Microsoft Live app multiple domains - oauth

I have a web application which runs on one server, but multiple domains (like ab.c, a-b.c, ab.d, a-b.d etc.) are pointed to this application. I would like to use other systems' (e.g. Google, Facebook, Microsoft) authentication. Google and Facebook are working fine, but it looks like Microsoft Live allows only one domain per application. Is that correct? If yes how to handle this? Does it exactly means I have to create separate application on MS developers site and I have to choose different Client ID for authentication based on user's referrer?

Related

Gmail API OAUTH2 verify Desktop application

At work we have developed an individual customer specific software application that is in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and login through our program. For Microsoft and Gmail accounts OAUTH is implemented and something here is not very clear.
For Gmail-API we have made an OAUTH Client and Consent screen on Google Cloud Console which we need to publish and verify and here is where the problems start. I am not very clear with the whole process of verifying the app.
In the steps for verifying is stated that we should verify a domain for the app, but this software is not hosted anywhere on internet and is not publicly available, it is available to a number of specific users (2000-3000).
Also Google requires a YouTube video of the software to be available publicly, which we are not able to upload because of customer requirements. Also here is required a Data Protection Policy page for the application which we as a developers don't have because we are only developing the software.
Other thing that is not clear to me, how is this type of software rated by Google, internal or public?
Have anyone experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email so you are using the users.messages.send method from the Gmail api. This uses a restricted scope. Which means you will need to go though the full process.
First of it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via google search console. So this app will need a domain
Once that is done you will be able to host your website, and the privacy policy on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third party security checkup of your application which is not free and will need to be done once a year.
All of this is needed because of your consent screen it doesn't matter if its hosted any where, It also doesn't matter if this is only available to specific number of users.
If all of the users are part of a single google workspace account, that has created your client id and client secrete then you can set the app to internal and you wont need to be verified. This only works for google workspace domain accounts.

Cannot get joined teams using Graph for external users using mail identity

I am attempting to use "v1.0/me/joinedTeams" to get all the joined teams for the currently authenticated user in my asp.net service. This works fine for external accounts that use a Microsoft identity (have a live account) but the same call returns a 400 Bad Request when I attempt to use an external account that uses a mail identity (no live account). The request is the same regardless of external account type. The token generated when authenticating as the mail identity external user looks correct when I inspect it.
I have been able to implement a workaround where I instead use the SharePoint REST service to get the groupId for the team site the user is apart of and then use the Graph call "v1.0/teams/{groupId}" to get that team. However, I need to do this for all the teams the external user has access to which slows things down quiet a bit.
I am aware of what looks like a bug in Graph when trying to make any Graph calls with any external user type, described here: https://github.com/OneDrive/onedrive-api-docs/issues/1039. I have also implemented the workaround for this issue which requires first accessing each site the user has access to by making some arbitrary call using the REST service. Then any subsequent calls using Graph should work. I do this for external accounts with a mail identity before trying to make the joinedTeams call but still run into the 400 response.
These workarounds will suffice in the short term but they increase my execution time significantly, especially when there is a large number of teams the external user is apart of. Any insight on a solution is greatly appreciated.
/me/joinedTeams is not available for personal Microsoft accounts. Se the table on this page

Multiple installations of Client-Server app and OAuth redirect

We develop .net core based web server app with web browser client. This app will be installed on our client's dedicated servers. Our app will include, among others, contacts and calendars and we want to allow users sharing data between our and cloud agendas (via Azure graph-api, Goods api) .
We registered our app in Azure (for now, we assume it will be very similiar for Google) and got some codes (client, secret etc.). Now, we are not sure, what's corrent auth/usage flow.
Client side - a new browser window will be displayd to the end user, asking for grand types and login, but then the server should ask for an access token, as it will interoperate then. As I understand - this is done by using "redirection_uri" going to the server address.
The main problem here is that when registering our app in cloud environment, limited redirection address list is defined and checked later with "redirect_uri" parameter. Our application will be installed on customers' servers and we don't want to force them to register their own applications in the cloud's administrations as they even will not have their own cloud subscriptions.
Edit 2020-11-18:
I'll try to describe again what is our task we want to find solution for:
We develop web app with browser based clients
We sell this app to other organizations and they will install it on their own servers and will have their own customers (final customers) using this app
These organizations don't have to have O365 subscriptions
We, as developers, want our internal app calendars and contacts (among others) to be connected to final customers' Azure/Google calendard and contacts.
It means, that the synchronization itself will be between organization's instance of our app and their customer's Azure/Google calendars/contacts.
I'm sure this must be quite common problem but I have't found any reliable answer.

Trust between 2 web applications

We develop a web application that needs to integrate with another third party web application.
Let's call them MainApp and ThirdPartyApp.
There is a trust between our company and the third party app owning company, meaning we know and trust each other. Both apps will be administered by the same client.
Both applications have their own database of users and login mechanism.
Both applications are hosted on different servers.
We need both apps to be able to call each other (web pages and rest APIs).
All the communication between both apps must be seamless without interaction from the user.
So once a user is logged into one application, it shouldn't prompt another login to access the other application.
When a request is made to the other application, it should be able to map to a user in its own database.
So the request isn't made on behalf of the calling application, but on behalf on the user currently logged into the calling application.
If it can help, we agreed on using the same UserCode in both applications.
My question, what are the best practices to implement this kind of trust between 2 applications?
Is there an OAuth grant flow that fits this scenario?
You'll find examples of Single Sign On approaches online; one such example:
https://www.codeproject.com/Articles/1140228/Implementation-of-Single-Sign-On-SSO-in-ASP-NET-MV
In this approach, by having a common configuration in both applications, you can achieve what you are looking for. One of the requirements is to have the same machine key in the config (example from article):
<machineKey validationKey="E4451576F51E0562D91A1748DF7AB3027FEF3C2CCAC46D756C833E1AF20C7BAEFFACF97C7081ADA4648918E0B56BF27D1699A6EB2D9B6967A562CAD14767F163"
decryptionKey="6159C46C9E288028ED26F5A65CED7317A83CB3485DE8C592"
validation="HMACSHA256" decryption="AES" />
Obviously it goes without saying forms authentication is required. if users are on the same domain, potentially you could use windows/Forms Active Directory?

Graph Web application authentication single sign on

I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/
Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.

Resources