With an AWS Cognito User Pool, there is:
"Self Service Sign-up"
Can I interject an administrator approval after the email is verified but before the account is approved/active?
Or if I check Self Service Sign Up off, is there a way to send an email verification, get this confirmed, and then require an administrator to approve the account?
Please pardon the broad question.
Thank you for your time.
Related
can GMAIL API be used for sending out account verification when registering to a site?
I plan to use it for email registration , verification, forgot password for transactional use
Yes it can but you may not want to unless you are using Google workspace.
To send an email using a standard google gmail account you will need to use Oauth2 and authorize the user who owns this account. Using Gmail scopes with an Oauth2 will require your application go go though a security audit. This audit is expensive and time consuming. Its up to you to decide if this is worth it or not.
You could go though the SMTP server and use something called an Apps password to authorize it. This solution would work but, google is shutting down unsave apps now and i fear that apps password will me next. If it is your only option then would be to use Xoauth2 with smtp. Which again may require that you verify the app.
If you do have a google workspace account then you could set up domain wide delegation to a service account allowing it to impersonate a user on your workspace domain. This solution would work without any issues. It would be optimal in my opinion.
I am new to Cognito, so I'm sure the answer to this will be very obvious to most readers.
I want to restrict access to my app so that certain Google accounts can access it.
I have configured Google as an external identity provider in Cognito, and the sign-in works insofar as anyone with a Google account can sign in with Cognito and access the app.
How would I go about having Cognito check the email address associated with the Google account of the person trying to sign in and only letting them access the app if their Google account is authorized, and denying them if they don't have permissions?
I think this is a quick answer, I am just at a loss when it comes what words to search in order to find help.
You can use a pre-sign up lambda. Pre sign up lambda is triggered just before AWS Cognito signs up a new user, so you can add custom verification methods in pre-sign up lambda and accept the registration if you verified the user and deny registration if the verification is failed.
You can read more about pre-sign up lambda here : Pre-sign up lambda
You could use the Cognito Lambda triggers to check the user attributes of the google user when signing in like email and then authenticate or fail authentication depending on the email of the user. You will have to mess around with which trigger to use but that could work.
I want to aggregate my clients' ad account into my business account automatically.
The client is already logged in via oauth2 process in my website and grant the permissions, ["ads_read", "ads_management", "manage_pages"].
I'm succeeded to request access for the client using the endpoint POST /<business_id>/client_ad_accounts.
Request image in the client Ad account setting page:
And, There is a problem.
I want to accept this request programmatically using the client's ACCESS_TOKEN.
POST /act_<client_ad_account_id>/agencies
-d "business=<my_business_id>&access_token=<client_access_token>"
But, I have a error message (#10) Ad account <client_ad_account_id> must be managed by a business account to approve agency access.
Is it possible to accept this request programmatically? If that's possible, what should I do?
self answer: Connect client page to the client's business account and add permission business_management. Then, everything works fine.
According to the docs, Google Apps domain administrators can grant service accounts domain-wide authority to access user data on behalf of users in the domain. My understating is this gives service account authority to access data for all users inside the domain. Is there a way to restrict which users service account has access to?
For example, an application that uses Google Calendar API to view events from the calendars of specific list of users in a Google Apps domain.
Can google apps administrator authorize application for access to some but not all users?
Thanks
The answer was to publish an app in Google Apps Marketplace. An app can be turned ON for everyone or some specific organization unit. See Turn a Marketplace app on or off for users. Organization Unit is how you can control who in organization has access to your app.
If you're an administrator, yes. You can control who uses any particular Google service from their account. Just turn the service on or off for those people in your Google Admin Console. When users sign in to their account, they see only those services that are turned on for them.
To delegate domain-wide authority to a service account, first enable domain-wide delegation for an existing service account in the Service accounts section of the Developers Console Permissions page or create a new service account with domain-wide delegation enabled. Your application has the authority to make API calls as users in your domain(to impersonate users).
Here's a useful material for Delegating domain-wide authority to the service account:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I have developed and published a simple Marketplace App needing access to all members of a domain. I followed the Google Instructions (see http://goo.gl/XvczDQ) and created a service account (for domain-wide delegation of authority). Everything is working if I access the users from my own company / domain.
But it is not clear to me what happens if an administrator from a different company installs the app from the Google Marketplace. How can I access the users in the client's domain and how works the service account approach there? What are the further steps?
I figured it out myself. Provided that the service account is correctly configured with the required scopes: All you have to know is the client's administrator email and the domain. Usually you can get this with the setup url in your marketplace app.
Then you have to set the service account user to the administrator's email before you request an access token. That worked for me.
When the admin installs the app, he grants you the authorization to use the service account to impersonate his users.
You can also list the users using the Directory API if you need the complete list of users. Note that you will need to have the relevant Directory API scope in your marketplace app configuration and you will need to impersonate an admin user.