I've created an app that uses Auth0 for login. I have google-oauth2 enabled for the app. What I would like to do is have a whitelist of approved users who can login but all I see is a Users page where I can block users after they've logged in. Is there a way I can configure Auth0 to restrict Google users (and all users except approved ones). Thanks....
There are a few options that you could use in order to implement what you want:
Using Auth0 Rules. Maybe you can try to create a Rule that check the user's email adress against a whitelist of adresses, and allow only access if the adress exists on the list. Rules docs
Using Auth0 Client Grants. It will allow you to grant access to specific users, based on their userId. Grant Types
Probably you could try to create a Group and assign users to that group and allow just them to log in or using auth0's connection .
You could try to use that method based on email invitation too Email invitation
I have github enterprise configured. I use keycloak for authentication.
Sign up/ login flow is like this,
Users click sign in with SAML from github enterprise.
Then they are redirected to keycloak login page.
Where they can choose github.com for signup.
After successful authentication from github.com users are redirected to github
enterprise.
Now a new user has been created in keycloak with username as of github.com username and email as of github.com email.
But in github enterprise, user's username is created by parsing the first part before the # of email id and user's email id is not getting updated in github enterprise user account even though github enterprise is receiving email id from keycloak.
Users get the following notification, saying them to add one email address.
If an user don't add their email, they don't get email for events like organization invitation, password reset.
This not what i want. I also not what the users to manually add email id to their account.
I want get github enterprise user's username and email to be the same as of keycloak.
How can i achieve this ?
We have extracted saml response from keycloak to ghe by inspecting the /consume request in browser network. When SAML response is decoded (using samltool.io), we identified that keycloak is not sending email attribute to ghe.
Github used the following attributes for updating profile information. So keycloak needs to send attribute in variable specified in this field.
We have found that there is some builtin "Mappers" available in client which can be used for sending some specified predetermined attributes to client applications.
Select your client -> Mappers -> Add builtin. Select the required mappers and click Add.
Open x500 Email and set "SAML Attribute Name" to the variable same as the variable name set on github. Provide some Property and Friendly Name.
Now you will get email address in user's account.
I am using the GSuite Admin SDK, Directory API (https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) to add and list users,
After adding a new user (using this endpoint: https://www.googleapis.com/admin/directory/v1/users) I try and check if that user exists in the user list or not (using this endpoint: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer).
Every time I do these steps I could not find the newly created users, there seems to be a problem with synchronization.
Is there any solution for this without changing the access token?
thnx for the help.
Currently Google Assitant includes an easy way to request non-identifiable information about the user and a detailed flow to authenticate the user on a third party service through OAuth2. What about if all I need is have the user authenticate on Google itself? I tried filling in the account linking flow using Google OAuth2 information, but that seems not to work. If that last thing is supposed to work fluently than that would be enough of an answer.
Context: Users already authenticate only with Google on a related webpage. All I need is to link this already authenticated account with the less-authenticated account on Google Assistant.
Update, 25 Oct 2018:
As of 13 September 2018, there is now a much simpler way to access the user's account if your project uses Google Sign-In. Google Sign-In for Assistant will give you an ID Token with information about the user, including their Google ID, with their permission. This permission can be granted just using voice and is fairly streamlined.
You can combine this with a web- or app-based Google Sign-In to get their permission to access OAuth scopes if you need to access Google's APIs.
Update, 25 Oct 2017:
As of around 4 Oct or 7 Oct, Google has updated their policy (again) to restore language restricting OAuth endpoints that are valid. The terms now include
When implementing account linking using OAuth, you must own your OAuth endpoint
and it appears (from the comments below) that they now check for the Google endpoints to prevent this method from working.
At this point, the only thing you can do is setup your own OAuth2 server.
Original Post:
Broadly speaking, the auth tasks you need to do are in four parts:
Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
Configure the Action for account linking in the action console.
Configure the Actions on Google Integration for your API.AI Agent to indicate that sign-in is required.
When API.AI calls your webhook to fulfill an Intent, it will include an auth token as part of the JSON. You can use this token to make calls to the Google APIs you need.
Configure Cloud Project
You need to configure your cloud project so that it has access to the Google APIs you need and setup the OAuth2 Client ID, Secret, and Redirect URI.
Go to https://console.cloud.google.com/apis/dashboard and make sure you have the project you're working with selected. Then make sure you have the APIs you need enabled.
Select the "Credentials" menu on the left. You should see something like this:
Select "Create credentials" and then "OAuth client ID"
Select that this is for a "Web application" (it is... kinda...)
Enter a name. In the screen shot below, I used "Action client" so I remember that this is actually for Actions on Google.
In the "Authorized Redirect URIs" section, you need to include a URI of the form https://oauth-redirect.googleusercontent.com/r/your-project-id replacing the "your-project-id" part with... your project ID in the Cloud Console. At this point, the screen should look something like this:
Click the "Create" button and you'll get a screen with your Client ID and Secret. You can get a copy of these now, but you can also get them later.
Click on "Ok" and you'll be taken back to the "Credentials" screen with the new Client ID added. You can click the pencil icon if you ever need to get the ID and Secret again (or reset the secret if it has been compromised).
Configure the Action Console
Once we have OAuth setup for the project, we need to tell Actions that this is what we'll be using to authenticate and authorize the user.
Go to https://console.actions.google.com/ and select the project you'll be working with.
In the Overview, make your way through any configuration necessary until you can get to Step 4, "Account Linking". This may require you to set names and icons - you can go back later if needed to correct these.
Select the Grant Type of "Authorization Code" and click Next.
In the Client Information section, enter the Client ID and Client Secret from when you created the credentials in the Cloud Console. (If you forget, go to the Cloud Console API Credentials section and click on the pencil.)
For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth
For the Token URL, enter https://www.googleapis.com/oauth2/v4/token
Click Next
You now configure your client for the scopes that you're requesting. Unlike most other places you enter scopes - you need to have one per line. Then click Next.
You need to enter testing instructions. Before you submit your Action, these instructions should contain a test account and password that the review team can use to evaluate it. But you can just put something there while you're testing and then hit the Save button.
Configure API.AI
Over in API.AI, you need to indicate that the user needs to sign-in to use the Action.
Go to https://console.api.ai/ and select the project you're working with.
Select "Integrations" and then "Actions on Google". Turn it on if you haven't already.
Click the "Sign in required for welcome intent" checkbox.
Handle things in your webhook
After all that setup, handling things in your webhook is fairly straightforward! You can get an OAuth Access Token in one of two ways:
If you're using the JavaScript library, calling app.getUser().authToken
If you're looking at the JSON body, it is in originalRequest.data.user.accessToken
You'll use this Access Token to make calls against Google's API endpoints using methods defined elsewhere.
You don't need a Refresh Token - the Assistant should hand you a valid Access Token unless the user has revoked access.
After contacting Google the current situation seems to be that you should set up your own OAuth2 server, and then on the login screen of your OAuth2 server you should start the Google OAuth2 flow.
you have to have your own endpoint with Google Oauth2 - it is correct that you can't use Google Oauth itself as a provider. To use the Google OAuth service, you can use a "sign in with Google" button in your own endpoint instead.
Source: Contacting Google Actions on Google Support
Kind of speechless right now... as this seems to be a huge oversight on Google's part.
I am able to make it work after a long time.
We have to enable the webhook first and we can see how to enable the webhook in the dialog flow fulfillment docs
If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first.
Then follow the steps mentioned below for the Account Linking in actions on google:-
Go to google cloud console -> APIsand Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there
-> Download JSON - from json note down the project id, auth_uri, token_uri
-> Authorised Redirect URIs -> White list our app's URL -> in this URL fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id in the URL
-> Save the changes
Actions on Google -> Account linking setup
1. Grant type = Authorisation code
2. Client info
1. Fill up client id,client secrtet, auth_uri, token_uri
2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token
3. Save and run
4. It will show an error while running on the google assistant, but dont worry
5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth
and token_uri as https://accounts.google.com/o/oauth2/token
6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email
and weare good to go.
7. Save the changes.
In the hosting server logs, we can see the access token value and through access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
r = requests.get(link)
print("Email Id= " + r.json()["email"])
print("Name= " + r.json()["name"])
You need to implement the Oauth protocol with whatever Google Assistant app you are developing. Let me be a bit more clear:
The user is on the assistant, you need to link him to any data
you have on your App side
The access to the data you have about
your user is protected by an access token
Google then needs to
ask you for this token to have access to this resource
When
google has the token it can send it to the app so it validates every
requests to get the resource.
This is why you need to implement your own oauth server (Honestly it is just two more endpoints in your application): the identity is checked on google's side, but the link between the user and the resource to access can only be known by you.
The process above is valid, you just need to specify your own token endpoint and your own auth endpoint.
Note that if you only want to check that the user is logged in into google and get his email, you just need to implement the streamlined identity flow that does not require the /auth endpoint (Automatically Sign Up Users with Streamlined Identity Flows)
That beeing said I implemented the flow but get the same error :
expected_inputs[0].possible_intents[0]: Transactions/Identity API must be enabled before using.
I am trying to figure out how to link a skill with a custom user account. Here is what the documentation says:
Account linking flow for implicit grant (for use with custom skills):
In the Alexa app, the user enables the skill.
The app displays your
login page right within the app, using the Authorization URL you
provide when registering your skill on the developer portal. When
the companion app calls this URL, it includes state, client_id,
response_type, and scope as query string parameters.
The state is used by the Alexa service during the account linking process. Your page needs to keep track of this value, as you must pass it back later.
The state is used by the Alexa service during the account
The client_id is a value defined by you when you set up account linking for the skill in the developer portal.
The response_type is always token for the implicit grant flow.
The scope is an optional list of access scopes indicating the level of access requested. You define the set of scopes to support when enabling account linking for your skill.
The redirect_uri is the URL to which your service redirects the user once the user is authenticated.
The user logs in using their normal credentials for your site.
Your service authenticates the user and then generates an access token that uniquely identifies the user in your system.
Your service redirects the user to the specified redirect_uri and passes along the state, access_token, and token_type in the URL fragment.
The Alexa service validates the returned information and then saves the access_token for the Alexa user.
The user’s Alexa account is now linked to the account in your service, and the skill is ready to be used.
Here is what I get form Amazon:
{
"client_id":"my-client-id",
"response_type":"token",
"state":"some_long_string",
"redirect_uri":"https:\/\/subdomain.amazon.com\/spa\/skill\/account-linking-status.html?vendorId=W5TGH673R
}
Based on what I read above I am redirecting back to:
https://subdomain.amazon.com/spa/skill/account-linking-status.html?vendorId=W5TGH673R&state=same_long_string&access_token=something-I-made-up&token_type=Bearer
Unfortunately this doesn't seem to work. Basically I get: Unable to link your skill
Any ideas?
I ran into a similar issue, and I had to use a hash instead of an ampersand before the token. My redirect url is:
https://subdomain.amazon.com/spa/skill/account-linking-status.html?vendorId=W5TGH673R#access_token=something-I-made-up&state=same_long_string&token_type=Bearer