I'm trying to set up authentication for a webapp using Auth0 and a Google Enterprise connection.
The applications needs to be able to access the user's profile, contacts, and gmail.
When I tried this using a Social connection in Auth0, I configured it to ask for Contacts and Gmail permissions. The consent then shows up as expected:
Configuration using Social Google Connection in Auth0
But when I try the same thing using an Enterprise Connection in Auth0, the Contacts and Gmail permissions are not available. And so, the consent screen won't ask for them either:
Configuration using Enterprise Google Connection in Auth0
What am I missing here? How do I setup authentication so that it
only allows in users from my Google Apps directory,
but also: requests the correct permissions for those users?
You should use connection_scopes in Lock or connection_scope in Auth0JS or the /authorize call to pass on any scopes you want to request to the Identity Provider.
Related
How can I use a Google Workspaces (gsuite) user's application specific password to sign into Google's OIDC (OpenId Connect) auth endpoint and request an OIDC ID Token for that user?
Background:
Google turned off support for programmatic password-based authentication to gsuite and Google Workspace saying:
“Blocking sign-ins from less secure apps helps keep accounts safe. For these reasons, Google is limiting password-based programmatic sign-ins to Google Accounts.” Google: Control access to less secure apps
As an alternative to LSA (Less Secure Apps) Google suggests that apps can use "application specific passwords" to programmatically authenticate to Google.
An app password is a 16-digit passcode that gives a non-Google app or device permission to access your Google Account. To help keep your account secure, use 'Sign in with Google' to connect apps to your Google Account. If the app that you’re using doesn’t offer this option, you can either: Use app passwords to connect to your Google Account ... Gmail: Sign in using app passwords.
Google recommends using an App Password as one solution for applications that require programatic sign ins to Google accounts:
Can’t use an app with my Google Account: Use an App Password Google: Less secure apps & your Google Account
This clearly indicates that Google intends for applications to programmatically sign into Google Accounts using app passwords but forbids programatic access for regular passwords. I can find no documentation on how to do this.
My question is: how can I use an app password of a user to sign into Google's OIDC (OIDC Connect) auth endpoint and request an OIDC ID Token for that user?
I can find examples of this being done for Google Workspace SMTP to access email. For instance Google only allows nodemailer to programmatically access gmail via the SMTP protocol using an app password. This however does not help me because SMTP being a email transfer protocol can not issue OIDC ID Tokens.
Out of scope answers:
This is not a question asking how to create GCP service accounts and use domain wide delegation to enable them to impersonate a Google Workspaces user and thereby request an OIDC ID Token for that user.
It is not a question asking how to create an OIDC confidential
client and then given that OIDC confident client access to your
Google account to request an ID Token.
I am not looking for these answers.
We have a system that is using its own authentication system and I need to make it use our Google Workspace accounts to integrate with Google SSO so that when the user gives their credentials to the webpage, it will be authenticated in both google account and on our web app account.
Google default workflow redirects the user to its own form, so we have the problem of the password not being passed to our server.
Crossed my mind the fact that this would be too insecure to exist, but remember that all users that would log in to our website would have an account created in a workplace totally managed by us.
how could I auth the user this way?
Why not use "Sign-in with Google" -> OpenID Connect to access to the website. That way it will authenticate with Google.
Or add the website as a custom SAML application in the Admin console, and use Google as the IDP since the users will be provided by your organization.
I'll try to connect to the content api for shopping via API.
I'de tried some different oAuth ways (e.g. "three-step-method" with access key and baerer-token) but for a spezific integration I need the "credentials-oAuth".
Currently I tried as following:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=[my client id]&
scope=https://www.googleapis.com/auth/content&
redirect_uri=[some random request bin -> added in Authorised redirect URIs ]&
response_type=code
If I call this via Postman, I'll be redirected to the login page of Google. But why?
How can I solve this problem?`
BG
David
Shopping API data is private user data. In order for your application to access private user data it must have the permission of the user who owns that data.
We use OAuth2 to do that. The user must consent to your application accessing its data. In the below image the application Google analytics windows is asking the user for permission to access their Google analytics data.
If I call this via Postman, I'll be redirected to the login page of Google. But why?
You are seeing a login screen with Postman is simple the user needs to be logged in before they can grant access to their data.
How can I solve this problem?
You dont as there is no problem the user must login to grant your client application consent to its data. This is working exactly as it should
Service accounts
Update to answer comment Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
I'm working with a company that is using the Google Apps free subscription. This company has a web site. They want to let users who have Google Apps accounts in their domain to authenticate into the web site via OAuth.
My question is, where do I find the ClientId and ClientSecret needed to do OAuth?
Thank you!
OAuth 2.0 for Client-side Web Applications will allow you to authenticate users using Oauth2. This will allow the users to grant your application access to their private data.
You will need to go to Google Developer console and create credentials on this page Credentials
Open the Credentials page in the API Console.
Click Create credentials > OAuth client ID.
Complete the form. Set the application type to Web application. Applications that use JavaScript to make authorized Google API requests must specify authorized JavaScript origins. The origins identify the domains from which your application can send API requests.
I'm building a system with a web and a iOS app. The web part require authentication that can be used on the mobile part and vice versa.
I want to add support for google sign in on the web and on the mobile part. For test i've used the code from
https://developers.google.com/identity/sign-in/ios/start-integrating
for iOS and
https://developers.google.com/identity/sign-in/web/
for the web part.
scope are the same on Application and web (email, profile)
Expected flow
User sign in with google and grant access from mobile (or web)
user go to web site (or application)
user sign in with google
no need to grant permission again
What i got
User sign in with google and grant access from mobile
user go to web site
user sign in with google
same permission are asked again
How can i avoid asking permission again? from the documentation (https://developers.google.com/identity/sign-in/web/cross-platform-sign-in)
seems to be possible to obtain the expected flow but in practice i am unable to obtain it. iOS and Web are in the same google developer project.
I've made this work as expected following this guides: https://developers.google.com/identity/protocols/CrossClientAuth
https://developers.google.com/identity/sign-in/ios/offline-access
what you have to do is the following:
first add
[GIDSignIn sharedInstance].serverClientID = #"SERVER_CLIENT_ID";
in your iOS appDelegate. When the user authenticate through the app you can now retrive a token valid for your server_client_id via serverAuthCode attribute of your GIDGoogleUser object.
Send the token to the server and validate it on the token endpoint (/oauth2/v3/token) redirect_uri must be empty while grant_type must be authorization_codeotherwise you will have a 400 response.
Your server is now authenthicate and when the user will log on the website permission will not be asked again.