I’m looking for a way for admin to approve third party app for all users in org through OAuth.
Basically I wonder how to get to this state
I tried using different scopes such as drive, group and calendar but can’t figure out how to request admin to approve for all users.
Related
I'm planning on building a G suite integration with my existing SaaS site.
I want Gsuite admins to allow access for their organisation. So I only want "domain install" possible.
After this has been done users can be imported from Google into our application. Users should be able to use SSO to login but I don't want each user having to pass the consent screen.
I also want the app to have readonly access to the calendar of the user.
What is confusing for me: do I need to create a regular web app integration or a Service account integration? I don't really need offline access but I want to avoid all users having to grant access individually.
Here it says: The user sees the OAuth Consent screen only once; if you’re using a service account to allow a domain admin accept terms on behalf of the domain users, then the end users must never see the OAuth consent screen.
So does that mean only service accounts allow this?
Yes, using a service account you can install and authorize one app for all your domain user impersonating the admin account. In such a way, your users won't have to authorize the app individually.
You will have to enable domain wide delegation in order to impersonate the admin account when using a service account.
Reference
Service Account
My client wants to build an website app that allows customers to link their Xero account to the website so that certain actions such as create/manage employees can be updated in the website and also pushed to the respective user's Xero account.
I've been through the basics of connection to the Xero API and had to create/install certificate and generate Xero keys etc to get both apps talking to each other. This is not a feasible approach for end users of the site trying to connect their Xero account as it requires sharing a key etc that is supposed to be secret.
Is there a way to create a connection using just some sort of Xero key - similar to linking Xero accounts? Or it the case that my client would need to become a Xero Partner and actually create an app that users can install from their Xero account?
The Xero API has a number of different types of applications - sounds like you've set up a private app, which (as you've spotted) is intended for interaction with a single Xero organisation.
To interact with multiple Xero accounts, you'll want to create a public app on https://developer.xero.com/myapps/. This will allow you to send multiple users through the OAuth1.0a auth process, giving you an access token for each account that has authorised your app. You can then persist these tokens and match them to the account in your own web app.
Note that this will give you access to each Xero account for 30 minutes before the user will need to authorise your app again. For long-lasting access tokens, you'll need to register your interest via the link in this page to get information on how to complete this process.
Our clients use Google Apps for Education. We are implementing single sign on from Google Apps to our web application, using Google Apps as the identity provider. Due to the security issues related to working with students, it is not possible to allow students to create accounts in our web application using their Google Apps account. Instead, the user accounts in our application store the Google Apps account name.
So far, we have set up OpenID in Google Apps and it is working. The student enters their Google Apps username and password at the Google prompt, then approves the sharing of their username. The application uses the username to match the existing account so the student is logged into the correct account in our application.
Since our web application is trusted by the school district, we would like to eliminate the step where the student approves the sharing of their username. However, we haven't figured out how to do this. Is there a way to configure Google Apps to trust our web application using OAuth 2.0?
We are thinking that 2-legged OAuth may be the way to go. It is described in this article. Is this the correct approach for what we want to do?
Using 2-legged OAuth with Google Tasks API for Google Apps domain administrators
From what i Read about 2-legged OAuth allowed to access to the user's resources without asking for their permission to do so .
if you want to display for example all events from Google calendar of students if you do it by an ordinary way u will need to ask permission from each student to access to their calendar but by using 2-legged OAuth with Google Apps for Education you don't have to .
you find here link more infos about 2-legged OAuth and comparing it with 3 legged Oauth with an example
So I am creating an application for my google apps domain. It will have its very own google apps account associated with it, from which it can store/retrieve/manipulate data.
The application should use this google account alone and the user should have no indication that it is using a google account. Is there a way to programmatically authenticate my entire application and not prompt the user authenticate/authorize?
I think you are looking for two legged OAUTH.
You can generate a OAUTH token and secret in the control panel of Google Apps and assign the authorized scopes to this token/secret pair. For instance, you can authorize access to the calendar of all users in your Google Apps domain using the token/secret.
You can then programmatically access the calendars of all users.
Because this token/secret is authorized by the Google Apps domain administrator, individual users do not need to grant access anymore. That is why this is called two legged Oauth, whereas three legged Oauth requires user interaction to obtain a token/secret for an individual user.
This question on SO might interest you too.
I was just wondering, I want to associate a Twitter and LinkedIn account with my systems accounts. Which would allow them to post to interact with them without needing to log in to the other systems.
Is there a way to store the social (twitter / LI) usernames and passwords and associate them with my system and vis versa.
E.g. If I login using my native details (email / password) I can access the API features of my social network accounts?
Thanks in advance,
Chris
I can't speak for Twitter, but with LinkedIn you could follow this basic workflow:
Register an 'application' with LinkedIn. Your site will use this application for all communication with the LinkedIn API.
Have the user authorize your site (your application really), to access their account via the LinkedIn API.
Retrieve the user's unique LinkedIn ID, as well as their access tokens, and store those in your user account database, associated with their existing account.
Then, when they return and log in to your site, any calls you need to make to LinkedIn can be done via the stored access token, rather than having to have them manually allow you to have access again.