Alexa keeps asking for account linking - spring-security

I've got an Alexa skill configured with Auth Code Grant account linking.
After the user token expires, Alexa asks again for account linking and, as far as I understand from all the setup, Alexa should renew the token from my OAuth server.
Any ideas would help.
Thanks


How to programmatically request a OIDC IDToken via a Google Workspace application-specific password?

How can I use a Google Workspace (G Suite) user's application-specific password to sign into Google's OIDC (OpenID Connect) auth endpoint and request an OIDC ID Token for that user?
Background:
Google turned off support for programmatic password-based authentication to gsuite and Google Workspace saying:
“Blocking sign-ins from less secure apps helps keep accounts safe. For these reasons, Google is limiting password-based programmatic sign-ins to Google Accounts.” Google: Control access to less secure apps
As an alternative to LSA (Less Secure Apps) Google suggests that apps can use "application specific passwords" to programmatically authenticate to Google.
An app password is a 16-digit passcode that gives a non-Google app or device permission to access your Google Account. To help keep your account secure, use 'Sign in with Google' to connect apps to your Google Account. If the app that you’re using doesn’t offer this option, you can either: Use app passwords to connect to your Google Account ... Gmail: Sign in using app passwords.
Google recommends using an App Password as one solution for applications that require programmatic sign-ins to Google accounts:
Can’t use an app with my Google Account: Use an App Password Google: Less secure apps & your Google Account
This clearly indicates that Google intends for applications to programmatically sign into Google Accounts using app passwords but forbids programmatic access with regular passwords. I can find no documentation on how to do this.
My question is: how can I use a user's app password to sign into Google's OIDC (OpenID Connect) auth endpoint and request an OIDC ID Token for that user?
I can find examples of this being done for Google Workspace SMTP to access email. For instance, Google only allows nodemailer to programmatically access Gmail via the SMTP protocol using an app password. This however does not help me because SMTP, being an email transfer protocol, cannot issue OIDC ID Tokens.
Out of scope answers:
This is not a question asking how to create GCP service accounts and use domain wide delegation to enable them to impersonate a Google Workspaces user and thereby request an OIDC ID Token for that user.
It is not a question asking how to create an OIDC confidential client and then give that OIDC confidential client access to your Google account to request an ID Token.
I am not looking for these answers.

I am stuck on account linking for my custom Alexa skill

Currently, I am working on linking my Alexa skill with my website. I'm stuck. I've followed YouTube tutorials and looked at the documentation. I basically want users to click on the account linking button, be taken to a login page and then have that authorize the users with their own private data. Do I need to create an OAuth server? Is there anybody I can talk to who has already done something like this? I created an HTML page to log users in using an API call but I haven't gotten any further. Any help is appreciated.
There are two questions that you asked here. Addressing them consecutively:
Do you need an OAuth server for account linking? --> Yes. You either create your own authorization server which uses OAuth 2.0 or you can rent it from providers. There are various OAuth server providers like Auth0, Okta etc.
If you have created an HTML page for login, then it needs to connect with your auth server in the backend and you need an API to do that as well as connect with the LWA server to complete account linking with Alexa.
The auth server will basically generate an auth code upon authenticating the user and subsequently it will generate an access token. Both these URLs must be mentioned in the Amazon Alexa developer console.
Then you need to make the calls to LWA to complete authentication with Amazon. This will generate an LWA auth code and subsequently an access token.
This LWA access token along with user auth code generated by your auth server will be used to enable the skill from your website.
Feel free to contact me if you have more queries! Good luck.
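The answer above describes the auth server's two jobs (issue an auth code after login, then exchange it for an access token), and the first question on this page is about what happens when that access token expires. The following is an added example, not the answerer's code and not Alexa, LWA or Spring Security code: an in-memory stand-in for "your auth server" that implements the token endpoint Alexa calls, with both the authorization_code grant and the refresh_token grant that lets Alexa renew the token without asking the user to relink. The class and method names (AuthServer, issue_code, token_endpoint), the lifetimes and the redirect URI are assumptions.

```python
"""Authorization-code grant issuer with refresh tokens (constructed example).

Added, in-memory stand-in for "your auth server" in the answer above; not
Alexa, LWA or Spring Security code. Names (AuthServer, issue_code,
token_endpoint) and the constants are assumptions. It shows the two grants
Alexa account linking relies on at the access-token URL: authorization_code
(one-time code -> access + refresh token) and refresh_token (renewal).
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 3600   # seconds; returned as expires_in so the client knows when to refresh
CODE_TTL = 60       # authorization codes are short-lived and single-use


@dataclass
class AuthServer:
    client_id: str
    client_secret: str
    redirect_uri: str
    _codes: dict = field(default_factory=dict)    # code -> (user, redirect_uri, expires_at)
    _refresh: dict = field(default_factory=dict)  # refresh_token -> user

    def issue_code(self, user: str, client_id: str, redirect_uri: str, now=None) -> str:
        """Authorization step: after the user logs in, mint a code bound to the
        registered client and the exact redirect_uri that must be echoed back."""
        now = time.time() if now is None else now
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise ValueError("unknown client_id or redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, redirect_uri, now + CODE_TTL)
        return code

    def _client_ok(self, form: dict) -> bool:
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        return form.get("client_id") == self.client_id and hmac.compare_digest(
            form.get("client_secret", ""), self.client_secret)

    def _mint(self, user: str) -> dict:
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = user
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TTL, "refresh_token": refresh_token}

    def token_endpoint(self, form: dict, now=None) -> dict:
        """The single access-token URL entered in the skill's account-linking
        settings; dispatches on grant_type and returns OAuth 2.0 style JSON."""
        now = time.time() if now is None else now
        if not self._client_ok(form):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self._codes.pop(form.get("code"), None)  # pop: a code can be used once
            if entry is None:
                return {"error": "invalid_grant"}
            user, redirect_uri, expires_at = entry
            if now > expires_at or form.get("redirect_uri") != redirect_uri:
                return {"error": "invalid_grant"}
            return self._mint(user)
        if grant == "refresh_token":
            user = self._refresh.pop(form.get("refresh_token"), None)  # rotate on each use
            if user is None:
                return {"error": "invalid_grant"}
            return self._mint(user)
        return {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    # Constructed walk-through: link once, then renew without user interaction.
    srv = AuthServer("alexa-skill", "s3cret", "https://example.invalid/alexa/callback")
    code = srv.issue_code("alice", "alexa-skill", srv.redirect_uri)
    base = {"client_id": "alexa-skill", "client_secret": "s3cret", "redirect_uri": srv.redirect_uri}
    first = srv.token_endpoint({**base, "grant_type": "authorization_code", "code": code})
    renewed = srv.token_endpoint({**base, "grant_type": "refresh_token",
                                  "refresh_token": first["refresh_token"]})
    print("linked:", first["expires_in"], "s; renewed:", "access_token" in renewed)
```

If the token endpoint omits refresh_token or returns an error for the refresh_token grant, the client has no way to renew and must send the user back through linking once expires_in elapses, which is exactly the symptom in the first question on this page; checking the JSON returned for both grants is the first thing to verify.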

Using OAUTH to authenticate Salesforce customer users failing

I'm a bit of a salesforce / web noob, but am testing out the customer 360 external identity licences, along with customer users. My main goal is to authenticate a customer user using OAUTH, get an access token, then use the Salesforce web APIs to access some relevant bits of info for the customer user. However I just can't seem to figure out how to get the customer user authenticated despite being able to do the same just fine for my personal admin user account.
I have the following setup:
a bunch of external identity licences
a profile with the external identity user licence assigned, with the API enabled setting checked.
a connected app setup with relaxed IP restrictions set, all users may self authorize set, OAUTH settings enabled, device flow enabled, and the full access OAUTH scope selected.
an end customer contact with an associated end-customer user, assigned to the external identity profile and thus external identity user licence.
And I'm POSTing to the test token endpoint (https://test.salesforce.com/services/oauth2/token).
I've tried two auth flows, password and device flow for IoT, as I want to integrate this with a command line app (which the IoT flow is good for apparently), and while both succeed for my personal Salesforce user credentials, they both fail for my test user account credentials.
The server response for the password flow is as follows:
{
"error": "invalid_grant",
"error_description": "authentication failure"
}
End-customer users don't appear to have a security token so I've just been using the password on its own. I can't seem to find a way to generate a security token for these types of users but suspect this could be the issue for this flow.
When trying the device flow the returned verification URI is always https://test.salesforce.com/setup/connect, but attempting to log in on this page as the customer user fails with this error:
"Please check your username and password. If you still can't log in, contact your Salesforce administrator."
I am definitely providing the correct customer user credentials here so have no idea why this fails.
Does anyone have any ideas on how to get this working?
#eyescream nudged me in the right direction so here's the solution for anyone in the same position as me.
Authentication of external identity customer users is not done using the normal OAuth REST endpoints (https://test.salesforce.com/services/oauth2/token or https://login.salesforce.com/services/oauth2/token).
Instead you have to set up an Experience Cloud site, add your customer user profile to the site's list of member profiles, then authenticate using a site-specific auth endpoint.
For example, if your experience cloud URL is https://sandboxname-companyname.instanceid.force.com, then your OAUTH token endpoint would be at:
https://sandboxname-companyname.instanceid.force.com/services/oauth2/token
Extra things to note:
customer user accounts cannot authenticate using the username-password flow.
the device flow for IoT (or command line apps) will return a verification URL that customer users cannot log in to (https://test.salesforce.com/setup/connect). You can instead use the experience site connect URL (https://sandboxname-companyname.instanceid.force.com/sitename/setup/connect)
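The self-answer above fixes the endpoint, but the device flow it uses for the command line app has its own protocol details (polling interval, slow_down, expiry) that decide whether the client ends up with a token. The following is an added example, not the poster's code and not Salesforce's: a simulated device authorization grant (RFC 8628) in which DeviceAuthServer stands in for the site-specific /services/oauth2/token endpoint, SITE is the answer's placeholder host, approve() plays the customer user signing in at the verification URL, and run_device_client is the command line side with a simulated clock. The error strings follow RFC 8628 section 3.5; everything else is an assumption.

```python
"""Device authorization grant (RFC 8628) against a simulated site token endpoint.

Constructed example, not Salesforce's own code: DeviceAuthServer stands in for
the Experience Cloud site's /services/oauth2/token endpoint from the answer
above, SITE is the answer's placeholder host, and approve() plays the part of
the customer user logging in at the verification URL. Error codes follow
RFC 8628 section 3.5 (authorization_pending, slow_down, expired_token).
"""
import secrets
import time
from dataclasses import dataclass, field

SITE = "https://sandboxname-companyname.instanceid.force.com"  # placeholder from the answer
DEVICE_CODE_TTL = 600   # seconds the user has to approve
INTERVAL = 5            # minimum seconds between polls


@dataclass
class DeviceAuthServer:
    _pending: dict = field(default_factory=dict)  # device_code -> request record

    def start(self, client_id: str, now=None) -> dict:
        """Device authorization request: issue device_code, user_code and where to go."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self._pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                      "approved_by": None, "expires_at": now + DEVICE_CODE_TTL,
                                      "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": f"{SITE}/sitename/setup/connect",
                "interval": INTERVAL, "expires_in": DEVICE_CODE_TTL}

    def approve(self, user_code: str, username: str) -> bool:
        """Browser side: the customer user signs in on the site and enters user_code."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = username
                return True
        return False

    def poll(self, device_code: str, client_id: str, now=None) -> dict:
        """grant_type=urn:ietf:params:oauth:grant-type:device_code polling request."""
        now = time.time() if now is None else now
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        last, rec["last_poll"] = rec["last_poll"], now
        if last is not None and now - last < INTERVAL:
            return {"error": "slow_down"}   # client must add 5 s to its interval
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]     # device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "username": rec["approved_by"]}


def run_device_client(server, client_id, user_action, clock_start=0, max_wait=60) -> dict:
    """Command-line side with a simulated clock: show the code, poll at the server's
    interval, back off on slow_down, stop on any other error or after max_wait."""
    now = clock_start
    resp = server.start(client_id, now=now)
    interval = resp["interval"]
    print(f"Visit {resp['verification_uri']} and enter code {resp['user_code']}")
    while now - clock_start <= max_wait:
        now += interval                       # stands in for time.sleep(interval)
        user_action(now, resp["user_code"])   # the user may approve in the browser meanwhile
        r = server.poll(resp["device_code"], client_id, now=now)
        if "access_token" in r:
            return r
        if r["error"] == "slow_down":
            interval += 5
        elif r["error"] != "authorization_pending":
            return r
    return {"error": "timeout"}


if __name__ == "__main__":
    srv = DeviceAuthServer()
    # Constructed user: approves in the browser 12 simulated seconds after the code is shown.
    approve = lambda now, uc: srv.approve(uc, "customer@example.invalid") if now >= 12 else None
    print(run_device_client(srv, "cli-app", approve))
```

The verification_uri the real endpoint returns is the one the customer user must be able to log in to; as the answer notes, for external identity users that is the site's connect URL rather than test.salesforce.com, and the client should show the user whatever URL the server sent rather than hard-coding one.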

Query for missing steps for Graph API call in accessing FB videos

I am working on the Graph API to get videos from a user's liked pages. I have read https://developers.facebook.com/docs/ and requested user_action.videos from Facebook. Now things become more confusing for me when I read about 1- OAuth Authentication, 2- temporary/long-lived access tokens and 3- test users as well.
1- As I believe, as per my reading, OAuth Authentication for the user is not required as it is done by the FB SDK automatically. Is that right, and if it's wrong, then how do I authenticate the user while using the FB login dialogue, as there is no URLRequest call in the latest FB SDK login button?
2- After login through the dialogue, I am getting an access token which is an expiring token, and to keep the user logged into my App, do I have to convert that expiring token to a long-lived token for 60 days every time the token is going to expire?
3- Is there any need to create a Test User in the Facebook developer portal? Does it have any role in development?
Any help would be greatly appreciated.

LinkedIN Way to prevent Linkedin Oauth expires after 60 days

I have a website where people can post blogs. I want the blogs to be automatically posted to a LinkedIn account connected to the website. So the person posting the blog is not the owner of the LinkedIn account.
I use the Sharing API from LinkedIn to do this, but this requires the administrator of the LinkedIn account to refresh the OAuth token every 60 days. I know this is a security thing to prevent illegal use of accounts. But in this case it's always my own LinkedIn account. Is there a way around this? Maybe by using the app key and secret instead of the access token?
The LinkedIn API docs (https://developer.linkedin.com/documents/handling-errors-invalid-tokens) say:
In the case the access token is already expired, your application will go through the same authorization flow as previously described. However, the login dialog will be shown to the user as they will need to grant access to your application again.
so there's no way around that. But what you could do is go through this flow before the access token has expired. The docs say:
Simply have your application go through the authorization flow in order to fetch a new access token with an additional 60 day life span. When the following conditions exist:
User is still logged into Linkedin.com
The current access token isn't expired (within the 60 day life span)
We will automatically redirect the user back to your redirect_uri without requiring them to reauthorize your application. If they don't exist, we'll prompt them to login and then redirect them.
