We have an instance of IdentityServer4 running and use it internally for our apps. Those app clients have the property RequireConsent set to false. The result is, you go to the app's website (app1.website), you are redirected to the identity server website (identity.website), where you log in, and are redirected back to app1.website.
We also allow 3rd parties to build apps or integrations against our system. In their case, every user needs to approve the app on a consent screen before they can get the refresh token for that user. There are 2 ways this can play out:
1. The 3rd party has user management of their own. In that case they only need 1 user who initiates the connection, and this user's token is used for every further interaction with our system.
2. The 3rd party doesn't have their own user management and instead relies on our identity server to authenticate users. This is something we want to encourage more in the future, as it helps our partners build their apps faster, since they don't need to deal with the whole user flow, like confirm email, forgot password, ...
However, the problem with option 2 is that our app (which is B2B) has a user structure similar to Slack's. When one user in an organization has approved an app, others should be able to use it without the need for a consent screen (especially since not all users are allowed to approve apps).
In the current scenario, if the organization owner, Alice, approved the 3rd party app X and told Bob to use it, Bob would still see a consent screen. If Bob were also an organization owner, he could approve the consent screen, but if he were just an intern in the company, he wouldn't be able to use the app X.
What I'd really want is to approve a 3rd party app on an organizational level. In Azure Active Directory, what I'm looking for seems to be called Tenant Admin Consent. There is a similar question, How do I trigger the admin_consent flow using IdentityServer 4 for a multi-tenant app? - however, we aren't using IdentityServer 4 as a middleman; it is the final user management instance.
How can I configure / extend IdentityServer4, so that if the second user, from the same organization, tries to use an app, their refresh token will be automatically generated, without a consent screen?
Update: It's not about replacing Option 1 with Option 2. Big providers will keep their custom user management. But small app providers should be able to re-use our user management features. Once an app is "tenant wide" connected, any user from that tenant should be able to access it, as if the app config was RequireConsent=false (other tenants would still need to connect it with a consent screen first).
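The decision the question is asking for, sketched as an added example (this is not IdentityServer4 code and not from the original post): a consent store that records grants per tenant in addition to per user, and a `requires_consent` check that answers the way a custom consent service would when a user reaches the authorize endpoint. The `tenant_id` and `is_tenant_admin` attributes stand for claims the identity server is assumed to hold about the user; all client, user and scope names are constructed.

```python
"""Tenant-wide consent decision (constructed example, not IdentityServer4 code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Client:
    client_id: str
    require_consent: bool        # mirrors IdentityServer4's Client.RequireConsent
    allowed_scopes: frozenset    # scopes the client is registered to request


@dataclass(frozen=True)
class User:
    sub: str
    tenant_id: str               # assumed custom claim: the user's organisation
    is_tenant_admin: bool        # assumed claim: only admins may approve apps tenant-wide


class ConsentDenied(Exception):
    pass


@dataclass
class ConsentStore:
    # (tenant_id, client_id) -> scopes granted for the whole tenant
    tenant_grants: dict = field(default_factory=dict)
    # (sub, client_id) -> scopes granted by that one user
    user_grants: dict = field(default_factory=dict)

    def grant_tenant_wide(self, user, client, scopes):
        """Record an organisation-level approval. Refuses non-admins and any
        scope the client is not registered for, so a tenant grant can never
        widen what the client was allowed to ask for."""
        if not user.is_tenant_admin:
            raise ConsentDenied(f"{user.sub} may not approve apps for tenant {user.tenant_id}")
        scopes = frozenset(scopes)
        if not scopes <= client.allowed_scopes:
            raise ConsentDenied("requested scopes exceed the client's allowed scopes")
        key = (user.tenant_id, client.client_id)
        self.tenant_grants[key] = self.tenant_grants.get(key, frozenset()) | scopes

    def grant_user(self, user, client, scopes):
        """Record an ordinary per-user approval (the existing behaviour)."""
        key = (user.sub, client.client_id)
        self.user_grants[key] = self.user_grants.get(key, frozenset()) | frozenset(scopes)

    def requires_consent(self, user, client, requested_scopes):
        """True when the consent screen must be shown. Clients with
        RequireConsent=false never ask; otherwise an existing grant that covers
        every requested scope suffices, and a tenant-wide grant counts as much
        as the user's own. A partially covered request still prompts."""
        if not client.require_consent:
            return False
        requested = frozenset(requested_scopes)
        covered = (self.tenant_grants.get((user.tenant_id, client.client_id), frozenset())
                   | self.user_grants.get((user.sub, client.client_id), frozenset()))
        return not requested <= covered
```

With this in place the flow from the question works out: Alice (tenant admin of "acme") approves app X once, Bob from the same tenant is no longer prompted, and a user from another tenant still is. The check that a tenant grant cannot exceed the client's registered scopes is deliberate; without it an organisation-wide grant would be a convenient place for scope creep.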
Related
We are building a web app that lets Office365 customers create a realistic plan for their week, by showing them how much time they actually have to work each day (it's called Weekly if you're interested).
The problem we are running into however is that some companies, primarily large ones, block apps entirely from making Microsoft Graph calls to their users. What's tricky is that we send them to Office365 to grant us permissions, their company blocks the access request, and we never see those users again, so we currently don't have any way of knowing what happened.
We'd like to be able to display our own message that says something like "Your company has blocked access to our application, please contact your IT department for help".
Is there any way of knowing before sending the user over to grant access that their company (the domain) even allows apps? If not is there some way to send the user back to the requesting app with some details about why the grant failed (did the user not grant permissions, did the company block access, etc.)?
Thanks for your help!
If the administrator disables the ability for users in the organization to consent, then the error message will be something like:
AADSTS90093: An administrator of {tenantDisplayName} has set a policy that prevents you from granting {name of app} the permissions it is requesting. Contact an administrator of {tenantDisplayName}, who can grant permissions to this app on your behalf.
https://apps.dev.microsoft.com/portal/tools/errors?errorName=graph_user_unauthorized
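Turning that error into the message the question wants to show, as an added example that is not part of the answer above. It assumes the authorization server sends the user back to the app's redirect_uri with the standard OAuth 2.0 `error` and `error_description` query parameters, with the AADSTS code embedded in the description as quoted; cases where the user never returns to the app at all (as the question also describes) cannot be seen by this code. The callback URLs are constructed, and the `state` check is included because a callback handler that maps errors to messages should still refuse responses it did not initiate.

```python
"""Classify an OAuth 2.0 callback from Azure AD (constructed example)."""
import hmac
import re
from urllib.parse import parse_qs, urlparse

AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Codes meaning an admin policy, not the user, refused consent.
# 90093 is the one quoted above; add others only after checking the
# Azure AD error reference.
ADMIN_POLICY_CODES = {"90093"}

BLOCKED_MESSAGE = ("Your company has blocked access to our application. "
                   "Please contact your IT department for help.")


def classify_callback(callback_url, expected_state):
    """Return (outcome, message) for a redirect back from the authorize endpoint.

    outcome is one of: "code" (success), "state_mismatch", "admin_blocked",
    "user_declined", "other_error". message is what to show the user, or None.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    # Refuse the callback if state does not match the value we issued for this
    # session; otherwise a crafted URL could inject a code or error into it.
    if not hmac.compare_digest(state, expected_state):
        return "state_mismatch", "Sign-in response did not match this session; please try again."
    if "code" in qs:
        return "code", None
    error = qs.get("error", [""])[0]
    description = qs.get("error_description", [""])[0]
    match = AADSTS_RE.search(description)
    code = match.group(1) if match else None
    if code in ADMIN_POLICY_CODES:
        return "admin_blocked", BLOCKED_MESSAGE
    if error == "access_denied":
        return "user_declined", "You declined to grant the permissions our app needs."
    return "other_error", f"Sign-in failed ({error or 'unknown error'})."
```

Logging the raw `error_description` server-side (not just the friendly message) is what makes it possible to discover new AADSTS codes worth mapping.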
So I was following the below (classic) tutorial for spring boot with facebook:
https://spring.io/guides/tutorials/spring-boot-oauth2/
Everything is working fine, however I can't find documentation to help me implement my specific use case. So here it goes:
- I'll have two Facebook apps: one for the owner and another for the regular user
- These two Facebook apps will ask for different permissions (ex: the owner app will ask for permission to post on the fan page and the regular user app will only ask for basic user info)
- There will be two real applications: one mobile (iOS and Android) and another browser-based application (that's not really relevant)
- The REST API will be secured based on roles, meaning that the owner will have the OWNER role and the regular user will have the REGULAR_USER role, so that, for example, the regular user won't be able to call the API to post on the fan page
- Both applications will make it possible to log in with or without Facebook, because I need a users table to store more information and so on
- Eventually a regular user can log in as owner if he/she downloads the owner app
So, to summarize, I need:
- Two Facebook apps to be backed by the same Spring Boot application
- The ability to authorize a user with APP ID X and assign the OWNER role, and the ability to authorize a user with APP ID Y and assign the REGULAR_USER role
- To be able to configure (in the YML) two different Facebook apps
- The user to be able to merge an existing account with Facebook if he authorizes later on
I guess that's it. I'll edit later if I find more useful information to provide.
Thanks!
There is Dave Syer's project that shows how to set up an Authorization Server and multiple Resource Servers in the same app.
Similar question with solution: OAuth2 SSO for multiple resource servers with spring boot and jHipster
I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign-on portal should give users the option to sign in with their individual account (which should be verified against AD) or their Facebook/Twitter account. What I'm still in the dark about is whether the application/authentication flow I came up with is actually feasible. This is how it should work:
User logs into the SSOP with his AD account (using a custom form where he enters these credentials). The SSOP verifies these credentials against AD and logs the user into the SSOP accordingly. The SSOP then offers the user to start any of the applications he has access to (based on his group memberships in AD). These applications are built by various third parties and are not all .NET based. Clicking one of these applications in the SSOP should log the user into this application using the credentials authenticated against AD that were used to enter the SSOP. I currently do not know how this should be done, e.g. by using claims or some sort of auth token? Obviously the receiving application should support whatever option we choose, which means we're looking for a best practice of some sorts.
The social login part of the SSOP should work somewhere along the following lines: The user logs in using his social account. The first time he does, he also has to enter his AD account credentials so we can link his social account to a specific AD account. Every subsequent time the user logs in with his social account the SSOP should log in the linked AD user. That way the SSOP always uses a valid AD account to authenticate to the applications it offers the user. This also makes it easier to administrate the user base since these are all stored in AD. The social login links and any other SSOP specific data is stored in a custom data store (MS SQL db).
I've been looking into the ThinkTecture IdentityServer, but have yet to figure out how it can be used in this scenario or if this scenario is even feasible.
So, the question basically is: is this authentication flow even possible or remotely best practice? If so, where to begin? And if not, what is?
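One concrete shape the "claims or some sort of auth token" hand-off can take, as an added example that is not part of the question (the page carries no answer to it): the portal issues a short-lived, signed, audience-restricted JWT carrying the AD account and its group memberships, and each launched application verifies it before trusting the claims. HS256 with a per-application shared secret is an assumption made here so the block runs with the standard library only; a deployment with many third-party apps would more likely sign with RS256 so that apps hold only a public key. The issuer URL, user names and groups are constructed.

```python
"""Signed claims token from an SSO portal to a target application (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

PORTAL_ISSUER = "https://ssop.example.internal"   # assumed identifier for the portal


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, audience: str, ad_user: str, groups, now=None, ttl=300):
    """Portal side: mint a JWT for exactly one application (aud) with a short lifetime.
    The subject is always the AD account, also when the user signed in socially,
    which is what keeps AD the single source of truth for the applications."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": PORTAL_ISSUER,
        "sub": ad_user,
        "aud": audience,
        "groups": sorted(groups),
        "iat": now,
        "exp": now + ttl,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, expected_audience: str, token: str, now=None):
    """Application side: check algorithm, signature, issuer, audience and expiry
    before using any claim. Returns the claims dict or raises ValueError."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")   # never let the token choose the algorithm
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != PORTAL_ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different application")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims
```

The audience check is the part that matters most for a portal fronting many applications: without it, a token handed to one (possibly third-party) application could be replayed against another.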
I am trying to achieve the following:
- an authenticated user uploads a video on my web application
- my web app stores the video, logs it in our database etc., then connects to a Google account and makes a request to upload the video to a YouTube channel within that Google account
I've created the Google account, enabled the YouTube API, configured OAuth 2.0 access etc., but I'm not sure that any of the documented workflows meet my requirements. (For example I don't want any user interaction as part of the authentication process).
It looks like a Service Account ( https://developers.google.com/accounts/docs/OAuth2ServiceAccount ) is what I need, however these accounts don't appear to support all Google APIs, or at least not YouTube.
Does anyone have any advice / has anyone implemented something similar?
When you say "For example I don't want any user interaction as part of the authentication process", how will that work?
The user might not be logged in to Google, or might be logged in to multiple accounts so will have to choose which account to use for your app. So the potential for user interaction is unavoidable.
Once the user has authorised your app and logged on to your app (i.e. accessed it and you've stored his user id in the session), then future accesses will be devoid of user interaction, at least until he logs off.
The difference between service accounts and user accounts is not the auth flow. The difference is that with a user account, the API access is by the user via your app (so the video will be "owned" by the user). With a service account, your app IS the user (so the video will be owned by you).
I'm not saying that Service Account is wrong for you, just that your reason for going that way is not quite right.
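The user-account path the answer describes, written out as an added example (not from the original post): the channel owner approves the app once, interactively, and from then on the server refreshes access tokens itself with no user present. The authorization URL parameters (`access_type=offline`, `prompt=consent`) and the token-endpoint form fields are Google's documented OAuth 2.0 ones; the HTTP transport is injected so the block runs offline against a constructed stand-in for the token endpoint, and the client id, secret and token values are constructed.

```python
"""One-time consent, then unattended token refresh (constructed example)."""
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
UPLOAD_SCOPE = "https://www.googleapis.com/auth/youtube.upload"


def build_consent_url(client_id, redirect_uri, state):
    """The single interactive step: the channel owner, not the uploading
    end user, approves once. access_type=offline asks for a refresh token;
    prompt=consent forces one to be issued even if the owner approved before."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": UPLOAD_SCOPE,
        "access_type": "offline",
        "prompt": "consent",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


class TokenCache:
    """Keeps the long-lived refresh token server-side and mints short-lived
    access tokens without any user interaction."""

    def __init__(self, client_id, client_secret, refresh_token, post, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = refresh_token   # store encrypted at rest in a real deployment
        self.post = post                     # callable(url, form: dict) -> dict (parsed JSON)
        self.clock = clock
        self.access_token = None
        self.expires_at = 0.0
        self.refresh_calls = 0

    def get_access_token(self, skew=60):
        """Return a valid access token, refreshing when within `skew` seconds of expiry."""
        if self.access_token is None or self.clock() >= self.expires_at - skew:
            body = self.post(TOKEN_ENDPOINT, {
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self.refresh_token,
                "grant_type": "refresh_token",
            })
            if "access_token" not in body:
                # e.g. {"error": "invalid_grant"} once the owner revokes access:
                # surface it so an operator can redo the one-time consent step.
                raise RuntimeError(f"refresh failed: {body.get('error', 'unknown')}")
            self.access_token = body["access_token"]
            self.expires_at = self.clock() + float(body.get("expires_in", 3600))
            self.refresh_calls += 1
        return self.access_token


def fake_token_endpoint(url, form):
    """Constructed stand-in for Google's token endpoint so the block runs offline."""
    if url != TOKEN_ENDPOINT or form.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    if form.get("refresh_token") != "rt-valid":
        return {"error": "invalid_grant"}
    fake_token_endpoint.calls += 1
    return {"access_token": f"at-{fake_token_endpoint.calls}", "expires_in": 3600, "token_type": "Bearer"}


fake_token_endpoint.calls = 0
```

The point the answer makes carries over: the flow is the same for a user account as for any OAuth client, only the owner of the uploaded videos differs, and the "no interaction" requirement is met by refreshing tokens, not by skipping the consent step.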
I've got a company web app. I have integrated it without many problems with Twitter.
This means, when a staff member of our company creates a new product, it posts onto the company's profile on the Twitter web site as well.
However, Facebook is another story. Facebook encourages registrants to sign up as "individuals".
For example, on the registration page:
- You are not allowed to put generic emails such as (support#company_email.com, sales#company_email.com)
- You may not have the first and last name as a company entity. For example Foo Distribution or Foo Inc
Their automated system simply rejects any clever attempts to register as a "non-individual". With Twitter, it was a breeze, since Twitter allows / encourages companies to register an account with them directly, and not as individuals.
Moving along on Facebook, I found out that I can create a 'page', which I can use for the company. It has the option of allowing other "individuals" to be admins of the page. However, this would mean that each staff member would need a Facebook account.
I don't really like this approach, since some of our staff may be negligent with their Facebook passwords. I'd rather have our web app have one 'method' of accessing Facebook's API instead, the way it is done with Twitter.
How else would you go about this?
I'd make yourself the admin of the page, install an app that you develop, and then let your users make posts to the page through that app. This way, you're controlling access to the page while letting your users still have access to it.
You'll need to use an offline_access-enabled access token for this to work continuously (permissions documentation), and if that token changes, you'll have to log in yourself and refresh that token (it can change when you change your password or uninstall/reinstall the app). Additionally you'll need a manage_pages permission, and you'll need to use the access_token for your page that you can find in /me/accounts to make posts to the page.
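The pattern the answer describes, as an added example that is not part of the original answer: the web app holds the admin's token and the Page access token server-side, staff post through the app under the app's own role checks, and no staff member needs a Facebook account. The Graph API paths (`/me/accounts`, `/{page-id}/feed`) are the ones named above; the HTTP transport is injected so the block runs offline against a constructed stand-in, and all ids, names and token values are constructed.

```python
"""Server-side broker that posts to a Facebook Page for staff (constructed example)."""


class PagePostBroker:
    def __init__(self, admin_user_token, page_name, http, allowed_roles=("marketing", "admin")):
        self.admin_user_token = admin_user_token   # the page admin's own token; never sent to browsers
        self.page_name = page_name
        self.http = http                           # callable(method, path, params) -> dict
        self.allowed_roles = set(allowed_roles)    # the web app's own roles decide who may post
        self.page_id = None
        self.page_token = None
        self.audit = []                            # (user, outcome, detail) for later review

    def load_page_token(self):
        """Exchange the admin's user token for the Page's own access token via
        /me/accounts, selecting the page by name."""
        accounts = self.http("GET", "/me/accounts", {"access_token": self.admin_user_token})
        if "error" in accounts:
            # Typical after a password change or app reinstall, as the answer notes:
            # the admin must log in again and the stored token must be replaced.
            raise RuntimeError(f"admin token rejected: {accounts['error'].get('message')}")
        for page in accounts.get("data", []):
            if page.get("name") == self.page_name:
                self.page_id, self.page_token = page["id"], page["access_token"]
                return
        raise LookupError(f"{self.page_name!r} is not among the pages this admin manages")

    def post_product(self, staff_user, staff_role, message):
        """Post to the Page as the Page. Refuses users outside the allowed roles
        and records every attempt, granted or denied, in the audit log."""
        if staff_role not in self.allowed_roles:
            self.audit.append((staff_user, "denied", message))
            raise PermissionError(f"{staff_user} ({staff_role}) may not post to the page")
        if self.page_token is None:
            self.load_page_token()
        result = self.http("POST", f"/{self.page_id}/feed",
                           {"message": message, "access_token": self.page_token})
        if "error" in result:
            self.audit.append((staff_user, "failed", result["error"].get("message")))
            raise RuntimeError(f"post failed: {result['error'].get('message')}")
        self.audit.append((staff_user, "posted", result["id"]))
        return result["id"]


def fake_graph(method, path, params):
    """Constructed stand-in for the two Graph API calls the broker makes."""
    if method == "GET" and path == "/me/accounts" and params.get("access_token") == "user-tok":
        return {"data": [{"id": "1001", "name": "Foo Distribution", "access_token": "page-tok-1001"}]}
    if method == "POST" and path == "/1001/feed" and params.get("access_token") == "page-tok-1001":
        return {"id": "1001_" + str(len(params["message"]))}
    return {"error": {"message": "Invalid OAuth access token.", "code": 190}}
```

Facebook has since removed the offline_access permission mentioned above; the Page token obtained from /me/accounts with a long-lived user token is what keeps unattended posting working today, and the broker layout above is unchanged by that.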