Regarding the AppSource submission, the docs state the following:
"You must provide at least two login credentials, one admin and one non-admin"
"For enterprise apps, apps where a subscription is required, or apps where there is an Office 365 tenant/domain dependency, you must provide a third account in the same domain that is not pre-configured for your app so that we can validate the first-run user experience."
For #1, our add-in does require external login and we will provide test credentials. However we don't have the concept of an "admin user" within the add-in. What exactly are we meant to provide for that?
For #2, our add-in will require that the user have an account with us (subscription?) what exactly do we need to provide? Another user of our system without access so it can be verified how that user experience is? A user will not be allowed to upgrade themselves but will be prompted to call our customer rep.
I've run into your first question: "You must provide at least two login credentials, one admin and one non-admin" as well with some confusion.
From what I can see this points to https://learn.microsoft.com/en-us/microsoftteams/using-admin-roles. They define a teams admin by the role "Teams Service Administrator". This can be added to an account here https://admin.microsoft.com/adminportal/home, I'd recommend a guest account.
Hopefully this helps.
Related
I have made a web app that using Microsoft Graph api's. when we authenticate user using their personnel account then it work perfectly but when someone use their organizational account then error display which is
"AADSTS65001: The user or administrator has not consented to use the application with ID '29eb2e50-3e2b-45a4-9488-d9b08a34b6f0' named 'testing app'.
Send an interactive authorization request for this user and resource.
Trace ID: 4a665bcf-c19e-48f8-b5c2-056e61aa2d00
Correlation ID: 1ad728bb-6fa2-4f27-ae5e-215f580d2e9e
Timestamp: 2022-09-05 10:46:49Z","error_codes":[65001],"timestamp":"2022-09-05 10:46:49Z","trace_id":"4a665bcf-c19e-48f8-b5c2-056e61aa2d00","correlation_id":"1ad728bb-6fa2-4f27-ae5e-215f580d2e9e","suberror":"consent_required"}
now kindly let me know how can we resolve it. I have done all changes in our azure app which is provided by the internet but still the same error please let me know which permission I should add or which changes are made to resolve this issue thanks.
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot give the administrator permission), you can set up user roles according to Assign Azure AD roles.
1.Log in to https://portal.azure.com as a tenant administrator.
2.Open the registration of your application in the following location.
3.Go to settings and then the required permissions.
4.Press the grant permission button.
Check if the user or organizational account has the required permission granted as seen in the sample below.
I try to give new users in our domain access to our VSTS. We have MSDN enterprise subscriptions via MPN. The subscription is assigned and visible for the user if he logs in my.visualstudio.com with his work account. If the user tries to access the VSTS at [ourprojects].visualstudio.com he gets “VSTS login fails with 401 not authorized – [user] has multiple accounts associated with it. Your work or school account does not have access to [ourprojects].visualstudio.com, but your personal account does have access. “.
Signing in with the personal account as suggested by the error message leads to another error: “This Microsoft account does not exist.” This is correct. The account in charge is definitely a work account in Microsoft Azure Active Directory. So the first error message is somehow strange and leads into the wrong direction.
Our domain accounts are synchronized with Azure Active Directory (AAD). I can see the new users both in our domain and AAD. The user can login into my.visualstudio.com with his work account. So sync with Windows Server AD and AAD looks working correctly. MSDN assignment works, too.
Loggin into my.visualstudio.com redirects to the login page of our domain. thsi is corect and works fine. But this redirect does not take place loggin into VSTS.
For other older accounts in our domain VSTS access with work account works completely fine. Has anybody experienced similar problems?
Finally I talked to Microsoft support. It turned out that this VSTS account is not backed by Azure Active Directory. It has to be converted to do so.
To check if a Azure DevOps/VSTS account is backed by AAD, you can look in the settings page ("gears"->Settings) of Azure DevOps at the very bottom.
I was looking at Khan Academy and I'm wondering how their authentication works (probably many other websites have it the same).
When you login with facebook account that has email "aaa#gmail.com", you completely logout, open another anonymous window, and login with google account that has the same "aaa#gmail.com" email, you log into the previously created account.
My questions are :
Do they make association to account based on email your social account has ?
I'm sure their solution is secure, but is this common and normally doable so there won't be any possible exploitations ?
I'm using a system of Oauth2 to grant access to my app, dvouch
First you have a registered user in your website, with an unique email.
So what basically happens is:
User visits your website (website doesn't know who the user is)
User clicks to login through one of the Oauth2 providers
Your website proceeds to start a "OAuth2" handshake, it redirects the user to the provider oauth endpoint, along with some information, like what scopes you're asking for (email, personal info, public info, etc), the url to send back the user after the authentication is done, your application tokens (that are registered in the providers app dashboard), and so on.
Let's say the provider you chose was facebook. Facebook receives your request for an OAuth2 authentication. It also receives the scopes you're asking for, which url you want the user to go to after being authenticated, and your application credentials
It checks that the credentials you're sending are valid, that the callback url you're asking the user to be sent after also matches what they have registered for your app (so that someone can't simply steal your app credentials and have users redirected somewhere else) and if everything is fine and dandy, it will then present the login window to the user. This login is happening on the provider's page. Not on your website.
The user logs in (inside facebook or google not your website). The provider sends them back to the call back url you specified in the beginning of the handshake.
You (your website) receives the user back with a bunch of information, such as the email of the user who just completed the Oauth2 flow.
At this point you use the email that came in the callback and identify the user through the email. Since all emails are unique, and since your user had to be registered with that email on the provider, you are safe to assume he's the owner of the email.
(technically things might happen a bit differently)
It's basically very secure as long as the website has the regular security measures. Of course if someone has access to your Facebook(wtv) account or email they can login as if they were you, but that would happen either way they offered Oauth or not.
Then as long as you verify you're logging in the correct provider's website (like facebook's or google and not something else) you'll be fine since no one else will be able to see your login. Since a "scope" of authorizations has to be passed as well you as a user can also see what the application is asking for (email, access to your inbox, wtv) and decide if you want to grant those scopes or not, if you decide not to grant access then facebook will not pass back that information, which in turn renders the process safe.
The only way it wouldn't be safe would be if you had malicious software installed in your computer to log your activity and in this case you would be screwed either way.
I want to create a "guest account" and then login the user to that account.
Creating the account on the server side is fine, and better than doing it client side!
But once this account is created, how do I login the user with it, given that my server would know the password (that it just created)
It seems there are methods to login with external services but not just with a password.
meteor DOCS link here
meteor login source code here
If I create the account client side, it will then login the user, but for various reasons I cannot do this. One is a dependency on another package that bans this but generally creating accounts client side isn't smart, even if they are throwaway guest accounts.
sankyu!
doh! you just have to know what to look for! hope it helps someone else!
https://docs.meteor.com/#/full/meteor_loginwithpassword
Using the Jenkins OpenID plugin I'm able to configure Jenkins to use my Google Apps OpenID as a provider. Anonymous users are still able to access that application (they have read access only), but I want to have it so that users are forced to login using the Google App domain or they are denied access.
I'm currently using the Jenkins Authorization setting of "Logged in users can do anything", I've tried using the "Matrix based authentication" and denying anonymous users, assuming logged in users would still have permissions, is there a special group value I can use for "logged in users" in matrix based authentication?
It seems like "Matrix-based security" will only work for specific users when using Google Apps OpenID (I don't believe Google apps for domains has support for OpenIDTeam extension
Yes there is a special group you can use to do this but finding the information about how to do it isn't obvious.
If you hover over the 'Overall - Read' column on the Matrix-based security table you'll get the solution.
It states
The read permission is necessary for viewing almost all pages of Jenkins. This permission is useful when you don't want unauthenticated users to see Jenkins pages - revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.
I use the following technique in combination with the OpenID plugin which allows me to specify a Google Apps for Business domain to secure Jenkins with
Warning: Make sure you've got a backup of your installation before you start because if you get something wrong you may lock yourself out of your Jenkins. Unpicking the plugins and settings would take longer than just restoring from a backup.
Ensure your choice of OpenID provider is still working ok with your current 'Logged in users can do anything' setting
Select the 'Matrix based-security' mode for Authorization
Add a new 'authenticated' group (lower case 'a') to the Matrix-based security table.
Use the 'check all' icon at the right hand end of the new 'authenticated' row to tick all the permission boxes.
Use the 'check all' icon at the right hand end of the 'Anonymous' row to untick all the permission boxes.
Save the settings
Reload Jenkins
Now each time a user wants to see Jenkins they have to be already signed into their Google Account and no-one can get to see any Job names or views without login.
Hope this helps.