Limiting Sign in with Google to Google Workspace (Previously G Suite) users - google-oauth

Our application has Sign In with Google set up via Supabase. We want users to be able to sign up themselves, but want to limit it to users using Google Workspace who have a custom domain rather than Gmail.
Went through the Google OAuth / Cloud Platform documentation, wasn't able to find any configuration. Is there a direct way of doing this without custom logic? If we were to do it via code, is it as straightforward as checking for gmail.com on the email, or is there any metadata from the Google profile we can use?

You can try this:
Create a new function:
CREATE FUNCTION public.check_user_domain()
RETURNS TRIGGER AS
$$
BEGIN
  -- Reject consumer Gmail addresses; lower() makes the match case-insensitive.
  -- The pattern must use '@', not '#', or nothing is ever matched.
  IF lower(NEW.email) LIKE '%@gmail.com' THEN
    RAISE EXCEPTION 'INCORRECT_DOMAIN';
  END IF;
  RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
Create a new trigger:
CREATE TRIGGER check_user_domain_trigger
  BEFORE INSERT ON auth.users
  FOR EACH ROW
  EXECUTE PROCEDURE public.check_user_domain();
I recorded a short video of how it works on YouTube:
https://www.youtube.com/watch?v=C-HoRO7Wrhg
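The trigger above keys only on the e-mail string. The metadata the question asks about does exist: a Google ID token for a Workspace (or Cloud Identity) account carries an hd claim with the hosted domain, and consumer accounts never have it. The function below is an added example, not the answerer's code or part of Supabase; it assumes the caller has already verified the ID token's signature with a library and passes the resulting claims as a dict, and the allow-list of domains is an assumed input. It rejects consumer domains as belt-and-braces, then decides on the hd claim rather than on the address text.

```python
"""Decide whether a Google sign-in belongs to a Workspace account.

Added example, not from the original answer. Assumes the ID token has
already been signature-verified and `claims` is its decoded payload; the
claim names used (email, email_verified, hd) are Google's standard
ID-token claims. `allowed_domains` is an assumed, caller-supplied list.
"""

# Consumer Google account domains; these accounts never carry an 'hd' claim.
CONSUMER_DOMAINS = frozenset({"gmail.com", "googlemail.com"})


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def workspace_signin_allowed(claims: dict, allowed_domains=None) -> tuple:
    """Return (allowed, reason) for a decoded, signature-verified claims dict.

    Order of checks:
      1. email must be present, well formed and verified by Google
      2. consumer domains (gmail.com, googlemail.com) are rejected outright
      3. the 'hd' claim must be present (Google sets it only for
         Workspace / Cloud Identity accounts)
      4. if an allow-list is given, 'hd' must be in it. The decision keys
         on 'hd', not on the e-mail domain, because a Workspace user may
         sign in with an alias-domain address.
    """
    email = claims.get("email", "")
    domain = email_domain(email)
    if not domain:
        return False, "malformed_email"
    if claims.get("email_verified") is not True:
        return False, "email_not_verified"
    if domain in CONSUMER_DOMAINS:
        return False, "consumer_account"
    hd = str(claims.get("hd", "")).lower()
    if not hd:
        return False, "missing_hd"
    if allowed_domains is not None and hd not in {d.lower() for d in allowed_domains}:
        return False, "domain_not_allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample claims, not real tokens.
    samples = [
        {"email": "alice@example.com", "email_verified": True, "hd": "example.com"},
        {"email": "bob@Gmail.COM", "email_verified": True},
        {"email": "carol@example.com", "email_verified": True},
    ]
    for s in samples:
        print(s["email"], workspace_signin_allowed(s, allowed_domains=["example.com"]))
```

Whichever layer enforces the rule (an app-side check like this one, or the database trigger above), the decision should rest on the verified hd claim; a string match on the address alone lets any non-gmail.com consumer address through.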

Related

Grant Authorization to users with LDAP Authentication

I've set up an LDAP Directory Authentication Scheme on Oracle Apex (v21.1) like this, and created the ACL on my Database:
If I try to test the LDAP Login, it's working (using my firstname.lastname). I replaced the IP Address and the domain name for confidential purposes.
I can connect to my application, but I cannot access it, I can't land on the home page, because I need an authorization scheme based on the groups the users are in.
In my company, there are multiple departments, they each have a group in the Microsoft Active Directory that will give them access to the application, each group is named like this: GRP_Inventaire_Dpt1, GRP_Inventaire_Dpt2, GRP_Inventaire_Dpt3,....
I tried to create an Authorization Scheme based on this tutorial:
https://blog.jonas-hellmann.de/authorization-in-oracle-apex-with-ldap-groups/
I tried to adapt the code of the function as you can see in chapter 2.3 of the tutorial, here's how I did it:
And here's my authorization scheme:
As you can see on the screen, I have to write the exact group name to access my application, but I would like to have the possibility to check if the user is in a group which starts with "GRP_Inventaire_", no matter what department he is in.
Unfortunately, some things already seem weird. Why does the password need to be statically written down in the function? How can I have it dynamically in the function based on the LDAP Authentication Scheme? However, I know that I can use the p_username parameter for the username.
Finally, if I try to connect to my application, I get the error message of my authorization scheme:
To summarize what I'm looking for:
Authorization scheme based on the user logging in
Check if the user is part of a group which starts with "GRP_Inventaire_"
The function needs to have dynamically the credentials of the user connecting
Do not hesitate to ask questions for more details.
Don't you need to check the user's security group with something like this?
DECLARE
  VAL BOOLEAN;
BEGIN
  VAL := APEX_UTIL.CURRENT_USER_IN_GROUP('xxx');
  RETURN VAL;
END;

Amplify + Cognito signup trigger create document in lambda

I am using amplify auth and have a table in documentdb managing user profile information. I want to be able to create a document in dynamodb on signup with the cognitoIdentityId as a field so I can query for it later.
I was hoping I could handle this in a trigger on the cognito pool but I cannot get access to the identity inside my lambda function as it doesn't appear to be on the event.
Is it possible to get access to the id so I can create my document on the trigger or is there a better way to achieve this?

Google Classroom user role through API

I am using Google Classroom to integrate with my .Net web application. I am using the Directory API to create new users in Google. After creating a new user through the Directory API, if I log in to Classroom it asks for the role (Teacher/Student). My doubt is how I can create a new user as a teacher or student through the API. I don't want to give the user the option to log in as teacher or student, I want to declare that at the time of user creation only. How can I achieve this, or is there any other API to give the role through code?
Unfortunately the API currently doesn't support the ability to set the teacher/student option. We are aware of the demand for this feature and tracking it internally.

Getting the E-mail id of user in Bigquery

I am using the BigQuery Java API. For authorization with the BigQuery service, I am using Google OAuth 2.0. My question is: how do I get the e-mail ID of the user who has granted access on the consent screen?
I am not able to find anything related to it. Is it possible to get the e-mail ID of the user?
Can anyone help?
Thanks in advance :)
Just run
SELECT CURRENT_USER()
and this returns the current user's email
You can find this, and more functions in the manual: https://cloud.google.com/bigquery/query-reference
In addition to Pentium10's suggestion, you can also get the user e-mail of the user who ran a particular job / query; it is in the user_email property of the job. You can see this by using bq by doing:
$ bq show --format=prettyjson -j project_id:job_id | grep user_email
Where project_id:job_id are the project and job id for the job you're looking for.
This only works to get the user e-mail if either you are a project administrator or you were the one who ran the job in the first place.
You should be able to get the user's email address as part of the OAuth flow. It looks like it's part of the JWT that you receive during this process:
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
If you're using a language-specific client library, there may be support in that client library for decoding the JWT.

Salesforce Tooling API - insufficient access rights

I am attempting to create a trigger through the Tooling API. This is being executed within Salesforce and being performed on the same Salesforce org. This is being done in a dev org and the running user is an administrator.
When I create the MetadataContainer it works as expected. When I create the ApexTriggerMember I am presented with the following error:
INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY
Here is some debugging of the process along the way:
The JSON that is sent to create the MetadataContainer
{"Name":"Container 2013-03-08 17:28:06"}
The URL it's being sent to
https://na11.salesforce.com/services/data/v27.0/tooling/sobjects/MetadataContainer/
The response:
{"id":"1dcG0000000PAwZIAW","success":true,"errors":[]}
The JSON that is sent to create the ApexTriggerMember
{"MetadataContainerId":"1dcG0000000PAwZIAW","Body":"trigger TestTrg1 on Account (after insert, after update, before insert, before update) {\n\n}"}
The URL it's being sent to:
https://na11.salesforce.com/services/data/v27.0/tooling/sobjects/ApexTriggerMember/
The response:
[{"fields":[],"message":"insufficient access rights on cross-reference id","errorCode":"INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY"}]
Any help is greatly appreciated.
I just tried the same thing but via the SOAP version of the Tooling API.
It worked fine if I specified the ApexTriggerMember.ContentEntityId as an existing Trigger Id (key prefix 01q). Of course, this is updating an existing trigger rather than creating a new trigger.
If I didn't set the ContentEntityId I get exactly the same error you do. "insufficient access rights on cross-reference id" (StatusCode.INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY)
The documentation says (my emphasis):
ContentEntityId
Type: reference
Properties: Create, Filter, Group, Sort
Description:
A reference to an Apex trigger.
There can be only one ContentEntityId per ApexTriggerMember,
otherwise, an error is reported.
This field is required.
So the field is required, but we don't have an Id to assign to it yet...
Note, I've asked a similar question on the dedicated Salesforce StackExchange - How do I use the Tooling API to create a new Apex Trigger?