Domain-Wide Delegation of Authority while Third Party Apps are Disabled - oauth-2.0

In Google Apps domains: is it possible to grant domain-wide delegation of authority to third-party apps while the "Allow users to install Google Drive Apps" setting in the Admin Console is disabled?
To be specific: I am trying to find out if there is a workaround for the Admin Console settings. The enterprise social network already has the capability to work with Google Drive, but none of my files show up because of the App settings in the Admin Console.

Apps that are published in the "Google Apps Marketplace" (https://www.google.com/enterprise/marketplace) can be installed by a domain administrator for all users in a domain. This will bypass the setting you mentioned.

Related

Grant Third Party Application Access to Google Drive API and Admin SDK API of another Organization's Google Workspace

We are working on a Migration App for Google Drive (Google Workspace) and are relatively new to Google APIs. I read that administrators need to grant domain-wide delegation of authority to third-party and internal applications so that they can access users' data, such as reading Google Drive files.
Control API access with domain-wide delegation: https://support.google.com/a/answer/162106
For delegating domain-wide authority to a service account, a super administrator of the Google Workspace domain must complete 6 steps as described in the documentation link below:
Delegating domain-wide authority to the service account: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
As I understand it, these 6 steps have to be manually performed by a Super Admin of the Google Workspace. I would like the super administrator to be able to do these steps easily and quickly. Can this process be automated or guided using some sort of consent grant screen in a web portal?
Instead of using service accounts, can we use an OAuth 2.0 Client ID (created within the third-party app's Google Workspace) and the consent of an Administrator to provide delegated access to their Google Workspace to the third-party application?
I am asking this because I would need to get a list of all users in that Google Workspace and have read access to their Google Drive files.
"Directory API: Authorize Requests" using Admin SDK: https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
Scope for only retrieving users or user aliases: https://www.googleapis.com/auth/admin.directory.user.readonly
Thanks!
I am afraid it is not possible at this moment to manage the domain-wide delegation settings through APIs, or in any other way that would automate the process. The Google Workspace Directory API is the only possible way to manage Admin console related settings using the Google APIs; however, there is no API method that can make changes like this.
Now, about this:
Instead of using service accounts, can we use an OAuth 2.0 Client ID (created within the third-party app's Google Workspace) and the consent of an Administrator to provide delegated access to their Google Workspace to the third-party application?
The only possible way is by adding the application to the domain-wide delegation settings, but again, only the admin can add the app manually in their Google Workspace admin console.
Since this is a feature that is not available yet, you could submit a feature request in the Directory API to suggest this as an actual feature and maybe Google can make it available in the near future.
Reference:
Admin SDK: Directory API
Feature request
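What the six manual steps actually authorize, shown as an added Go example that is not from the question, the answer or any Google library: the service account signs a JWT assertion whose `sub` claim names the Workspace user to impersonate, and Google's token endpoint only issues a token if an admin has listed that client with every requested scope. The checking side here is a constructed model of that decision (a real assertion is verified by Google, not by your own code); the service-account address, the `example.com` domain and the grant table are made up, and the grant is keyed by service-account email where the Admin console uses the numeric client ID. The Directory scope is the one quoted in the question; `drive.readonly` is the standard read-only Drive scope.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)
const (
	tokenEndpoint    = "https://oauth2.googleapis.com/token"
	scopeDirectoryRO = "https://www.googleapis.com/auth/admin.directory.user.readonly" // quoted in the question
	scopeDriveRO     = "https://www.googleapis.com/auth/drive.readonly"                // standard Drive scope
)

// assertionClaims is the JWT body the service account signs; "sub" is the Workspace
// user being impersonated. Without it the service account sees no user's Drive.
type assertionClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// generateKey stands in for the private key in the downloaded service-account JSON.
func generateKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// buildAssertion signs header.claims with RS256, as the Google client libraries do.
func buildAssertion(key *rsa.PrivateKey, saEmail, subject string, scopes []string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(assertionClaims{
		Iss: saEmail, Sub: subject, Scope: strings.Join(scopes, " "),
		Aud: tokenEndpoint, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// delegationGrant models one row the super admin adds by hand in the Admin console.
// Constructed simplification: keyed by service-account email, not the numeric client ID.
type delegationGrant struct {
	Domain string          // Workspace domain whose users may be impersonated
	Scopes map[string]bool // scopes the admin authorized for this client
}

// checkAssertion models the token endpoint's decision: valid signature, right audience,
// unexpired, client listed for the subject's domain, every scope inside the authorized set.
func checkAssertion(assertion string, pub *rsa.PublicKey, grants map[string]delegationGrant, now time.Time) (assertionClaims, error) {
	var c assertionClaims
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed assertion")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return c, errors.New("bad base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature does not verify")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Aud != tokenEndpoint || now.Unix() >= c.Exp {
		return c, errors.New("wrong audience or expired")
	}
	g, ok := grants[c.Iss]
	if !ok || c.Sub == "" || !strings.HasSuffix(strings.ToLower(c.Sub), "@"+g.Domain) {
		return c, fmt.Errorf("%s may not impersonate %q", c.Iss, c.Sub)
	}
	for _, s := range strings.Fields(c.Scope) {
		if !g.Scopes[s] {
			return c, fmt.Errorf("scope %s not authorized for %s", s, c.Iss)
		}
	}
	return c, nil
}

func main() {
	key := generateKey()
	sa := "migrate@example-project.iam.gserviceaccount.com" // constructed
	grants := map[string]delegationGrant{sa: {Domain: "example.com", Scopes: map[string]bool{scopeDirectoryRO: true}}}
	a, _ := buildAssertion(key, sa, "admin@example.com", []string{scopeDirectoryRO, scopeDriveRO}, time.Now())
	_, err := checkAssertion(a, &key.PublicKey, grants, time.Now())
	fmt.Println("drive.readonly was never authorized:", err)
}
```

Run it and the request fails at the scope check: an admin who listed only the Directory scope has not granted Drive, so a migration tool that asks for more than the admin entered is refused at the token endpoint rather than at the data. That per-client, per-scope list is exactly what the answer says cannot be written through an API today.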

If my app uses AD B2C does it require Apple Sign-In?

Apple have changed their store guidelines to include Sign-In For Apple:
Apps that exclusively use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option.
If my app uses Azure Active Directory B2C and allows social logins via this service (e.g. Facebook, Google), then am I required to support Sign In with Apple? I know this is possible (see Use Azure Active Directory B2C to enable ‘Sign in with Apple’ in your apps), but I don't know if my app will be blocked from releasing until I do.
The user can just create an account on AD B2C. Apple also say:
Sign in with Apple is not required if:
Your app exclusively uses your company’s own account setup and sign-in systems.
But does this include a sign-in system that supports third-party social logins?
From https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Mailbag-Use-Azure-Active-Directory-B2C-to-enable-Sign/ba-p/566489
Using Sign in with Apple will soon be required for all apps in the Apple App Store which support third-party sign-in. This is indicated at the very bottom of Apple’s recent update to its App Store review guidelines. This requirement will be enforced once the service is out of beta and commercially available.
This new policy means that if you implement any third-party or social login (like Facebook, LinkedIn, or Twitter) in your iOS or Mac apps, those apps will also need to include Sign in with Apple as an option. By using Azure AD B2C to enable social login in your applications, you can be ready for this requirement when it becomes mandatory later this year.

Graph API for iOS Push Notifications - Confused AAD customer on Partner Portal

I want to use Microsoft Graph to send our company mobile app push notifications as discussed at Microsoft Build 2019.
I am following Integrate with Microsoft Graph notifications. It directs me to create a "Developer Account" to use the Partner Portal but my company already has an Enterprise Azure account with Microsoft and we leverage Azure AD.
I've tried the "Onboard" step but then I read "To get started, sign in to the Partner Center dashboard using your Windows developer account (you cannot use an Azure AD account)". I'm very confused.
Also, the Partner Portal shows no items under the menu no matter how I signed in. I tried using a personal account and my AAD account and I get the same result. No menu items at all.
I'm not sure where you're getting a "Developer Account" from but the first step is registering your application. This gives you an Application Id and Secret which is required to authenticate against Graph:
In order for your application service to integrate with Microsoft Graph notifications, you need to register your app with the Microsoft identity platform to support Microsoft accounts or work or school accounts, and declare the API permissions that are required.
With regards to the windows developer account, this is explained in the documentation:
If you don’t already have a Windows developer account, you’ll need to create one. For details, see Opening a developer account. You need to do this even if you don’t plan to build a Windows UWP application. If you’re building a school or work application as part of an enterprise, you can associate your developer account with the appropriate Azure AD account that is used for managing your enterprise submissions. For details, see Associate Azure Active Directory with your Partner Center account.

Google Login Plugin does not allow users from multiple domains

I'm using Jenkins' Google login plugin for user authentication. I've installed and configured the plugin as mentioned in the documentation and it is working as well. However, users from only one Google Apps domain can log in to Jenkins and access it (jira link). We have users from a couple of domains. Another issue with this plugin is that it is not able to control user authorizations: all users can do anything. I've attached a screenshot showing the Jenkins Google login plugin configuration.
Is there any workaround or alternative for this?
Since version 1.3 (November 21st, 2016) the Google login plugin allows multiple domains separated by commas.
Check the changelog:
https://wiki.jenkins.io/display/JENKINS/Google+Login+Plugin
And the PR:
https://github.com/jenkinsci/google-login-plugin/pull/3
According to Google Cloud Platform that's not possible and the only suggestion is to set "Allow anyone with a Google account" if you are using multiple domains:
Understanding authentication for your end-users
...
Allow only members of a Google Apps domain to access the application. This is ideal for “intranet” applications where access is limited to the users in your domain.
This method can only restrict to a single Google Apps domain. This will not work if you use multiple domains with Google apps. If you are using multiple domains, then select “Allow anyone with a Google account” and extend your application code to restrict access to end-users that are from your set of Google Apps domains. Your application can use the value of the user_organization of the signed-in user (rather than parsing the email address) to determine the domain name of the user.
Also, this issue is already registered in https://issues.jenkins-ci.org/browse/JENKINS-32536 and it is still Open and Unresolved.
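The quoted advice ends with "extend your application code to restrict access", which is what the plugin's comma-separated domain setting from version 1.3 does on your behalf. As an added Go example (not the plugin's code and not taken from the answer), this shows that check applied to the claims of a Google ID token. It assumes the token's signature was already verified upstream and uses the hosted-domain claim `hd`, which Google sets only for Workspace accounts, where the quoted text speaks of user_organization; the domain setting and the token payloads are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// idTokenClaims holds the fields of a Google ID token that matter here. The
// "hd" (hosted domain) claim is asserted by Google for Workspace accounts only,
// so it is the value to check instead of slicing the email string.
type idTokenClaims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	HostedDomain  string `json:"hd"`
}

// parseAllowedDomains turns the comma-separated setting the plugin accepts
// since 1.3 ("example.com, example.org") into a normalized lookup set.
func parseAllowedDomains(setting string) map[string]bool {
	allowed := map[string]bool{}
	for _, d := range strings.Split(setting, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d != "" {
			allowed[d] = true
		}
	}
	return allowed
}

// domainAllowed decides whether a signed-in user may enter. It refuses
// unverified addresses, consumer accounts (no hd claim) and domains outside
// the configured set, and never derives the domain from the email address.
func domainAllowed(c idTokenClaims, allowed map[string]bool) (bool, string) {
	switch {
	case !c.EmailVerified:
		return false, "email not verified"
	case c.HostedDomain == "":
		return false, "no hosted domain: consumer account"
	case !allowed[strings.ToLower(c.HostedDomain)]:
		return false, "domain " + c.HostedDomain + " not allowed"
	}
	return true, "ok"
}

// decideFromPayload takes the decoded JSON payload of an ID token (signature
// assumed verified already) and applies the domain check.
func decideFromPayload(payload, setting string) (bool, string, error) {
	var c idTokenClaims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return false, "", err
	}
	ok, why := domainAllowed(c, parseAllowedDomains(setting))
	return ok, why, nil
}

func main() {
	setting := "example.com, Example.org" // constructed plugin setting
	payloads := []string{ // constructed ID-token payloads
		`{"email":"ci@example.org","email_verified":true,"hd":"example.org"}`,
		`{"email":"someone@gmail.com","email_verified":true}`,
		`{"email":"ci@example.com","email_verified":false,"hd":"example.com"}`,
		`{"email":"x@example.com","email_verified":true,"hd":"other.example"}`,
	}
	for _, p := range payloads {
		ok, why, _ := decideFromPayload(p, setting)
		fmt.Printf("%-5v %s\n", ok, why)
	}
}
```

The last constructed payload is the case the quoted text warns about: the address ends in an allowed domain, but the hosted-domain claim does not, and the claim wins.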

Salesforce: Enabling OAuth for app

I'm toying around with a sandbox dev account on salesforce. I'm trying to create an app with OAuth settings similar to these instructions, but I can't find any option to enable OAuth settings.
Here's a walkthrough of what I see:
Where was "Enable OAuth Settings"?
Make sure to add the new app under "connected apps" instead of "apps"