Using o-auth login on google apps domain - oauth-2.0

I'm trying to create a web service for my college, which uses Google Apps for education. We have our own themed login page. I was wondering if its possible to use oauth/ openID to use our Google apps account to log in. I know when I use generic oauth, I can enter the school email address and force it to take the Google apps domain, but is there a way to redirect to it directly?

You can use the hd parameter in the oauth request to specify a google apps domain to login through. I believe the apps domain needs to have the option enabled and/or be a paying domain, but I am not certain about this part
Example URL
https://accounts.google.com/o/oauth2/auth?access_type=offline&DOMAIN.COM&response_type=code&redirect_uri=http%3A%2F%2Flocalhost&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&client_id=CLIENT_ID&type=web_server

Related

Gmail API OAUTH2 verify Desktop application

At work we have developed an individual customer specific software application that is in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and login through our program. For Microsoft and Gmail accounts OAUTH is implemented and something here is not very clear.
For Gmail-API we have made an OAUTH Client and Consent screen on Google Cloud Console which we need to publish and verify and here is where the problems start. I am not very clear with the whole process of verifying the app.
In the steps for verifying is stated that we should verify a domain for the app, but this software is not hosted anywhere on internet and is not publicly available, it is available to a number of specific users (2000-3000).
Also Google requires a YouTube video of the software to be available publicly, which we are not able to upload because of customer requirements. Also here is required a Data Protection Policy page for the application which we as a developers don't have because we are only developing the software.
Other thing that is not clear to me, how is this type of software rated by Google, internal or public?
Have anyone experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email so you are using the users.messages.send method from the Gmail api. This uses a restricted scope. Which means you will need to go though the full process.
First of it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via google search console. So this app will need a domain
Once that is done you will be able to host your website, and the privacy policy on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third party security checkup of your application which is not free and will need to be done once a year.
All of this is needed because of your consent screen it doesn't matter if its hosted any where, It also doesn't matter if this is only available to specific number of users.
If all of the users are part of a single google workspace account, that has created your client id and client secrete then you can set the app to internal and you wont need to be verified. This only works for google workspace domain accounts.

How to limit Google+ OAuth2 with iOS API to one only domain?

I'd like to use Google+ OAuth2 in my iOS application and I'm going to use iOS native library provided by Google (API: https://developers.google.com/+/mobile/ios/api/) but the app is to be developed for company internal use and I'd like to restrict G+ OAuth2 to the corporate domain (the company has Google corporate domain already).
So, is there a way to limit a list of google accounts for a user signing-in to the accounts in corporate domain only, like e.g. mycorpodomain.com?
I couldn't find that possibility in API doc.
The quick solution is to parse the users email address upon return and validate that it uses the whitelisted domain.

How would I tie a user auth'ed by 3rd party provider via ACAccountStore to a backend user obj in the cloud?

In general, what's the best practice to authenticate a user via 3rd party (say Twitter) using iOS's ACAccountStore and then tie it to an existing user in my own service assuming that they were logged in already? Can I access and store the account credentials remotely over ssl, or is there a better way?
And if they had to re-login via Twitter, I could just search for the user with that twitter handle to know what backend user is tied to this account, yes?
And lastly if I wanted to be able to login via a browser later on, I would get new oauth credentials for the webapp as well, but could search for a user with the same Twitter account info and store these credentials as well, and know that they all refer to the same person, correct?
What you're asking involves many levels of a system "stack" that are custom to a particular environment. What is "correct" vs "incorrect" is dependent upon the environment you've set up and are connecting to from your iOS app.
So from what it sounds like you're leveraging iOS's Twitter functionality to create a Single Sign On (SSO) experience. There are several guides on Twitter's site for doing what you want to accomplish:
Integrating with Twitter on iOS: Single Sign On
Using Reverse Auth to Get OAuth Tokens on iOS - you can then store these server-side
Migrating tokens to system accounts - how you get OAuth tokens from your webapp to iOS.

need help with redirection

I want to create an web application that will link up a student's facebook, twitter and orkut accounts all under one shed. Its like connecting all the students within a college, to login into the web app, the userid will be the unique studentID provided by the college
itself.
Now, once a student has logged-in, he can open his facebook, twitter and orkut a/c in the same window, lets say under tabs. How can i do that??
I mean how can i pass a student's Facebook's user-id and password to facebook server and if user authentication is done, then show the student his facebook wall.
I am very confused and don't know how to deal with this.
Storing username and passwords is not a very good idea. Neither Facebook nor twitter supports it through API.
For Facebook integration use the OpenGraph protocol with any SDK that Facebook provides, like Javascript SDK. Mogli is a ruby wrapper for OpenGraph API
For Twitter, there are multiple options like John Nunemaker's Twitter gem. Use that to talk to Twitter API.
Ultimately, it comes down to the architecture of your application. You can start by creating models like 'FacebookConnection' or 'TwitterConnection' and linking them to your 'User' model.
Solving it easy, just make the link open twitter/facebook. if they are signed in there already, their homepage will show, otherwise they will be prompted to enter user/pass.
To integrate your application with those platform, each platform got it's API and connect method, with this you won't need the user password be stored in your app. You instead will, twitter as an example, create a twitter application that communicate with twitter's API, and then redirect the user to twitter asking twitter to grant your application some access to the signed in user account, almost the same as you will sign in with your google account here on stackoverflow.
To do the communication with each of those platform, refer to the API/Connect documentation they provide and implement it in your web application. Don't reinvent the wheel, most of the communication functionality will be already coded in an easy to use library, whether for rubyonrails or most other development frameworks/languages.
look at facebook connect, oath (for twitter) etc instead of storing passwords
divs/iframes with some kind of tab control (jQuery?) to handle toggling of what should be visible.

How to use OAuth in Coldfusion application?

I want to authorize my web-application for all users landing on it with a common google account. I am using google Document List API and want other users to get authorized by the common google account whenever they want to access the document.
Thanks
OAuth only connects your application to the target authenticator (Google). You would still need your application to proxy for the end user, your application cannot create a direct connection between Google and the end-user.
That said, http://oauth.riaforge.org/index.cfm is pretty easy to use. I used it to connect to a third party application from mine and, once I figured out the basics of OAuth, it was pretty easy. I then wrote a wrapper for all the internal functions to ease integration.
So, the OAuth package at RIAForge will make it pretty easy to authenticate your application to Google, but will not create a direct line between Google and your end-user.

Resources