Read Custom Header from https request redirected to IBM BPM 8.5.7

I am routing the IBM BPM Process Portal URL from a custom portal. When I log in to the custom portal, it stores the user ID and password in a custom HTTP header.
IBM BPM Process Portal is not able to understand the custom HTTP header and shows the login page to authenticate the user again.
Is it possible to read a custom HTTP header in Process Portal in IBM BPM Std 8.5.7, so it will work like SSO?
Please suggest.
Thanks.

This is not so much a "portal" problem as a "WebSphere" problem. The WebSphere container is in charge of authenticating the user. That is, when a request comes in to an IBM BPM URL, the BPM code asks WebSphere "Hey, is this request authenticated?" If the answer is yes, it allows the user to get to the URL. If the answer is no, it does whatever WebSphere has been told is the right next action for an unauthenticated user request.
What you really need is a "Trust Authentication Interceptor" or TAI. This is a piece of software you add to WebSphere that can use a different mechanism from the standard login page to authenticate the user to the WAS container. If the other software is using a standard SSO technology then it may be that the software creator already has a TAI you can install. If it is a "roll your own" solution, someone needs to write one.
You can easily find many articles from IBM on how to write a TAI. Here is an IBM Redbook I found that touches on the topic.
-AP
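The following is an added example of the "roll your own" TAI described in the answer above; it is not IBM's code and not code from the original thread. It implements WebSphere's TrustAssociationInterceptor interface (com.ibm.wsspi.security.tai) and, rather than trusting a header that carries the user's password in the clear as the question describes, it accepts a short-lived assertion that the custom portal signs with a key shared with the interceptor. The header name X-Portal-Assertion, its format userId:expiryEpochSeconds:hexHmacSha256, and the custom property portal.sharedKey are assumptions made for this example.

```java
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Properties;

/**
 * Example TAI (not IBM code): establishes the caller's identity from a signed assertion
 * issued by the custom portal instead of a header that carries the password in the clear.
 * Assumed header: X-Portal-Assertion: <userId>:<expiryEpochSeconds>:<hex HMAC-SHA256>,
 * where the HMAC covers "<userId>:<expiryEpochSeconds>" under the shared key.
 */
public class PortalAssertionTAI implements TrustAssociationInterceptor {

    static final String HEADER = "X-Portal-Assertion";   // assumed header name
    static final long MAX_CLOCK_SKEW_SECONDS = 60;

    private byte[] sharedKey;

    /** Called once by WebSphere with the custom properties configured for this TAI. */
    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String key = props.getProperty("portal.sharedKey");   // assumed property name
        if (key == null || key.length() < 32) {
            throw new WebTrustAssociationFailedException("portal.sharedKey missing or shorter than 32 characters");
        }
        sharedKey = key.getBytes(StandardCharsets.UTF_8);
        return 0;
    }

    /** Claim only requests that carry the header; all others fall through to the normal WAS login. */
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(HEADER) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String userId = verify(req.getHeader(HEADER), System.currentTimeMillis() / 1000);
        if (userId == null) {
            // A bad or expired assertion is rejected outright rather than treated as anonymous.
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // WebSphere looks this principal up in its configured user registry to build the Subject.
        return TAIResult.create(HttpServletResponse.SC_OK, userId);
    }

    /**
     * Returns the asserted user id when the signature matches and the assertion has not expired
     * (allowing a small clock skew); returns null for anything else.
     */
    String verify(String assertion, long nowEpochSeconds) {
        if (assertion == null) return null;
        String[] parts = assertion.split(":", 3);
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiry + MAX_CLOCK_SKEW_SECONDS < nowEpochSeconds) return null;   // old header replayed
        byte[] presented = hexToBytes(parts[2]);
        if (presented == null) return null;
        byte[] expected = hmacSha256(parts[0] + ":" + parts[1]);
        // Constant-time comparison so a forged tag cannot be guessed byte by byte.
        return MessageDigest.isEqual(expected, presented) ? parts[0] : null;
    }

    private byte[] hmacSha256(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { sharedKey = null; }
}
```

The class is packaged as a jar on the WebSphere classpath and registered under Global security > Web and SIP security > Trust association, with the shared key supplied as a custom property. Two deployment checks matter for a scheme like this: the portal-to-BPM hop must run over TLS, and the reverse proxy or web server in front of WebSphere must drop any X-Portal-Assertion header that arrives directly from a browser, so that only the portal can present one. Because isTargetInterceptor returns false when the header is absent, users who reach Process Portal without going through the custom portal still get the standard login page.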


Gmail API OAUTH2 verify Desktop application

At work we have developed an individual, customer-specific software application that has been in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and log in through our program. For Microsoft and Gmail accounts OAuth is implemented, and something here is not very clear.
For the Gmail API we have made an OAuth client and consent screen on the Google Cloud Console, which we need to publish and verify, and here is where the problems start. I am not very clear on the whole process of verifying the app.
In the steps for verifying it is stated that we should verify a domain for the app, but this software is not hosted anywhere on the internet and is not publicly available; it is available to a number of specific users (2000-3000).
Also, Google requires a YouTube video of the software to be publicly available, which we are not able to upload because of customer requirements. Also required here is a Data Protection Policy page for the application, which we as developers don't have because we are only developing the software.
Another thing that is not clear to me is how this type of software is rated by Google, internal or public?
Does anyone have experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting from the users.
In your case you are trying to send an email, so you are using the users.messages.send method from the Gmail API. This uses a restricted scope, which means you will need to go through the full process.
First off, it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via Google Search Console, so this app will need a domain.
Once that is done you will be able to host your website, and the privacy policy, on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third-party security checkup of your application, which is not free and will need to be done once a year.
All of this is needed because of your consent screen; it doesn't matter if it's hosted anywhere, and it also doesn't matter if it is only available to a specific number of users.
If all of the users are part of a single Google Workspace account, and that account has created your client ID and client secret, then you can set the app to internal and you won't need to be verified. This only works for Google Workspace domain accounts.

How to use Luis.ai Auth Settings

Can anyone provide a URL or tutorial to help with setting up the Auth Settings tab in Luis.ai? I am building a tool that allows anyone without coding experience to create a chat bot exclusively based on Luis.ai and its Cognitive Services API. I could ask users to provide their app ID and subscription ID, but I would rather have an OAuth login so they wouldn't have to share those keys with my service.
I asked Microsoft through their support over a week ago, and no response. I am just trying to understand if OAuth configuration is possible and how. Any insight would be much appreciated.
Spoke with Microsoft, and currently the ability to share the service without divulging the subscription key is not available; however, if you visit this Microsoft URL and vote for the feature, they will consider it.
https://cognitive.uservoice.com/forums/551524-luis/suggestions/15365835-sharing-luis-applications
It is currently under review for implementation.

Changed domain error - OpenId auth request contains an unregistered domain

I set up a project on my main domain example.com and then moved it to a subdomain sub.example.com.
Now when I try to use the same project (default ASP.NET MVC, or on my Discourse forum) with OpenID and click on the Google button to log in with my Google account, it throws the following error:
That’s an error.
OpenID auth request contains an unregistered domain: http://sub.example.com
I have tried Googling that message but apparently I am one of the first four people to see it. Any ideas here?
According to this page,
Google closed registration to new OpenID 2.0 clients in May 2014 and will be shutting down the OpenID 2.0 service in April 2015.
The reason why some hosts work and some don't is that although Google isn't adding new hosts, you can still use the ones that are already registered.
UPDATE:
Some people have asked for a simple explanation of how to fix this, or otherwise how to proceed.
Basically, you now have 2 options.
Use OAuth 2.0 (instead of OpenID protocols and older versions of OAuth)
or
Use Google+ login (which Google tried to "push" you towards)
For more details check the migration guide:
https://developers.google.com/+/api/auth-migration#userinfo
I would like to add some context to this thread, together with a potential solution for developers who are currently blocked.
Back in February we announced the deprecation of OpenID 2.0 (OID2), scheduled for April 2015. We also announced that new OID2 relying party (RP) registrations† would no longer be accepted after April 2014.
Given that the API will be shut down in less than a year's time, our intention is to avoid having new RPs integrate with Google's OID2 API. Instead, we suggest using our OpenID Connect API, which we consider more secure and easier to implement.
Registrations were effectively closed on May 19th (as documented in Google's OID2 developer documentation). All RPs already using OID2 should not be affected by the closure.
As for developers currently working on an integration with our OID2 API (presumably because they missed the announcement and warnings in our OID2 documentation), we will do our best to minimize the friction caused by the registration closure. If you are in such a situation, please let us know by posting a registration request before June 15th. The post should contain a sample OID2 request used by your application; if you prefer not to disclose such information, please post an email address and we will reach out. We plan to look into each case and try to get you unblocked in the best possible way.
† OID2 does not have a registration procedure for RPs integrating with an identity provider. RPs are associated with the realm value (e.g., www.example.com) used when contacting the Google OID2 API. Thus, an RP is considered "registered" if its realm value has been used to contact our OID2 API.
You can easily change to OAuth 2; this article shows you how to register your app with Google and add the key to MVC. Scroll down to: "Creating a Google app for OAuth 2 and connecting the app to the project."
And you may need to add the Microsoft.Owin.Security.Google package via NuGet.
I had the identical problem, but when using nodejs / expressjs.
I migrated my code using the code at the URL below and fixed that issue.
Passport strategies for authenticating with Google using OAuth 1.0a and OAuth 2.0:
https://github.com/jaredhanson/passport-google-oauth
The sub-domains that fail are those that had never seen any user requests before. As per https://developers.google.com/+/api/auth-migration#timetable, Google is not allowing new domains in the OpenID2 API.
I have this exact problem; we use Google's login to run a platform, and it's a brand new problem.
A few things I have discovered, if this helps:
Full domains trying to use OpenID never fail: www.example.org and www.example2.com are not having this problem.
Subdomains on the platform have this problem sometimes, but the same subdomains always fail and the others always work.
It started around Monday and is still happening now.
Take a deep breath and just change the Startup.Auth.cs file from
app.UseGoogleAuthentication();
to
app.UseGoogleAuthentication(
clientId: "000-000.apps.googleusercontent.com",
clientSecret: "00000000000");
Refer to the http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on page.

Improve login experience by using google-api-java-client + OAuth 2.0 (Installed Application)

Previously, my installed application (desktop application) was using gdata-java-client with the ClientLogin mechanism for users to access Google services.
In order to provide a seamless experience, the desktop application stores the user's previously entered username and password in encrypted form. Whenever they wish to access a Google service, the desktop application automatically fills in the username + password information for them (even after the application restarts). Users just need a single button click to access the Google service.
The login code is as follows: http://jstock.hg.sourceforge.net/hgweb/jstock/jstock/file/808b03e824bf/src/org/yccheok/jstock/gui/Utils.java#l1520
I plan to migrate the code to google-api-java-client and use OAuth 2.0. Since my desktop application has no control over the username and password users enter, users will be prompted with the following window every time they wish to use a Google service.
The user flow doesn't seem seamless anymore, as users need to deal with the browser window every time after the application restarts. Is there any way for my desktop application to remember their login information, so that they need not respond to the browser window every time the application restarts?
Great question. Yes, we are working on this right now. The feature request is here, and the changeset under review is here. Our plan is to make it available in the next version, 1.11.0-beta, some time in July. For now, feel free to patch FileCredentialStore from the changeset into your application and try it out. More documentation about the OAuth 2.0 support in the Java client library can be found here (which will be updated for 1.11.0-beta with information about FileCredentialStore).
Take a look at https://developers.google.com/accounts/docs/OAuth2InstalledApp. This is a general guide for your type of application: installed on the client machine.
They tell you: These applications, in general, cannot keep secrets. But if you already store users' credentials, will it really change something for you?
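As an added example of the persisted-credential flow the answers describe (not JStock's code, not Google's sample, and not part of the original thread): the class below runs the OAuth 2.0 installed-application flow with google-api-java-client once, stores the resulting refresh token on disk, and on every later start loads it silently so the browser consent window is not shown again. It uses FileDataStoreFactory, the data-store API that later versions of the library introduced as the successor to the FileCredentialStore mentioned above. The classpath resource /client_secrets.json, the Drive scope, the ~/.myapp/google-tokens directory and the class name are assumptions made for this example; the Gson JSON factory and the Jetty LocalServerReceiver come from the google-http-client-gson and google-oauth-client-jetty artifacts.

```java
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.UrlEncodedContent;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.store.FileDataStoreFactory;

import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;

/** Example (not the project's code): one-time browser consent, silent reuse on later starts. */
public class PersistentGoogleAuth {

    // Assumed: the client_secrets.json downloaded from the API console sits on the classpath.
    private static final String CLIENT_SECRETS_RESOURCE = "/client_secrets.json";
    // Assumed scope; use the scope of the Google service the application actually calls.
    private static final List<String> SCOPES =
            Collections.singletonList("https://www.googleapis.com/auth/drive.file");
    // Assumed token location. FileDataStoreFactory restricts the directory to owner-only
    // permissions where the platform supports it, so other local users cannot read the tokens.
    private static final File TOKEN_DIR =
            new File(System.getProperty("user.home"), ".myapp/google-tokens");

    private final NetHttpTransport transport;
    private final GoogleAuthorizationCodeFlow flow;

    public PersistentGoogleAuth() throws IOException, GeneralSecurityException {
        transport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory json = GsonFactory.getDefaultInstance();
        GoogleClientSecrets secrets = GoogleClientSecrets.load(json, new InputStreamReader(
                PersistentGoogleAuth.class.getResourceAsStream(CLIENT_SECRETS_RESOURCE), StandardCharsets.UTF_8));
        flow = new GoogleAuthorizationCodeFlow.Builder(transport, json, secrets, SCOPES)
                .setDataStoreFactory(new FileDataStoreFactory(TOKEN_DIR))
                .setAccessType("offline")   // request a refresh token so the grant survives restarts
                .build();
    }

    /**
     * Returns a usable Credential for the given local profile name. The browser consent window
     * appears only when nothing is stored for that name (first run, or after forget()); otherwise
     * the stored refresh token is used and the user sees nothing.
     */
    public Credential authorize(String localUserId) throws IOException {
        return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver()).authorize(localUserId);
    }

    /** True when a credential is already on disk, i.e. the next authorize() will be silent. */
    public boolean hasStoredCredential(String localUserId) throws IOException {
        return flow.loadCredential(localUserId) != null;
    }

    /**
     * "Log out": revoke the grant at Google so the refresh token is useless even if the file
     * leaks later, then delete the local copy so the next authorize() asks for consent again.
     */
    public void forget(String localUserId) throws IOException {
        Credential stored = flow.loadCredential(localUserId);
        if (stored != null) {
            String token = stored.getRefreshToken() != null ? stored.getRefreshToken() : stored.getAccessToken();
            if (token != null) {
                transport.createRequestFactory()
                        .buildPostRequest(new GenericUrl("https://oauth2.googleapis.com/revoke"),
                                new UrlEncodedContent(Collections.singletonMap("token", token)))
                        .execute().disconnect();
            }
        }
        flow.getCredentialDataStore().delete(localUserId);
    }
}
```

The point the questioner raised, that the application cannot keep a client secret, does not change with this design: the client_secrets.json is still recoverable from the installed program, which is why Google's installed-app guidance treats it as non-confidential. What the stored refresh token buys is that the user's Google password never touches the desktop application at all, and forget() lets the user cut off the grant without changing that password.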

How to logout from Relying Party?

I am using DotNetOpenId for login.
I log in to my application by using a DotNetOpenId provider, suppose Google.
At the time of logout I am ending my application user's session with FormsAuthentication.SignOut(); but if I do not close the browser and log in using Google, it will not ask me for an ID and password and lands me on a secured page of my application.
Also, if I try gmail.com, it will directly land me in my user account without asking for an ID and password.
So how could I log out completely from my application and Google too?
Thanks in advance.
I think you are confusing the Relying Party with the OpenID Provider. Using StackOverflow as an example, SO is the Relying Party and other sites (e.g. Google) are the OpenID Provider(s).
The Relying Party (e.g. SO) has no say in when the OpenID Provider (e.g. Google) chooses to "forget" the user for their own purposes.
EDIT: I was not familiar with the PAPE extension. However, if I understand correctly, it does not provide a way for the RP to say to the OP, "On your end, forget this user's authentication", which is what I think rehan wants. It just provides a way for the RP to demand another authentication for the RP's purposes.
I still see no way for (e.g.) SO to log a Google user out of Gmail after SO logs them out.
It sounds like what you're looking for is a Logout feature that will allow the relying party to also log the user out of the Provider at the same time.
DotNetOpenId doesn't offer this feature because OpenID itself doesn't have this feature in its spec. There's simply no way to do it right now. The OpenID community have had conversations about spec'ing out such a feature, but so far it's not there. If and when OpenID adds such a feature to its spec, DotNetOpenId will add support for it.
I had the same issue, so I tried this: when I logged out of my website, which uses DotNetOpenId, I also made a call to the following Gmail logout link: https://mail.google.com/mail/?logout&hl=en. This logged me out of Gmail also.
Try this one: https://www.google.com/accounts/Logout
