I am implementing DocuSign's OAuth flow by following their OAuth2 doc.
With demo developer account is it normal that only users specified in the Admin Dashboard are able to complete the OAuth flow?
I'm assuming so but no reference is made on the docs.
Re:
With demo developer account is it normal that only users specified in the Admin Dashboard are able to complete the OAuth flow?
Yes, that is normal. Perhaps you are thinking of Single Sign On (SSO). That feature uses OAuth too, and it includes dynamic account creation as needed.
The OAuth part is the same in either case. Without SSO, the users are first added via the web admin tool (or via the API). Then they can login.
If you want to use SSO, it must be set up by the DocuSign support team. Contact your sales rep to start the process.
I have a working integration with docusign, any docusign account should probably work. I have a demo app and I'm using a live docusign account to complete the Oauth flow. But anyway, have you done some test?
Related
I wanted to know if there is a way for a custom developed web app to tell if an Azure AD SSO also had MFA. Ultimately, I'm trying to block access to a website if there was no MFA during the SSO process. I would essentially be creating a multi-tenanted application. Their documentation doesn't offer anything in this regard, and I know that MFA status isn't available via Graph yet, so I can't check if the user even has it enabled or enforced yet. Thanks!
What tokens are your web app receiving? For example with JWT tokens the amr (authentication mechanism reference) claim can be checked for the MFA claim. See https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
It is possible to authorize some MS apps using OAuth and login form. If the user logins and allows the permissions the app wants then as a developer you can read (and write) some data via API.
Is it possible with https://botframework.com? I don't want my clients to have to write down the client_id and client_secret in my administration. I just want them to give me permission via logging in and let me download this data.
I've read MS docs about OAuth and have seen that the possible scopes doesn't include the bot platform.
To demonstrate what I mean here is a demo application from the docs.
I recommend you to check AuthBot.
AuthBot is a .Net library for Azure Active Directory authentication on
bots built via Microsoft Bot Framework.
In short, when using AuthBot, your users will receive a link that they will open and perform the OAuth flow. The users won't have to write the credentials in the bot (which could be a security concern) and instead will be done in the MS login page. Then a callback (already provided by the library) will be called and the conversation with the user will be resumed.
You can also check AzureBot as an example of a Bot that uses AuthBot and that retrieve information only available if you are logged.
I'm working on an OpenID Connect implementation, that is going to work as a single sign-on for multiple
applications. I get how to sign out a user from a single application or simply revoke refresh
tokens for further renewal of access tokens. But from looking at Google's implementation; when you sign out from Gmail you are immediately signed out from all other Google apps like; YouTube, Google + etc.
How is such behavior accomplished?
OpenID has the concept of single sign out - but the spec is still in draft:
http://openid.net/specs/openid-connect-session-1_0.html
IdentityServer v3 does not implement this spec right now - but it is planned for RTM.
Just need a very basic detail clearified.
If I'm trying to implement au OAuth authentification system for my website, it mean my website is REQUIRED to have a facebook, google and twitter account ?
For example: I have no intention for my website to have a twitter presence, but I want twitter users to be able to use OAuth to login on my website without registering manually.
I really need to open a twitter account to get my clientID and secret key code ?
Yes, it looks like you need a Twitter account in order to create a Twitter application, but it doesn't have to be an account for your website. For instance, if I want to create a "Sign in with Twitter" button on my, page, I can just log into the dev site using my personal account and create an application. Follow the steps here. In particular following the "application settings" link will prompt you to login, and then you can create an application.
Facebook likewise requires you to have an account and create an application. They then provide API keys that can be used in the OAuth login flow. They have two ways to get a token: a server side flow that provides a longer lived token, and a client side that gives a shorter one. For more details see this page.
With Google, if you use their OAuth 1.0 flow, you can do a login without creating an application (https://developers.google.com/accounts/docs/OAuth). However, it looks like their preferred way is their OAuth 2.0 flow through Google+. See this page.
We want to use Google Doc API to generate Document (In our own business account) when our end users do some actions on our site.
The problem is that we've tried to implement the OAuth 2.0 protocol, as suggested in the v3.0 protocol documentation. The apiClient::authentication method do a redirection. This is a major problem because our users doesn't know the access to our own business account.... and we don't want to give them access anyway ;)
(In other word, we're not creating an application that allow our users to edit their own data, but to interact with our data, like a database.)
I've read that the point of OAuth 2.0 was to avoid that we manage the credential of our users. I'm personally O.K. with the concept, but in our case, we don't want to get authenticated in the google account of our users ...
So, what would be the best approach to get a valid authentication without any interaction from the end user ?
What you describe is not how 3-legged OAuth was designed to be used.
3-legged OAuth is all about delegated authentication where a user (who knows his password) can grant limited and revokable resource access to application. That application never sees the user's password. There is a bunch of work involved to safely allow the application to impersonate the user.
What you probably want is to use the (2-legged) OAuth flow, where the consumer_id/consumer_secret credentials are embedded in your application. Here your application is not impersonating your end user and there would be no browser redirection involved.
Here's some further info on using 2-legged OAuth in Google Apps:
http://googleappsdeveloper.blogspot.com/2011/07/using-2-legged-oauth-with-google-tasks.html
And this is a good description of 3- vs 2- legged OAuth:
http://cakebaker.42dh.com/2011/01/10/2-legged-vs-3-legged-oauth/
You will need to use a SERVICE ACCOUNT. Basically you are hard coding access to this account into your server application. Then you use sharing to give access to the to account for the content you want. For example you can share a Google Doc or an Analytics profile with the SERVICE ACCOUNT.
Here is a complete example implementation of setting up a service account, logging and and then using it.
Updated 2018-12-12: https://gist.github.com/fulldecent/6728257
Why not get one OAuth authorization for your business account and have all users use that account. Since it sounds like you want everyone accessing the data for one account, the details can be hid from the end user.
The access token would be shared by all users and they would all hit the same account back end without any authorization for each user's own account.