I have a ruby on rails application that authenticates the users through Yammer and then redirects them to the right tenant depending on their network name.
Workflow essentially goes like this:
User is presented with sign-in/sign-up page
Authenticate through the Yammer API and redirected back to a callback URL (yammer.example.com/auth)
The callback controller then looks at the auth response, and determines the network that the user belongs to.
I redirect to that tenant on the subdomain (eg my-network.example.com) and sign the user in
There are some other things that go on here in the background (creation of other users in the network, user matching etc.) but the problem I am having is with the actual network name and subdomain creation and redirection.
The way that the subdomain is currently parsed is to use the SLD of the users network name.
As an example network_name: "example.com" returns "example" as the subdomain for us to create/redirect to.
This was all working great until we started testing with paid Yammer accounts, their network names seem to not play nice with our current code.
This is what we are currently using:
if PublicSuffix.valid?(auth.extra.raw_info.network_name.mb_chars.normalize(:kc).to_s.downcase)
yammer_domain = PublicSuffix.parse(auth.extra.raw_info.network_name.mb_chars.normalize(:kc).downcase)
subdomain = yammer_domain.sld.gsub(/[^0-9A-Za-z]/, '')
else
subdomain = auth.extra.raw_info.network_name.downcase.gsub(/[^0-9A-Za-z]/, '')
end
I'll admit that this is not the cleanest at the moment because I have been hacking a little trying to catch when a network name is not a correct domain and fixing it there. I am normailizing all characters and then parsing the SLD using the PublicSuffix gem.
If it is not a valid domain then I try and normalize the characters and strip everything out that we don't need (so something like L'oreal would just become loreal).
This still seems to throw an error and not parse correctly.
So my question is:
Is there anything different about how the network names are set up with paid accounts vs. free accounts? Is there a more reliable way to return the network name to parse for subdomains using the Yammer API?
Is there anything different about how the network names are set up
with paid accounts vs. free accounts?
No there isn't.
Is there a more reliable way to return the network name to parse for
subdomains using the Yammer API?
If I understand what you're trying to do correctly, I don't think "network_name" is the correct JSON object to use. The network admin can decide to change the network name any time and that would screw your app.
I'd recommend you use "network_domains". The value of this JSON object contains a list of all yammer networks the logged-in user is a member of, and the first item in the list is ALWAYS the primary network of the user.
For example, the result of a GET request to api/v1/users/current.json would contain something like:
network_domains":["jet.usa.cc","jet.onmicrosoft.com","jet2.onmicrosoft.com"]
In the above example, jet.usa.cc is the primary network of the logged-in user. The network domain name cannot be changed, it's a constant. You may extract the value of the primary network in your RoR app and use it as you wish.
Related
I'm learning about Google OAuth, and it says that my project has no appropriate credentials.
So I go to the Developers Console and click on the OAuth consent screen. I type my domain name into their question:
Authorized domains To protect you and your users, Google only allows
applications that authenticate using OAuth to use Authorized Domains.
Your applications' links must be hosted on Authorized Domains.
I have verified my domain, but I get "Must be a top private domain." The link takes me to some kind of java programming statement. Actually if I click on the Domain verification tab (again) there are no domain names listed, but I know I added it.
Q: How do I add my domain for being used with OAuth? Must I qualify it as a Top Private Domain or am I going down a rabbit hole?
Google oauth requires a top level domain for security purposes. A top level domain is the first one before the .com .net .biz, in other words it only has one dot. There are exceptions such as .co.uk.
Subdomains are controlled by the parent domains and are not necessarily owned or controlled by you. Imagine you have a Wordpress account at domain.wordpress.com. Wordpress closes your account and returns domain to inactive. A different user claims the domain user and domain.wordpress.com. If Google allowed subdomains they would be forced to believe the new user was you. (Since there is no requirement of public notification of the change)
Edit (a more generalized statement in response to a comment.)
If you own the domain, you have full control over it, and the ownership records are public. To prove your virtual identity as owner of the domain when subscribing to many services require a DNS record, that is created by you, as a challenge created by the provider, that can be read by the provider, prior to services being created. In the event of a change in ownership the original claimant, you, is sent a new record to the provided email address to add to your DNS server to prove you still own the domain. If you cannot prove you still maintain ownership of the name, as in the case of an expired domain hijack, all services are canceled.
Edit
The most probable problem is: Your domain verification is failing.
Start the verification process again. This will give you a new TXT record to add to your DNS.
Go to your DNS providers page and add the record. While there look for the refresh value on the SOA record.
Convert the SOA refresh from seconds to hours. Divide by 3600.
Wait that amount of time + 4 hours for replication.
Use nslookup (or dig) and look for the TXT record. Be sure to use Google's DNS server at 8.8.8.8(server=8.8.8.8).
If the record is not found, wait some more, if (hours waiting > 72) break; else repeat check.
If nslookup was able to find the record, complete the verification process; if not contact your DNS provider(The client record hold can be an issue).
If at this point everything went well, You should have an authorized domain.
If not (domain disappears, contact Google support), It my have to do with the privacy settings on the domain. Most quote public domains have contact information.
You must use a TLD (top level domain). If you have a subdomain, it is owned by the person who owns the TLD. For example, you might have a blog at myamazingblog.wordpress.com, and wanted to use OAuth with it. Unfortunately, this would not be possible, since you do not own wordpress.com (the TLD).
Try testing on a different device or clearing cache.
For me it turned out I had everything correct (just with my example.com domain) but my iOS safari was caching something and it kept giving me the ‘not whitelisted’ message. Which led me to think I needed to add dev.example.com as well - which isn’t necessary.
So try going to the site on another device or browser to see if it works.
I have a scenario where I have a web site that will be used by multiple customers.
But I do not want to publish the web site to each customer domain's. Instead I will publish the web site to an azure web site for example mywebsite.azurewebsites.net and I want all the customers domains to redirect to this mywebsite.azurewebsites.net but I need to know which customer is this so I can display the correct content. for example I am thinking about appending or sending a hidden custom parameter in the query string or such.
What I need to know is
How can I redirect all the domains to mywebsite.azurewebsites.net
How can I pass a hidden parameters in the redirect for example any request from the customer domain e.g "www.cust1.com/Home/Index" will be redirected to "mywebsite.azurewebsites.net/Home/Index?username=testuser" and "www.cust1.com/Home/Index?querystring=ffff" to "mywebsite.azurewebsites.net?querystring=ffff&username=testuser"
I do not want to publish any web site content on the customer web site that means the customer domain root directory will be empty.
There are quite a few different ways you can do this.
The first thing you need to determine is: How are you going to handle the redirection to mywebsite.azurewebsites.net?
Are you going to place code directly on the customers website to
redirect?
Do you have the access to the customers DNS's allowing you to forward their site to mywebsite.azurewebsites.net?
Do you want to create a CNAME record and point it to your Azure Website?
Method #1
If you have access to the customers website then this becomes the easiest method.
As you described above, I would simply redirect the user back to your site with some type of custom url i.e mywebsite.azurewebsites.net/customer1 .
When the user hits this page you could then set a cookie in their browser so that you know where they came from and then redirect them to the home page at mywebsite.azurewebsites.net. This would happen almost instantly and the customer would never notice.
Method #2
If you are able to forward the domain or they can only redirect the user to the main website at mywebsite.azurewebsites.net, you can simple look for the referring url when the request comes in. Then as you do above, based on the referring URL you can then set your cookie and show the proper content.
Method #3
This is assuming you have access to the customers DNS records and are able to create a CNAME record for www.customerwebsite.com -> mywebsite.azurewesbites.net
In that case, when the user visits the site you would just pull down the HOST and then set your content based on that.
The specific code is here:
string url = HttpContext.Current.Request.Url.AbsoluteUri;
// http://localhost:1302/TESTERS/Default6.aspx
string path = HttpContext.Current.Request.Url.AbsolutePath;
// /TESTERS/Default6.aspx
string host = HttpContext.Current.Request.Url.Host;
// localhost
You can find more information here: How to get the URL of the current page in C#
Let me know if you have any questions or end up implementing any of these solutions.
I am trying to configure a LinkedIn application for a multi tenant site. I will have 20+ tenants using the same application and the number is going to increase every time.
As per Linkedin API documentation (https://developer.linkedin.com/docs/oauth2) we need to ensure following points
We strongly recommend using HTTPS whenever possible
URLs must be
absolute (e.g. "https://example.com/auth/callback", not
"/auth/callback")
URL arguments are ignored (i.e.
https://example.com/?id=1 is the same as https://example.com/)
URLs
cannot include #'s (i.e.
"https://example.com/auth/callback#linkedin" is invalid)
Can i configure redirect url as https://*.mysite.com/auth/linkedin/callback instead of specifying url of each tenant separately.
You cannot do a subdomain based wild card mapping as the IP should know the RP.
You can change the logic after you get the authorization callback, so you set the cookie and then you will have to redirect the user back to the tenant URL instead of the base URL.
Anyway, after successful authorization, you will be redirecting the user to an action, just figure out the subdomaina and the construct the URL and do the redirection
HTH
EDIT
Since the use of the URL or other approaches seem to be a hack, can you please try to have a facade like application (or Gateway like one) that has a URL that is registered in linkedin and then on receiving the response, it can use a state or other factor to redirect to the tenant URL. This can use a 302 and it will be invisible unless the user is on a very slow network. This approach does not require any hack like approach.
Here state can be a function that takes a tenant info and generates a dynamic hash that is stored for tracking and redirection.
I have a restful API that is going to accessed by multiple organizations. Their data is going to always be separate. I am using rails 4.0, emberjs, and phonegap. There are going to multiple devices accessing the API for a single organization at any point in time.
My question is how to properly design my API with these multiple organizations and devices in mind.
Current Solution:
The user must authenticate with the organization name and password. This is done over HTTPS with basic auth. After that the user is given a token that ember stores and is used for each subsequent request. Since there are multiple devices multiple API tokens can be associated with an organization. Rails uses the token to get the organization id with every request so the url /members only outputs the members related to the organization the token belows to. Thoughts on this?
Requiring every restful resource to be started with organization/id/resource seemed insecure and unwieldy to me so that is why I chose my current solution.
A Better Way?
What is a better way of doing this? Should I give each organization a subdomain and pass that back along with the token and use the token only for security and the subdomain for identifying the organization? Or should I just stick with organization/id/resource?
You are right, the token itself should not contain any "organization" part - it's insecure, as well as adding subdomain in the way you've proposed.
Instead of that you can add Organization field to the Token object (or table - depends on how you track tokens). Once you received the token you're able to get the Organization.
There's a subset of users which will not have access to the system I'm implementing in the beginning but I need a mechanism for them to capture data for one specific part of the process.
An authorized user creates the original record for a Person with some basic details i.e. First name, last name etc.
I then create a 'DataRequest' record which has a unique guid and the external user is sent an email with a path which is effectively http://sampleapplication/Person/Complete?guid=xxxx
The external user adds additional details like Date of Birth, Eye colour etc, submits and saves to the DB. The DataRequest for that guid is then expired and cannot be accessed again.
The Complete action doesn't have any authorization as these external users do not have user accounts.
My preference is to force these users to use the system but at this stage I'm not sure it's practical.
Is this a bad practice?
Should I be implementing some additional security on this like a one time password / passcode contained in the email? Are there alternative approaches I should consider?
There's nothing wrong with opening up a section of your site to the public. Tons of websites have secured and unsecured sections. However, there's also nothing saying that you have to expose your secure site at all. You can create another site that merely has access to that change those records and make that site alone, public.
As far as securing the information of the user, passcodes by email are the invention of some developer somewhere with limited mental ability or a severe lack of sleep. If the link is only available by email (not discoverable by search engines and not easily guessable), then anyone with the link will also have the passcode, making the passcode to access the link redundant.
You should however log when the email is used to finish the record and then disallow further uses.