So I am using LDAP for authentication however we have an external developer (customer who contributes to the code) which i wish to give access to the git repos but also the web ui interface. Can this be done without adding them to ldap?
I tried the create account cmd but that does not work.
Is it possible to create a user for web ui that does not use LDAP authentication if you set it as the authentication?
Shawn Pearce answered the same question here on the Gerrit Discussion list and indeed the answer is no.
No. When you use ldap authentication, all web users must be in ldap.
You could create a restricted LDAP account and let the developer change his email in gerrit settings. So he will get every notification to his own Inbox.
Related
I have an application that authenticates users via Google Oauth. When I click Signup button, a signup screen would pop up as shown in the figure below.
The problem is that I want users to signup emails with domain name of my organization. Specifically, the username suffix should be #my_organization.com instead of #gmail.com as displayed in the figure. I have tried to modify the Oauth Consent Screen but there seems to be no option to configure this.
as you mentioned the "Sign in with Google" is for login purposes through OAuth protocol when the accounts already exists in an organization, I am afraid this is not intended to delegate user creation since this is a task only domain administrators are allowed within an organization.
The most you can achieve from OAuth is to force the sign in with an specific domain; you can do this by modifying the "hd" parameter in the authentication request you are sending using the Google's OAuth 2.0 API. Here you can check on this topic: click here
As mentioned above, if you are looking to create user accounts with a specific domain you need to be an administrator in a Google Workspace account.
I hope this information helps!
You can only use oAuth with registered Google accounts.
With Google Workspace you can use a domain in your Gmail, see.
But if that's not possible and you want a quick way to authenticate, maybe Auth0 or similar tools can help.
I want to create a way for someone who visits my site (hosted in Azure), to be blocked by a page that asks for a username and password that I can distribute. Once entered they will see my site! Is this done with Azure Active Directory? If yes, can anyone point me to a tutorial, I can't seem to find anything useful.
Thanks for any help!
App Service allows us to use different authentication providers, Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We could enable the Authentication/Authorization on from Azure portal. For more information, please refer to this and this tutorial.
I am working on managing user access to workspaces via the API. [Cleaning inactive users], and am running into issues where I can authenticate the user, but don't have a way to check if the user is a workspace admin.
This becomes an issue because I am authenticating the user, and then managing users in a later step. I would like to show an error when the user authenticates if they are able to manage users on the chosen workspace.
Any ideas?
There currently is not an endpoint to determine if a user is an admin. I do think this would be helpful, and I will surface it with our API team.
There are endpoints that can only be accessed by admins, such as user management. Unfortunately, I don't think this solves your requirements.
Currently using the Provisioning API that is being depreciated April 20.
This is the current flow:
user (University Alumni) gets to our site http://alumni.columbia.edu/email
they click on Create My Account
they authenticate through our university WIND system using what we call their UNI
they land on a page mentioning that an email account UNI#caa.columbia.edu is ready to be created. They can pick an alias to UNI. They also need to enter a password to use the Chat and POP-mail features of Gmail.
they confirm the creation of the account. At this point the API is being called using https://www.google.com/a/feeds/, some data (email address, name, id) being saved in our database.
To log in, they come through our site, click on the login button, this will use the SSO and they get logged in.
Based on the flow above, do I need to use OAuth2.0?
Yes, you will need to authenticate with OAuth using the Installed Applications approach to do this. Instead of step 5 the way you currently have it, you'll need to call the API from a process on your server with an account that has (limited) admin credentials that can create the account with the Directory API. To do this, you'll need to persist the OAuth token information that the account will use to connect, and handle the code to refresh the token when it has expired.
The first time you run your code you'll need to manually authenticate that account to get your application the appropriate permissions so that they can be stored.
If you're hoping to not go too crazy with handling the authentication side of things and you're using .Net, I'd recommend checking out my project gShell that acts as a wrapper for the authentication and handles the token storing and refreshing for you. It's still a young project but it should fit your needs. Alternately, feel free to browse the code for an example on what to do.
If you plan on using Python, check out Google Apps Manager by jay0lee which is also a wonderful resource.
I am using Dotnetopenid for login.
I am logs in my application by using dotnetopenid provider suppose google.
At the time of logout I am ending the my application user's session by FormsAuthentication.SignOut(); but if I am not closing the browser and logs in using google it will not ask me for id-password and land me on secured page of my apllication.
Also, if i will try gmail.com it will directly lands me user account without asking id-password.
So how could I logout completely from my application and google too ?
thanks in advance
I think you are mistaking the Relying Party and the OpenID Provider. Using StackOverflow as an example, SO is the Relying Party and other sites (e.g. Google) are the OpenID Provider(s).
The Relying Party (e.g. SO) has no say in when the OpenID Provider (e.g. Google) chooses to "forget" the user for their own purposes.
EDIT: I was not familiar with the PAPE extension. However, if I understand correctly, it does not provide a way for the RP to say to the OP, "On your end, forget this user's authentication", which is what I think rehan wants. It just provides a way for the RP to demand another authentication for the RP's purposes.
I still see no way for (e.g.) SO to log a Google user out of Gmail after SO logs them out.
It sounds like what you're looking for is a Logout feature that will allow the relying party to also log the user out of the Provider at the same time.
DotNetOpenId doesn't offer this feature because OpenID itself doesn't have this feature in its spec. There's simply no way to do it right now. The OpenID community have had conversations about spec'ing out such a feature, but so far it's not there. If and when OpenID adds such a feature to its spec, DotNetOpenId will add support for it.
i had the same issue. So tried this.....when i logged out of my website which uses dotnetopenid, i also made a call to the following gmail logout link https://mail.google.com/mail/?logout&hl=en. This logged me out of gmail also.
https://www.google.com/accounts/Logout
try this one....