Google OAuth Consent - Internal - Multiple separate organisations - google-oauth

I'm trying to setup a Google OAuth consent screen but I have two separate google workspace accounts. The two accounts are completely separate.
I have the consent screen setup, working perfectly for the one workspace "domain-a.com" as an Internal User Type to make sure only users within "domain-a.com" can login.
I'd like to also allow "domain-b.com" accounts from the other google workspace to also be able to login.
I'm wondering if this is at all possible? Or is my only option to set the User Type to external and then vet the domains in my auth flow?
I was hoping it would possible to somehow authorise "domain-b.com" on the "domain-a.com" workspace without adding all the additional domain aliases to users etc? I do see the Domain Verification option under the APIs and Services screen, but this only mentions webhooks.
Any help would be appreciated

I think setting the type to external is the only way to achieve this.
Does your app use any sensitive scopes? If so, then setting the app to external means that your app might require verification unless you mark the app as trusted in both Workspace accounts.

Related

Twitter Bot: Get access token for another account without 3-legged OAuth flow?

I am in control of three twitter accounts: One is my main account, the other two are supposed to automatically post content via a bot. I created the bot logic and added it to Twitter's development tools and I can easily use it to post to my main account.
Now I need to add the access tokens for my two secondary accounts. My question is - what's the easiest way to do this.
As far as I can see, Twitter only enables one way to do this: 3-legged OAuth flow. It is not too complex, but it seems to me to require setting up a mock website with callback url, which seems like too much considering I only need to generate two api tokens. Am I missing something?
There are some alternative ways to generate access token and access token secret for OAuth 1.0A via command line tools which allow you to use the “PIN-based” OAuth flow.
One example would be Twitter’s own twurl tool for API testing, which requires you to also have Ruby installed. This will let you authenticate a user account (it still pops open a window onto twitter.com to have you do the authentication) and stores them into the ~/.twurlrc file in your home directory. There is also tw-oob-oauth-cli which is a standalone app for doing the same thing.
You're not missing something. The reason this is required is to force users have a browser they trust open and see that they are on https://twitter.com/, so they can trust that it's a safe place to put in their password.

Single sign-on (SSO) without SAML/OAuth/OIDC

Guess we are all tired of login and password system and want to go passwordless.
I saw that the only solution to login without hassle is via SAML, well bad news you have to pay some SaaS apps like slack, miro, agile crm... to have access to SAML configurations.
I'm trying to build a website, like a portal where I have links to thoses website and I just click on them and I'm auto sign-in (SSO Dashboard).
I don't want to be dependent of in-browser remember password or any password keeper like bitwarden. I want to store all of my user pass in my database.
Any hints to do this ?
I already tried this solution : https://crunchify.com/automatic-html-login-using-post-method-autologin-a-website-on-double-click/ it doesn't work at all.

Login functionality from my platform INTO other sites?

I am creating a software-platform in Symfony3 (a PHP framework). In this platform, there needs to be a page with links to approximately 20 different websites (among others: Google Analytics, Google TagManager, Rocket.Chat)
My goal is to enable the following functionality:
Upon having clicked on one of these links that are in my platform, I want to redirect the user to that particular site, while having them logged in.
So for example:
There is a 'link' to Google Analytics and when being clicked, the user needs to be redirected to their campaign within Google Analytics.
Note: The username/password that will be used to perform this login will be the same throughout all the different sites. We have a database with these credentials for each user, which we want to use to login to those different services.
I was thinking about using cURL, but this would not be a universal technique. (and bring forwards many security implications)
Another option would be to use the Google API to perform an authentication, but I could not find such functionality. (Normally, it is the other way around: logging into your platform by means of a google account)
I look forward hearing from your input!
Kind regards,
Jeroen

Turn off 2-Step Verification for a user via API as a Google Apps super admin

As part of our "off-boarding" process for employees leaving the company, as super admins we use the Google Apps Admin SDK Directory API to change the user's password so that they can no longer access their account. Then we log in to do a Google Takeout, reset passwords for their other accounts, etc.
However, we recently decided to enforce 2-Step Verification for all of our users. So now when we go to log in to their account, it sends a code to their phone.
Since 2-Step is enforced for their SubOrg, we can't even turn it off through the admin console. So all I can do now is to have the API move the user to a different SubOrg where the 2-Step enforcement setting is turned off, and then manually turn off 2-Step.
Is there any way to programmatically turn off 2-Step verification for an account?
I looked in the Google Apps Admin SDK Directory API Users:update documentation, but it doesn't seem to have anything to do with 2-Step.
The Reports API can find out the user's enrollment status, but it's read-only for reporting purposes.
What you are doing is the correct way to remove the 2-Step verification. As you mentioned if it is enforced under a Organization Unit, removing it would get against that rule and that's why you are not able to do it unless you move the user to another OU where this is not enforced.
I was not able to find some way to do this programmatically. However, you could Suspend the user. After that, the user won't be able to access to that account. The account will still be visible in your Admin Console and all the information in the different Google services will remain attached to that account until you finally delete the account.
While the user is suspended, as admin, you can use service account to impersonate that user. By doing so you can act as that user and edit permissions or transfer the ownership of the files contained in Drive to a different account so those files won't get lost.
I hope this helps.
The easiest way to do this is to create a Group for which 2FA is exempt (see here: https://support.google.com/a/answer/2370108). Then add the user to that group, then you can click "Disable 2FA" on the user page in the admin console. I'm assuming you can do the same through the API.
The only downside is that this means you'll have a group through which it is possible to exempt users from the 2FA enforcement option. So that's a risk you'll have to accept and a policy you have to carefully check.

Question on Google Provisioning API and SSO Password change propagation

I'm using the Google Apps Provisioning API to synchronize user data with our internal database (MySQL). For every new user created through our site's backend, a corresponding user in created in the GoogApp system. Change is passwords are also synchronized accordingly.
I'm about to implement SSO, so that logins performed on our website automatically makes the user login into the google apps too.
My question is what happens IF the user happens to change his/her password using the Account > Settings in the googapps interface, instead of our own backend? Our system has no way of knowing about the change! Is there a way in Prov API or SSO with which I can turn off the password changing mechanism in googapp engine and let the user do it ONLY through our backend?
Anyone who's used / setup a similar system, please shed some light on it.
Thanks,
m^e
When you have SSO enabled in your Google Apps domain you have to provide a "change password" URL, that way when the users tries to go "Setting"->"Change Password" they will be redirected to your custom URL and make the password change in your backend.