How I can to delete endpoint profiles from Admin-UI? Because I have a lot of old endpoints which does not work and not valid list of endpoints a bit annoying
This possibility will be added in new version 0.10.0.
Here link to the ticket in jira.
You can use code from develop branch if it’s ability critical for you.
Related
I want to develop and publish a bot for Teams, to interface with my SaaS (I already have a Slackbot that I'm porting). I'm creating a Bot Channel Registration as per this guide and came across the choice of whether to auto-generate a new App Id and password, or manually registering one (described here). I already have an Azure AD app for my SaaS that is published to the AppSource marketplace (the integration currently mainly allows logging in with your M365 account and syncing users from AD). Is it possible, and would it make sense to use the same App ID for the bot I'm developing for the same SaaS? Or is it somehow not advisable? And relatedly, can I expand my existing listing on AppSource to also contain the new bot, or should this be a separate listing?
I noticed in the documentation for manual registration of a bot, that it says that bots only work with "Accounts in any organizational directory and personal Microsoft accounts (e.g. Xbox, Outlook.com)" - my existing app only works with organization accounts, not personal accounts (since it's a B2B app) - does that change things?
Perhaps consider the question the other way - is there any good reason TO re-use the app ? It's very easy and basically free to create an additional app, and that way you don't run the risk of possibly ending up with settings needed for one scenario that conflict with another scenario's requirements, now or in the future. Here are some other possible considerations though:
new apps require Publisher verification, since 9 Nov 2020. This won't affect you for an internal app, which can be consented to by a global admin.
If you need the user (or admin) consent for some set of privileges (e.g. delegated Graph access), then using the same app might make sense. An example, in a Teams context, might be a bot and a tab that both need to access something from the Graph on the user's behalf. You could get consent in one context, and use it to access the resources from both contexts.
In a nutshell, and especially without a really really good idea of both of your current and planned use cases, it's hard to give a really solid 'yes' or 'no'. My gut says go with a separate app for a separate, unrelated scenario though.
Reusing the same appid against any other B2B won't create any problem. Being said that you can't use the above app if you're planning to implement/use BOT framework with it, as it's registered for organization only.
If you plan to create BOT related app registration then i would
suggest you to create new app registration with Organization +
personal for you scenario.
Please see the documentation and it's disclaimer:
In the above document it's pretty clear if you create any other app registration (other than Organization + personal), then the BOT will be unusable.
I'm trying to create a bot that people can install in their workspaces and send/receive messages of some sort. The problem I'm running into is the documentation tells you to use the token generated for your workspace:
https://api.slack.com/bot-users#installing-bot
But this makes no sense, seeing as people would be installing the App/Bot on their workspace themselves, it's not like they would be giving me their token or anything. Surely I'm missing something. How am I meant to authenticate a bot against whatever workspace it is installed in a purely API driven way?
There is no "workspace agnostic" Slack token. Every token is linked to a specific workspace and user.
The usual approach is that you provide an installation routine with Oauth 2.0 for your Slack app. When someone installs your app with that routine a new token is created internally that your app needs to collect and store. This is how every Slack app works.
Note that the installation has to be done once only for each workspace. The token does not expire.
Its simply when you install your Slack app on your own workspace only. That can be done directly from the Slack app management window and requires no installation routine. But then you obviously need to manually copy the generated token to your app.
I have my gmail extension running successfully with some good number of users. Now I've added some new functionality to that which require some additional restricted gmail permissions. As this is an extension, so if I deploy new changes to that without verification of new scope, users (new and old both) who will use new functionality of extension will see unverified consent screen.
So, I want to know if it's possible to submit dev or test app for oauth verification, while using production version keep intact. Also in case of extension I can't add deploy new features to extension which is in production, so how to provide new feature extension code to google for reviewing.
You have a few different options:
[1] Use incremental auth. If you have added new functionality, then there should be a separate path you can send users through that will request the new scopes. https://developers.google.com/identity/protocols/OAuth2WebServer#incrementalAuth
You can then request app verification for the new scopes you register on the Google Cloud Developer Console.
[2] Flag protect your changes (make sure your changes are behind an experiment), where you control who will see the new behavior. You can then request app verification for the new scopes you register on the Google Cloud Developer Console.
[3] If you intend to switch between versions of your extensions, where each version is represented by a separate OAuth client ID or even a separate GCP project number, then you can certainly implement the new behavior using a new OAuth client ID and submit your app for verification for the project that your new client ID belongs to.
Note that for all options, any existing users who have already recorded grants for your old set of scopes should not be disrupted unless you request authorization for the new scopes.
I've taken over development of a Google Analytics API dashboard for a content management platform, and upgraded the code to use OAuth2 as the older oauth was disabled recently. The authentication flow and subsequent API calls are all working fine on my localhost for development.
The problem is when trying the code from a different domain. Google wants the redirect_uri to be whitelisted through the developer console, and if it isn't there, it throws Error: redirect_uri_mismatch
As this is a self-hosted (+ open source) package, people will be able of installing on their own servers, there is no way I'll be able of adding all possible redirect_uri values to the app key in the developer console.
After a bunch of Googling and trying to understand the docs, I get the impression there are 2 possible solutions.
Instruct users to go to the Google Developer console, and to create an app key of their own, before also going through the OAuth2 flow within the distributed app to provide the code access to the data in Google Analytics.
Use a redirect_uri value of urn:ietf:wg:oauth:2.0:oob with an Installed App key, instructing people to copy/paste the code back into the self-hosted app after authentication.
Neither of these are really appealing as it adds a bunch of complexity for the user (though option 2 sounds mostly doable). Are there other options, or am I simply overlooking something simple?
You actually don't have any choice in this matter. You must go with nr 1. When you state this is a dashboard and web application it leads me to believe this is some kind of scripting language. This means that the client id and client secret will be displayed to your users / customers. This is against googles terms of service.
Changes to the Google APIs Terms of Service Asking developers to
make reasonable efforts to keep their private keys private and not
embed them in open source projects.
You may not release your client id and client secret to your users they are going to have to create there own. Which nicely solvers your redirect URI problem they have to make there own.
Further reading Can I really not ship open source with Client ID?
I set up a project on my main domain example.com and then moved it to a subdomain sub.example.com
Now when I try to use the same (default ASP.NET MVC or on my Discourse forum) project with OpenId and click on the Google button to log in with my Google account it throws the following error -
That’s an error.
OpenID auth request contains an unregistered domain: http://sub.example.com
I have tried Googling that message but apparently I am one of the first four people to see it. Any ideas here?
According to this page,
Google closed registration to new OpenID 2.0 clients in May 2014 and will be shutting down the OpenID 2.0 service in April 2015.
The reason why some hosts work and some don't is that although Google isn't adding new hosts, you can still use the ones that are already registered.
UPDATE :
Some people have asked for a simple explanation for how to fix this, or otherwise how to proceed.
Basically, you now have 2 options.
Use OAuth 2.0 (instead of openID protocols and older versions of OAuth)
or
Use Google+ login (which Google tried to "push" you towards)
For more details check the migration guide :
https://developers.google.com/+/api/auth-migration#userinfo
I would like to add some context to this thread together with a potential solution to developers that are currently blocked.
Back in February we announced the deprecation of OpenID 2.0 (OID2) scheduled for April 2015. We also announced that new OID2 relying parties (RPs) registrations† will no longer be accepted after April 2014.
Given that the API will be shut-down in less than a year’s time, our intention is to avoid having new RPs integrating with Google's OID2 API. Instead, we suggest to use our OpenID Connect API which we consider more secure and easier to implement.
Registrations were effectively closed on May 19th (as documented in the Google’s OID2 developer documentation). All RPs already using OID2 should not be affected by this the closure.
As for developers currently working on an integration with our OID2 API (presumably because they missed the announcement and warnings in our OID2 documentation), we will do our best to minimize the friction caused by the registration closure. If you are in such situation, please let us know by posting a registration request before June 15th. The post should contain a sample OID2 request used by your application, in case you prefer not to disclose such information, please post an email address and we will reach out. We plan to look into each case and try to get you unblocked in the best possible way.
† OID2 does not have a registration procedure for RPs integrating with an identity provider. RPs are associated to the realm value (e.g., www.example.com) used when contacting Google OID2 API. Thus, a RP is considered "registered" if its realm value has been used to contact our OID2 API.
You can easily change to OAuth 2, this article shows you how to register your app with Google and add the key to MVC. Scroll down to: "Creating a Google app for OAuth 2 and connecting the app to the project."
And you may need to add the Microsoft.Owin.Security.Google package via NuGet.
I had the identical problem but when using nodejs / expressjs
I have migrate my code using below url code and fixed that issue
Passport strategies for authenticating with Google using OAuth 1.0a and OAuth 2.0.
https://github.com/jaredhanson/passport-google-oauth
The sub-domains that fail are those that had never seen any user requests before. As per https://developers.google.com/+/api/auth-migration#timetable, Google is not allowing new domains in the OpenID2 API.
I have this exact problem, we use googles login to run a platform, its a brand new problem.
A few things I have discovered if this helps
Full domains trying to use openID never fail www.example.org and www.example2.com are not having this problem
Subdomains on the platform have this problem sometimes, but the same subdomains always fail and the others always work.
It started around Monday and is still happening now.
Take a deep breath and just change Startup.Auth.cs file
app.UseGoogleAuthentication();
to
app.UseGoogleAuthentication(
clientId: "000-000.apps.googleusercontent.com",
clientSecret: "00000000000");
refer to the http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on page.