I'm having some issues with the above api that I can't seem to solve and would appreciate any help: I'm trying to build an oauth url with the scope of https://www.googleapis.com/auth/adexchange.seller+https://www.googleapis.com/auth/adexchange.seller.readonly and i'm not prompted for those permissions when redirecting to the oauth urls.
I've taken the developer console URIs and only changed the client_id and redirect_uri and it still doesn't work, so I believe the problem is with my google developer console application?
e.g. the google developer console URI which prompts me to authorise for "View and manage your Ad Exchange data" and "View your Ad Exchange data" is:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/adexchange.seller+https://www.googleapis.com/auth/adexchange.seller.readonly&response_type=code&access_type=offline&redirect_uri=https://developers.google.com/oauthplayground&approval_prompt=force&client_id=407408718192.apps.googleusercontent.com
Now if I only change the client_id and redirect_uri to use my application i only get prompted to "Have offline access" which in turn does not allow me to access any data as it says that this user does not have any adx account.
Both cases I'm authenticating with the same user (I also tried with other adx users), using a "client id for web application" credential.
Thanks
Amnon
If anyone ever has this problem: the issue was caused because I once tried to authenticate with a google credential for installed application and for some reason until I revoked the access for the application from google.com/settings it wouldn't prompt me for the correct scopes. after revoking everything started working as expected.
Amnon
Related
I'm a bit of a salesforce / web noob, but am testing out the customer 360 external identity licences, along with customer users. My main goal is to authenticate a customer user using OAUTH, get an access token, then use the Salesforce web APIs to access some relevant bits of info for the customer user. However I just can't seem to figure out how to get the customer user authenticated despite being able to do the same just fine for my personal admin user account.
I have the following setup:
a bunch of external identity licences
a profile with the external identity user licence assigned, with the API enabled setting checked.
a connected app setup with relaxed IP restrictions set, all users may self authorize set, OAUTH settings enabled, device flow enabled, and the full access OAUTH scope selected.
an end customer contact with an associated end-customer user, assigned to the external identity profile and thus external identity user licence.
And I'm POSTing to the test token endpoint (https://test.salesforce.com/services/oauth2/token).
I've tried two auth flows, password and device flow for IOT as I want to integrate this with a command line app (which the IOT flow is good for apparently), and while both succeed for my personal salesforce user credentials, they both fail for my test user account credentials.
The server response for the password flow is as follows:
{
"error": "invalid_grant",
"error_description": "authentication failure"
}
End-customer users don't appear to have a security token so I've just been using the password on its own. I can't seem to find a way to generate a security token for these types of users but suspect this could be the issue for this flow.
When trying the device flow the returned verification uri is always https://test.salesforce.com/setup/connect but attempting to login on this page as the customer-user fails with this error:
Please check your username and password. If you still can't log in, contact your Salesforce administrator".
I am definitely providing the correct customer user credentials here so have no idea why this fails.
Does anyone have any ideas on how to get this working?
#eyescream nudged me in the right direction so here's the solution for anyone in the same position as me.
Authentication of external identity customer users is not done using the normal OAUTH REST endpoints (https://test.salesforce.com/services/oauth2/token or https://login.salesforce.com/services/oauth2/token).
Instead you have to setup an experience cloud site, add your customer user profile to the sites list of member profiles, then authenticate using a site specific AUTH endpoint.
For example, if your experience cloud URL is https://sandboxname-companyname.instanceid.force.com, then your OAUTH token endpoint would be at:
https://sandboxname-companyname.instanceid.force.com/services/oauth2/token
Extra things to note:
customer user accounts cannot authenticate using the username-password flow.
the device flow for IOT (or command line apps) will return a verification URL that customer users cannot log in to (https://test.salesforce.com/setup/connect). You can instead use the experience site connect URL (https://sandboxname-companyname.instanceid.force.com/sitename/setup/connect)
Can anyone help me to figure out solution for the below problem?
Summary:
I am getting 403 for Microsoft Graph Calendar Read API.
Detail
I am using microsoft identity platform with implicit grant flow mechanism to log user from his microsoft account into my application.
I am requesting in scope parameter with these permissions "profile User.Read Calendars.Read Calendars.ReadWrite"
Below things works after successful login.
1) It asks for the permission to grant
2) Microsoft oauth2.0 login.
3) Profile picuture read.
But for some reason when i try to read "calendar" I get 403 for only one account in whole tenant. I have gone through below link for error description, but couldn't find out solution
https://learn.microsoft.com/en-us/graph/errors
can anyone point me, where i need find solution for the above issue? Is it account issue or do I need to modify api request. Below api i am using to read calendar
https://graph.microsoft.com/v1.0/me/calendar/calendarView?startDateTime=${sd}&endDateTime=${ed}
For this problem, first you need to check if the token you got contains the correct permission, you can decode your token in this page. I test request this graph api with implicit grant flow, it works fine and I put my access token to decode we can see it contains the two calendar permissions which we expect.
Here I list some points which you need to pay attention to when you request this graph api:
1. As you mentioned in your question, you request in scope parameter with "Calendars.Read Calendars.ReadWrite" permissions, so did you add these two permissions to your AD application ? If you didn't add them, please add them in your AD application (please add them in "Delegated permissions" but not "Application permissions", I test it if we add them in "Application permissions" it will show 403 error because implicit flow requires "Delegated permissions").
2. After add the two permissions, don't forget grant admin consent for them.
I'm building a system with a web and a iOS app. The web part require authentication that can be used on the mobile part and vice versa.
I want to add support for google sign in on the web and on the mobile part. For test i've used the code from
https://developers.google.com/identity/sign-in/ios/start-integrating
for iOS and
https://developers.google.com/identity/sign-in/web/
for the web part.
scope are the same on Application and web (email, profile)
Expected flow
User sign in with google and grant access from mobile (or web)
user go to web site (or application)
user sign in with google
no need to grant permission again
What i got
User sign in with google and grant access from mobile
user go to web site
user sign in with google
same permission are asked again
How can i avoid asking permission again? from the documentation (https://developers.google.com/identity/sign-in/web/cross-platform-sign-in)
seems to be possible to obtain the expected flow but in practice i am unable to obtain it. iOS and Web are in the same google developer project.
I've made this work as expected following this guides: https://developers.google.com/identity/protocols/CrossClientAuth
https://developers.google.com/identity/sign-in/ios/offline-access
what you have to do is the following:
first add
[GIDSignIn sharedInstance].serverClientID = #"SERVER_CLIENT_ID";
in your iOS appDelegate. When the user authenticate through the app you can now retrive a token valid for your server_client_id via serverAuthCode attribute of your GIDGoogleUser object.
Send the token to the server and validate it on the token endpoint (/oauth2/v3/token) redirect_uri must be empty while grant_type must be authorization_codeotherwise you will have a 400 response.
Your server is now authenthicate and when the user will log on the website permission will not be asked again.
We are trying to use Google's OpenID Connect for a business web app but are concerned that the user will leave the app open and an unauthorized user will sign-in because the user is still signed into Google so OpenID Connect just let's them right in.
We've tried using max_auth_age=0 parameter. This has been replaced by max_age in OpenID Connect.
I do see that Google App's control panel at admin.google.com does usually re-prompt the user for a password while any other login won't. But looking at the authorization URL I don't see anything that would be triggering this to happen.
Here is our current authorization URL:
https://accounts.google.com/o/oauth2/auth?prompt=select_account&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww....com%2Fauth%2Fuserinfo.profile&state=%2F&redirect_uri=https://www.foo.com/callback&response_type=token&client_id=...
Perhaps if we added a certain scope that could trigger Google to go into high security mode, but I haven't found anything so far.
There's no way to control re-authentication as indicated in: Google OpenID Connect: Receiving a 500 error when supplying the "max_age" parameter to an authentication request nor step-up as recorded in: https://groups.google.com/forum/#!topic/google-federated-login-api/KT6pSp4VNaQ
Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently in Oslo NDC 2013, this subject flow apparently skips the authorization end point all together and directly talks to the token end point of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
user_name=owner&
password=password&
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situations (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
thanks in advance
Dear kind internet person,
it is true that Resource Owner Password Credential Flow is not supported on Google but google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console), when you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth\?
scope\=<scope>\&
redirect_uri\=urn:ietf:wg:oauth:2.0:oob\&
response_type\=code\&
client_id\=<client_id fetched from google console>
You would construct this URL and navigate to it on your browser, allow access for the app and google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and this credentials is permanent. There's a good example of that on github. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
As far as I know, No. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.