I’m working on an app that will be deployed to a fleet of corporate Windows laptops that are bound to Active Directory. Part of the app would need to allow the user to access the company's intranet URL. Would it be at all possible to automatically authenticate that user for their intranet without forcing another login? They've already logged into their AD account when logging into the laptop, so I want to avoid it if possible. I've searched and haven't been able to find any information that covers this case.
Depending on your security strictness, the username package could be a good fit for you.
At work we have developed an individual, customer-specific software application that has been in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and log in through our program. For Microsoft and Gmail accounts OAuth is implemented, and something here is not very clear.
For the Gmail API we have made an OAuth client and consent screen on Google Cloud Console, which we need to publish and verify, and here is where the problems start. I am not very clear on the whole process of verifying the app.
In the steps for verifying, it is stated that we should verify a domain for the app, but this software is not hosted anywhere on the internet and is not publicly available; it is available to a number of specific users (2000-3000).
Also, Google requires a YouTube video of the software to be publicly available, which we are not able to upload because of customer requirements. Also, a Data Protection Policy page for the application is required, which we as developers don't have because we are only developing the software.
Another thing that is not clear to me: how is this type of software rated by Google, internal or public?
Does anyone have experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email, so you are using the users.messages.send method from the Gmail API. This uses a restricted scope, which means you will need to go through the full process.
First of all, it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via Google Search Console. So this app will need a domain.
Once that is done you will be able to host your website, and the privacy policy on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third-party security checkup of your application, which is not free and will need to be done once a year.
All of this is needed because of your consent screen; it doesn't matter if it's hosted anywhere. It also doesn't matter if this is only available to a specific number of users.
If all of the users are part of a single Google Workspace account that has created your client ID and client secret, then you can set the app to internal and you won't need to be verified. This only works for Google Workspace domain accounts.
I have a WPF application that uses Azure AD with OpenID to authenticate users, and the WPF application then uses the refresh_token to renew the access_token and uses that access_token to call our protected API.
I now want to create a SPA. Is it possible to get SSO working between these two applications, so that if the user is signed in on the WPF application they will automatically be signed in on the SPA application as well, without the need to re-enter any credentials?
Absolutely, it will work, you just have to configure 2 applications. Actually it's what OAuth is used for.
The answer depends a little on how you have implemented things. In both cases the 2 apps will each do a redirect to sign the user in, and you need 2 different OAuth client registrations, as agua from mars says ...
OPTION 1 (PREFERRED) - DESKTOP APP USES SYSTEM BROWSER
This will enable SSO to work due to a shared Identity Provider cookie. Password autofill for one app will also work for the other app, so that re-logging in is not too painful. However, the login UX is a little strange, since the user has to switch to the browser to sign in.
OPTION 2 - DESKTOP APP USES WEB VIEW
This is easier to code but can be more problematic in Login UX terms, since the web view acts as a private browser session, which may require the user to sign in again. Also password autofill may work less well.
ONLINE DEMO
To see both cases working together you could run both samples from my Online Quick Start Page. You can run the SPA from an online URL, but the desktop app is NodeJS based and needs to be run from your PC.
You will see that after logging into one of them, there is a redirect when starting the other, but authentication will be automatic.
So I was following the below (classic) tutorial for spring boot with facebook:
https://spring.io/guides/tutorials/spring-boot-oauth2/
Everything is working fine, however I can't find documentation to help me implement my specific use case. So here it goes:
I'll have two facebook apps: one for the owner and another for the regular user
These two facebook apps will ask for different permissions (e.g. the owner app will ask for permission to post on the fan page, and the regular user app will only ask for basic user info)
There will be two real applications, one being mobile (iOS and Android) and the other a browser-based application (that's not really relevant)
The REST API will be secured based on roles, meaning that the owner will have the OWNER role and the regular user will have the REGULAR_USER role, so that, for example, the regular user won't be able to call the API to post on the fan page
Both applications will make it possible to log in with or without facebook, because I need a users table to store more information and so on
Eventually a regular user can log in as owner if he/she downloads the owner app
So, to summarize, I need:
Two facebook apps to be backed by same spring boot application
The ability to authorize a user with APP ID X and assign the OWNER role, and the ability to authorize a user with APP ID Y and assign the REGULAR_USER role
To be able to configure (in the YML) two different facebook apps
The user to be able to merge an existing account with facebook if he authorizes later on
I guess that's it. I'll edit later if I find more useful information to provide.
Thanks!
There is Dave Syer's project that shows how to set up an Authorization Server and multiple Resource Servers in the same app.
Similar question with solution: OAuth2 SSO for multiple resource servers with spring boot and jHipster
Previously, my installed application (desktop application) was using gdata-java-client with the ClientLogin mechanism for users to access Google services.
In order to provide a seamless experience, the desktop application stores the user's previously entered username and password in encrypted form. Whenever they wish to access a Google service, the desktop application automatically fills in the username + password information for them (even after the application restarts). Users just need a single button click to access the Google service.
The login code is as follows: http://jstock.hg.sourceforge.net/hgweb/jstock/jstock/file/808b03e824bf/src/org/yccheok/jstock/gui/Utils.java#l1520
I plan to migrate the code to google-api-java-client and use OAuth 2.0. Since my desktop application has no control over the username and password users enter, users will be prompted with the following window every time they wish to use a Google service.
The user flow doesn't seem seamless any more, as users need to deal with the browser window every time the application restarts. Is there any way for my desktop application to remember their login information, so that they need not respond to the browser window every time the application restarts?
Great question. Yes, we are working on this right now. The feature request is here, and the changeset under review is here. Our plan is to make it available in the next version, 1.11.0-beta, some time in July. For now, feel free to patch FileCredentialStore from the changeset into your application and try it out. More documentation about the OAuth 2.0 support in the Java client library can be found here (which will be updated for 1.11.0-beta with information about FileCredentialStore).
Take a look at https://developers.google.com/accounts/docs/OAuth2InstalledApp. This is a general guide for your type of application - installed on the client machine.
They tell you: These applications, in general, cannot keep secrets. But if you already store users' credentials, will it really change anything for you?
Coming from over a decade of web applications where cookie/session is the only form of auth technology, I wonder what I could use to build, if it does not already exist, a re-usable authentication layer for an iOS application.
Something that I could plug in and switch on/off for my next applications.
I am not talking about a strict security mechanism, but at least a module which would allow having different users, where they can play with the application and apply local changes to it. At application start-up, the user would be prompted to enter a username and password, then throughout the application lifecycle the user is 'remembered', and then forgotten at app shutdown.
The module could perform several kinds of authentication. The simplest mechanism I would like to start with is username and password stored in the app, but I would like to extend it in the future by adding authentication through a central server, or a web service, or whatever is possible with it.
thanks
Mac OS X and iOS Secure Coding Guide