I'd like to use Google+ OAuth2 in my iOS application and I'm going to use the iOS native library provided by Google (API: https://developers.google.com/+/mobile/ios/api/), but the app is to be developed for company internal use and I'd like to restrict G+ OAuth2 to the corporate domain (the company has a Google corporate domain already).
So, is there a way to limit the list of Google accounts for a user signing in to the accounts in the corporate domain only, e.g. mycorpodomain.com?
I couldn't find that possibility in API doc.
The quick solution is to parse the user's email address upon return and validate that it uses the whitelisted domain.
I am creating an iOS app for internal use. We have a Google Domain. As part of the functionality of the app, I want to be able to search for all users in that domain. This can already be done in Gmail, the Apple Mail app, and others.
I found that you can use the Admin SDK for users.list to do exactly what I want to do. I created a Client ID for the iOS app and authorized my app to perform users.list.
However, now I get a permissions error for users who sign in with OAuth2:
I found that you can create a service account to make API requests on your behalf if you delegate it to have the authority. I'm not sure if this is what I want to do since this seems more like something for a secure server to do rather than an app. I'm also not sure how this integrates with a user (from our domain) who signs in with OAuth being able to list our users.
Is it possible to list/search the users in a Google domain purely through OAuth / frontend app?
Aside from caching your own list, I think there are two ways to give users the ability to list all users:
A. Undocumented call to this GAL API:
https://www.google.com/m8/feeds/gal/your-domain-goes-here/full?alt=json (source). You can test this in the Google OAuth Playground by selecting the scope for the Contacts V3 API or using the string https://www.google.com/m8/feeds/.
B. In the Admin console, create an "all users" group. Assign to a newly created Admin Role. Grant the admin role "read" in Privileges > Admin API Privileges > Users > Read (checked).
I'm using Jenkins' Google login plugin for user authentication. I've installed and configured the plugin as mentioned in the documentation and it is working as well. However, users from only one Google Apps domain can log in to Jenkins and access it (jira link). We have users from a couple of domains. Another issue with this plugin is that it is not able to control user authorizations: all users can do anything. I've attached a screenshot showing the Jenkins Google login plugin configuration.
Is there any workaround or alternative for this?
Since version 1.3 (November 21st, 2016) the Google login plugin allows multiple domains separated by commas.
Check the changelog:
https://wiki.jenkins.io/display/JENKINS/Google+Login+Plugin
And the PR:
https://github.com/jenkinsci/google-login-plugin/pull/3
According to Google Cloud Platform that's not possible and the only suggestion is to set "Allow anyone with a Google account" if you are using multiple domains:
Understanding authentication for your end-users
...
Allow only members of a Google Apps domain to access the application. This is ideal for “intranet” applications where access is limited to the users in your domain.
This method can only restrict to a single Google Apps domain. This will not work if you use multiple domains with Google apps. If you are using multiple domains, then select “Allow anyone with a Google account” and extend your application code to restrict access to end-users that are from your set of Google Apps domains. Your application can use the value of the user_organization of the signed-in user (rather than parsing the email address) to determine the domain name of the user.
Also, this issue is already registered in https://issues.jenkins-ci.org/browse/JENKINS-32536 and it is still Open and Unresolved
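The check described in two places above, the "validate the email's domain on return" answer to the first question and Google's own advice to use the organization value rather than the address when several domains are involved, as one added example. This is not code from any answer in this thread. It assumes the `claims` dict came from a Google ID token whose signature and audience were already verified (for example with the google-auth library's `id_token.verify_oauth2_token`); in that token the organisation's domain is the `hd` claim, which is present only for Google Workspace (Google Apps) accounts. The two domains in `ALLOWED_DOMAINS` are placeholders.

```python
from typing import Iterable, Mapping, Optional

# Constructed allowlist for this example; put your own Google Workspace domains here.
ALLOWED_DOMAINS = frozenset({"mycorpodomain.com", "example.edu"})


def email_domain(email: str) -> Optional[str]:
    """Domain part of an address, lower-cased, or None if the address is malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def account_domain(claims: Mapping[str, object], require_hd: bool = True) -> Optional[str]:
    """Domain the signed-in Google account belongs to, or None if it cannot be established.

    `hd` is set only for Google Workspace (formerly Google Apps) accounts and is
    the value to prefer over parsing the address. Consumer @gmail.com accounts
    carry no `hd`, so with require_hd=True they are rejected outright.
    """
    hd = claims.get("hd")
    if hd:
        return str(hd).lower()
    if require_hd:
        return None
    # Fallback for deployments that only have an address. Never trust an
    # unverified address: anyone can register an account claiming one.
    if claims.get("email_verified") is not True:
        return None
    return email_domain(str(claims.get("email", "")))


def is_allowed(claims: Mapping[str, object],
               allowed: Iterable[str] = ALLOWED_DOMAINS,
               require_hd: bool = True) -> bool:
    """True if the account belongs to one of the allowlisted domains.

    Exact, case-insensitive match only. endswith() or substring checks would
    accept lookalikes such as mycorpodomain.com.evil.net or evilmycorpodomain.com.
    """
    domain = account_domain(claims, require_hd)
    return domain is not None and domain in {d.lower() for d in allowed}


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded, already-verified ID tokens.
    samples = [
        {"hd": "mycorpodomain.com", "email": "alice@mycorpodomain.com", "email_verified": True},
        {"email": "mallory@gmail.com", "email_verified": True},
        {"hd": "mycorpodomain.com.evil.net", "email": "x@mycorpodomain.com.evil.net", "email_verified": True},
    ]
    for claims in samples:
        print(claims["email"], "->", "allowed" if is_allowed(claims) else "rejected")
```

Apply the check on the server (or in the app, for a purely client-side flow) after every sign-in, not only at account creation. The `hd` parameter on the authorization request only steers Google's account chooser; nothing prevents a user from picking another account, so the check on the returned token is what actually enforces the restriction.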
I'm trying to create a web service for my college, which uses Google Apps for Education. We have our own themed login page. I was wondering if it's possible to use OAuth/OpenID to use our Google Apps account to log in. I know when I use generic OAuth, I can enter the school email address and force it to take the Google Apps domain, but is there a way to redirect to it directly?
You can use the hd parameter in the OAuth request to specify a Google Apps domain to log in through. I believe the Apps domain needs to have the option enabled and/or be a paying domain, but I am not certain about this part.
Example URL
https://accounts.google.com/o/oauth2/auth?access_type=offline&hd=DOMAIN.COM&response_type=code&redirect_uri=http%3A%2F%2Flocalhost&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&client_id=CLIENT_ID&type=web_server
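The same authorization request built programmatically, as an added example rather than code from the answer. Hand-assembled URLs are easy to get wrong (a parameter name dropped, a scope left unencoded), so the parameters go through `urlencode()`, and the redirect back is checked against a per-session `state` value before the code is used. The endpoint is the one from the answer's URL; `CLIENT_ID`, `DOMAIN.COM`, the redirect URI and the sample callback are placeholders.

```python
import secrets
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint taken from the answer's example URL; every other value is a placeholder.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def new_state() -> str:
    """Unguessable value stored in the user's session and echoed back on the callback."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id: str, redirect_uri: str, scopes: List[str],
                   hd: str, state: str, access_type: str = "offline") -> str:
    """Authorization request URL with hd set; urlencode() percent-encodes each value."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": access_type,
        "hd": hd,        # steers Google's account chooser to this Google Apps domain
        "state": state,  # verified on the callback before the code is exchanged
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def query_params(url: str) -> Dict[str, str]:
    """Single-valued view of a URL's query string (helper for inspecting the URLs above)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Authorization code from Google's redirect, released only after the state check.

    A missing or different state means this redirect was not started by the
    current session (for example a login-CSRF attempt), so the code is refused.
    """
    q = query_params(callback_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in q:
        raise ValueError(f"authorization refused: {q['error']}")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"]


if __name__ == "__main__":
    state = new_state()
    print(build_auth_url(
        "CLIENT_ID", "http://localhost",
        ["https://www.googleapis.com/auth/userinfo.email",
         "https://www.googleapis.com/auth/calendar"],
        "DOMAIN.COM", state))
```

`hd` here is a hint to the login page, not an access control: after the code is exchanged, the returned account's domain still has to be checked on the server side.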
In general, what's the best practice to authenticate a user via 3rd party (say Twitter) using iOS's ACAccountStore and then tie it to an existing user in my own service assuming that they were logged in already? Can I access and store the account credentials remotely over ssl, or is there a better way?
And if they had to re-login via Twitter, I could just search for the user with that twitter handle to know what backend user is tied to this account, yes?
And lastly if I wanted to be able to login via a browser later on, I would get new oauth credentials for the webapp as well, but could search for a user with the same Twitter account info and store these credentials as well, and know that they all refer to the same person, correct?
What you're asking involves many levels of a system "stack" that are custom to a particular environment. What is "correct" vs "incorrect" is dependent upon the environment you've set up and are connecting to from your iOS app.
So from what it sounds like you're leveraging iOS's Twitter functionality to create a Single Sign On (SSO) experience. There are several guides on Twitter's site for doing what you want to accomplish:
Integrating with Twitter on iOS: Single Sign On
Using Reverse Auth to Get OAuth Tokens on iOS - you can then store these server-side
Migrating tokens to system accounts - how you get OAuth tokens from your webapp to iOS.
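The account-linking question above (tie a Twitter identity obtained on iOS to an existing backend user, recognise the same person on re-login and again from the web app) as an added example; it is not from the question, the answer or Twitter's guides. It is an in-memory stand-in for the service's own user and credential tables, constructed for illustration. It keys identities on the provider's stable numeric user id rather than the handle, because a Twitter screen name can be changed and re-registered by someone else while the numeric id cannot, and it assumes the server has already confirmed the identity with Twitter using the reverse-auth token the client submitted, rather than trusting a user id posted by the client.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class BackendUser:
    user_id: int
    # Provider tokens kept per (provider, client). The iOS app's reverse-auth
    # token and the web app's token are separate credentials with separate
    # lifetimes, so one being revoked does not take the other down with it.
    # In a real service these would be encrypted at rest.
    tokens: Dict[Tuple[str, str], dict] = field(default_factory=dict)


class IdentityLinks:
    """Constructed in-memory stand-in for a users table and an identities table."""

    def __init__(self) -> None:
        self._users: Dict[int, BackendUser] = {}
        # (provider, provider_user_id) -> backend user id. The stable numeric id
        # is the key, never the handle.
        self._links: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def create_user(self) -> BackendUser:
        user = BackendUser(self._next_id)
        self._users[user.user_id] = user
        self._next_id += 1
        return user

    def link(self, user_id: int, provider: str, provider_user_id: str,
             client: str, tokens: dict) -> BackendUser:
        """Attach a provider identity (already verified with the provider) to a backend user.

        Refuses to move an identity that is already bound to a different user;
        allowing that is how an attacker would take over an account by linking
        the victim's identity to their own.
        """
        key = (provider, provider_user_id)
        owner = self._links.get(key)
        if owner is not None and owner != user_id:
            raise ValueError(f"{provider} identity {provider_user_id} is linked to another user")
        user = self._users[user_id]
        self._links[key] = user_id
        user.tokens[(provider, client)] = tokens
        return user

    def user_for(self, provider: str, provider_user_id: str) -> Optional[BackendUser]:
        """Backend user behind a provider identity, for when the user signs in again."""
        user_id = self._links.get((provider, provider_user_id))
        return self._users.get(user_id) if user_id is not None else None


if __name__ == "__main__":
    links = IdentityLinks()
    alice = links.create_user()
    # Constructed token material; a real reverse-auth response carries the same two fields.
    links.link(alice.user_id, "twitter", "12345", "ios",
               {"oauth_token": "t-ios", "oauth_token_secret": "s-ios"})
    links.link(alice.user_id, "twitter", "12345", "web",
               {"oauth_token": "t-web", "oauth_token_secret": "s-web"})
    print(links.user_for("twitter", "12345"))
```

Sending the tokens from the device to the backend over TLS is fine; what matters is that the backend checks them with Twitter before calling `link()`, and that the Twitter-to-user mapping is looked up by id on every sign-in rather than re-created from whatever the client claims.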
I want to create a web application that will link up a student's Facebook, Twitter and Orkut accounts all under one shed. It's like connecting all the students within a college: to log in to the web app, the user ID will be the unique student ID provided by the college itself.
Now, once a student has logged in, he can open his Facebook, Twitter and Orkut accounts in the same window, let's say under tabs. How can I do that?
I mean, how can I pass a student's Facebook user ID and password to the Facebook server and, if user authentication is done, show the student his Facebook wall?
I am very confused and don't know how to deal with this.
Storing usernames and passwords is not a very good idea. Neither Facebook nor Twitter supports it through their API.
For Facebook integration use the Open Graph protocol with any SDK that Facebook provides, like the JavaScript SDK. Mogli is a Ruby wrapper for the Open Graph API.
For Twitter, there are multiple options like John Nunemaker's Twitter gem. Use that to talk to Twitter API.
Ultimately, it comes down to the architecture of your application. You can start by creating models like 'FacebookConnection' or 'TwitterConnection' and linking them to your 'User' model.
Solving it is easy: just make the link open Twitter/Facebook. If they are signed in there already, their homepage will show; otherwise they will be prompted to enter their user/pass.
To integrate your application with those platforms, each platform has its own API and connect method; with this you won't need the user's password to be stored in your app. Instead you will, with Twitter as an example, create a Twitter application that communicates with Twitter's API, and then redirect the user to Twitter asking Twitter to grant your application some access to the signed-in user's account, almost the same as when you sign in with your Google account here on Stack Overflow.
To do the communication with each of those platforms, refer to the API/Connect documentation they provide and implement it in your web application. Don't reinvent the wheel; most of the communication functionality will already be coded in an easy-to-use library, whether for Ruby on Rails or most other development frameworks/languages.
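What "talking to Twitter's API with the access the user granted" looks like underneath the libraries the answers recommend, as an added example that is not part of any answer: an OAuth 1.0a HMAC-SHA1 request signature, which is how a Twitter app authenticates each request with the consumer key and the user's access token instead of the user's password. The consumer key, secrets, token, nonce, timestamp and status text are constructed placeholders; the endpoint is Twitter's 1.1 status-update URL. The base-string construction (encode, sort, join, encode again) is where hand-rolled implementations usually go wrong, so it is kept as a separate function.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="~")


def signature_base_string(method: str, base_url: str, params: Dict[str, str]) -> str:
    """Method, URL (scheme, host, path only) and the normalized parameters, each encoded again.

    Keys and values are encoded first, then sorted by encoded key, joined with
    '=' and '&', and the whole parameter string is encoded once more.
    """
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, base_url: str, params: Dict[str, str],
         consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string. The key is both secrets joined by '&'; an
    empty token secret still leaves the '&', which is what the spec requires."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def authorization_header(method: str, base_url: str, body_params: Dict[str, str],
                         consumer_key: str, consumer_secret: str,
                         token: str, token_secret: str,
                         nonce: Optional[str] = None,
                         timestamp: Optional[int] = None) -> str:
    """Authorization header value for one signed request to the provider's API."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),      # fresh per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_token": token,                              # the user's access token
        "oauth_version": "1.0",
    }
    # Form-body (and query) parameters are signed together with the oauth_* ones,
    # so tampering with the request body invalidates the signature.
    oauth["oauth_signature"] = sign(method, base_url, {**oauth, **body_params},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


if __name__ == "__main__":
    # Constructed credentials; real ones come from the app registration and the
    # user's authorization step.
    print(authorization_header(
        "POST", "https://api.twitter.com/1.1/statuses/update.json",
        {"status": "Hello World"},
        "ck", "cs", "tk", "ts"))
```

The token and secret are per user and per app, and can be revoked by the user from Twitter's side, which is exactly what storing their password could never offer.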
Look at Facebook Connect, OAuth (for Twitter) etc. instead of storing passwords.
divs/iframes with some kind of tab control (jQuery?) to handle toggling of what should be visible.