account, we couldn't get the token. microsoftTeams.authentication.getAuthToken(authTokenRequest) returns error that the app is not authorized. The strange thing is that no consent screen is presented to the user so I really don't know how to let the user authorize the app. I thought this is part of the flow. Any ideas? Thank you.
Please note that the app is allowed to work in "Accounts in any organizational directory".
Related
I'm developing an app with a team - I am on the business end (not a coder). The app calls for sign-in with google functionality.
The team integrated this, but currently it requires that the user select his/her google login account, then manually enter their password if they're not already signed into their google account in the default browser.
This is a problem, as many google users (including myself) don't know my password by heart as its complex - it also requires the user exit the app which isn't ideal. Is there a way to make this more streamlined? I believe I have seen this with facebook logins where the user only needs to click 'accept' and they are returned to the app and logged in - no need for password.
Thanks for any input.
Bonus questions:
How did the browser know the user's existing login accounts?
This sign-in with google page is loading in the language of my current country rather than language of the user's google account. Can this be changed?
As far as I am aware, the user must be signed into the default browser in order to get the behavior you looking for. Once signed in, entering a password will no longer be needed unless the login is expired. I think this behavior is by design and is for security purposes.
Bonus questions:
Most probably it is using cache/cookies.
According to Google documentation, seems like there is no way to change the language (but I might be wrong).
TLDR: I've been struggling with the new Sign in with Google functionality and especially the part how I can let the user stay signed in. What I understand from the docs is that Google only tells "this is a user who would like to sign in" but basically I would still need to create my own backend to track that user.
Note this question is about the new Sign in with Google functionality, all the guides/questions I can seem to find are about legacy sign-in and this is quite well described here:
https://developers.google.com/identity/sign-in/web/server-side-flow
What confuses me most is basically already stated in the beginning of the guide:
https://developers.google.com/identity/gsi/web/guides/overview?hl=en#user_sign-in_to_your_site
You'll manage per user session state for sign-in to your site.
User sign-in status to their Google Account and your app are independent of each other, except during the sign-in moment itself when you know that the user has successfully authenticated and is signed into their Google Account. Users may remain signed-in, sign-out, or switch to a different Google Account while maintaining an active, signed-in session on your website.
I understand the basic principle behind OAuth and the part where you have to exchange the authorization code for an access token and you can verify this access token (which is perfectly described in the legacy guide), but this is now only required for OAuth2 in order to access personal data. If I understand correctly this access token can be used as an identifier for a specific session (as alternative to a password or session cookie).
With the new sign in policy you will only get a JWT which identifies the user. Also apparently the only way to get a JWT is as a response when the user clicks the Sign in with Google button and selects the account in the consent screen (which ideally should only occur once).
What I actually want to achieve is that when a user enters the site I want to send a request "Hey Google this user is visiting my site, do you recognize this session and is it still valid".
Maybe I'm thinking way too difficult, but what I just don't understand is how can the new Google Login actually help me remember and validate users?
After some more digging around I found a lead on this page: https://developers.google.com/identity/gsi/web/guides/migration#object_migration_reference_for_user_sign-in
Basically what I am looking for was provided by the depreciated GoogleAuth.isSignedIn.get() function, but the notes clearly show:
Remove. A user's current sign-in status on Google is unavailable. Users must be signed-in to Google for consent and sign-in moments.
Combined with the prior statement:
You'll manage per user session state for sign-in to your site.
To validate the assumption I did some testing with other web services where I logged in using Google, revoked the log-in access for that website from the Google console and when revisiting that website I was still logged in to the website.
My conclusion:
Google login only verifies the initial login
Google basically responds with "Yes this is a valid user"
I have to keep track of the user session using cookies/databases myself
It seems this used to be possible, but not anymore. Here's my dilemma: I'm creating an iPad educational software app, and I want to let students log in with their Google Apps for Education accounts using OpenID-Connect.
... I guess my first question is: is the current Google+ SDK the right way to perform login against GAFE? What about the forthcoming "Google Classroom"?
So say I do this - the student pushes the "login with google button", the sdk performs an app switch to safari and lets the user log in to their google account, push the permissioning buttons, and app-switches back to my app, and the user is now logged in. Fine. At the end of the class period, the user logs out of my app and hands in their device. The next period, though, another student logs in, and because the first user has forgotten to also log out of google in safari, the second user has access to their account.
... My second question is: is this a valid concern? Seems like this would be a pretty common usage pattern.
... Third question - can I get around this? Can I make Google+ sdk use an internal UIWebView, or no web stuff at all? This is what seems like used to be possible, but no longer...
EDIT: Spoke to google tech support for apps-for-enterprise (thx M!) and they say that there is no way to authenticate against google openid-connect without going through a browser. This is, I believe, a security problem - students being kids, they will forget to log out of the browser, and the next kids will get into mischief. Oh well.
The GPPSignin class describes itself as:
It provides single sign-on via the Google+ app (if installed), Chrome
for iOS (if installed), or Mobile Safari.
Internal web views are not mentioned. You may need to implement OAuth2.0 on your own to allow your internal UIWebView to manage authorization.
Google publishes an API which includes a method to signOut. You can use it at your app's discretion in addition to the SDK requirement that a user be able to sign out manually.
https://developers.google.com/+/mobile/ios/api/interface_g_p_p_sign_in
Say that you have an iOS app, and a user that has one or more Twitter accounts set up on their device. Is it possible to load part of Twitter's mobile site into a UIWebView within the app with the user automatically signed in as one of those accounts?
Obviously, accessing the accounts would require the user's permission, which is fine. And probably after the first time, the site would remember the user anyway. But it would be nice to not force the user to enter their credentials again.
I know that I can use Reverse Auth to get OAuth tokens for an iOS Twitter account, but I haven't found anything concrete to allow me to exchange those tokens for authentication on twitter.com.
Well, according to Twitter's Taylor Singletary, it's not possible. Boo.
I've got a company web app. I have integrated it without much problems with Twitter.
This means, when a staff of our company creates a new product, it posts onto the company's profile on the Twitter web site as well.
However, Facebook is another story. Facebook encourages registrants to sign up as "individuals".
For example, on the registration page:
You are not allowed to put generic emails such as (support#company_email.com, sales#company_email.com)
You may not have the first and last name as a company entity. For example Foo Distribution or Foo Inc
Their automated system simply rejects any clever attempts to register as a "non-individual". With Twitter, it was a breeze. Since Twitter allows / encourages companies to register an account with them directly, and not as individuals.
Moving along on Facebook, I found out that I can create a 'page'. Which I can use for the company. It has the option of allowing other "individuals" to be admin of the page. However, this would mean that each staff would need a Facebook account.
I don't really like this approach, since some of our staff may be negligent with their Facebook passwords. I rather have our web app have one 'method' of accessing Facebook's API isntead, the way it is done with Twitter.
How else would you go about this?
I'd make yourself the admin of the page, install an app that you develop, and then let your users make posts to the page through that app. This way, you're controlling access to the page while letting your users still have access to it.
You'll need to use an offline_access-enabled access token for this to work continuously (permissions documentation), and if that token changes, you'll have to log in yourself and refresh that token (it can change when you change your password or uninstall/reinstall the app). Additionally you'll need a manage_pages permission, and you'll need to use the access_token for your page that you can find in /me/accounts to make posts to the page.