Im trying to make a little .core service to keep gitlab issue's and a board on Microsoft Planner in sync.
Gitlab side isn't an issue however talking to the planner aspect is proving problematic.
In Azure I have successfully added an App Registration and using the delegated permissions, I can do what I need, BUT when it gets the access token, I get the old
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ******** to authenticate.
Which as im trying to make this into a service, isn't great.
I then setup permission as a deamon but Planner dosn't allow assess to 'Application Permissions' which planner needs.
So is there another option?
Unfortunately Planner does not support Application Permissions. You can try to use a user account specifically created to act as your service as a workaround. There is currently no timeline for Planner supporting Application Permissions, however this is in our work backlog.
For example if you create a new Plannerplan then it works only with delegated permissions. It's not exposed with application permissions so that you can use it in daemon app. Unfortunately this is by design or in other words, it will work only with delegated permissions only at this point.
Unfortunately it won't work that way, but you may want to give a try. Being said that i would suggest you to file an Microsoft Uservoice or upvote an existing uservoice item talks about it - so that they can consider implementing it as a feature which support application permissions
Also you can see above #Tarkan confirmed the same and shared insight that its in their backlog too.
Related
I have a web application which runs until now with cloud run, but without access restriction. Now it should be available only for certain users.
I read https://cloud.google.com/run/docs/authenticating/end-users and also tried both
mentioned ways: Google-Sign-In and the "Identity Platform" tutorial.
If I understand correctly, you have to program the actual user handling yourself in both variants. For example, determining which email addresses have access to the application, etc.
I was looking for a declarative way where, ideally, I only maintain a list of permitted email addresses and the "cloud run application" is only "magically" linked to this. With the result that only these users get access to the web application. That doesn't seem possible?
Ideally, the actual application should not be changed at all and an upstream layer would take care of the authentication and authorization, possibly in conjunction with the "Identiy Platform".
Best regards and any hint is welcome
Thomas
Let me add some sugar to this to better understand all these.
A Cloud Run application is packaged by you, you maintain the source code, if this is a website, placing a login button and handling authentication is your job to accomplish.
A Cloud Run system which is running all this on a hardware, it doesn't "look into" or handles your application code outside of the "code". Simply put it doesn't know if it's a Java or Python code and how to handle authentication out of the box for you - but read further.
If you require a simple way to authorize look into API Gateway it can be placed "before" Cloud Run. It might not be exactly your use case. These exists only for "API" designed services.
That upstream layer you need is the managed Identity platform, but the CODE should be assembled by you and deployed inside your Cloud Run service. The code will be the UI driven part, the authorization logic is handled by the Identity Platform so it reduces the amount of development time.
Your users would sign up using a dedicated registration page, and sign in by entering their emails and passwords. Identity Platform offers a pre-built authentication UI you can use for these pages, or you can build your own. You might also want to support additional sign-in methods, such as social providers (like Facebook or Google), phone numbers, OIDC, or SAML.
Look into some of the advanced examples to get a feeling how authorization can be customized further: Only allowing registration from a specific domain you could reuse one of these samples to maintain that shortlist of users that you mentioned.
In addition to #Pentium10's answer, you can also make all users authenticate to your app somewhat forcibly. (Imagine you're building an internal portal for your company, or an /admin panel for your app that only certain users/groups can access.)
This sort of use case can be achieved by placing Cloud Identity-Aware Proxy (IAP) in front of your Cloud Run service. That way, all requests go through this proxy that validates the caller. This is not like Identity Platform in the sense that visitors don't create accounts on your website (they use existing Google accounts or other IdPs like ActiveDirectory, or whatever you configure on IAP).
I have a little tutorial at https://github.com/ahmetb/cloud-run-iap-terraform-demo/ since IAP+Cloud Run integration is still not GA and therefore not fully documented.
I have been scratching my head for a while now. Went through tons of documentations but everything seems very confusing. Please forgive if it appears to be a duplicate question, but believe me, the more content I find, the more its confusing me.
Below is the configuration of my project and what I need to achieve:
The project is a web based application developed using Spring framework with Java 8 that is hosted on S3(linux server). HTTP server used is Apache. JBoss is used as an application server and the exact version used is wildfly-8.2.0.Final.
Currently, the user enters his credentials which are validated against Microsoft Active directory using LDAP and is let in. The requirement now is that when the user logs into the machine using his AD credentials in his intranet environment, and he tries to open the application, he should directly log in and not prompted for credentials again. If he is outside his intranet network, the existing log in method should be followed.
While researching I found the below things I assume can be useful but not able to reach to a conclusion.
Kerberos along with Shibolleth: I went through below two references which somewhat matched with my requirement but not very sure am I looking at the right thing or not.
http://richardjohnson798.blogspot.in/2011/10/single-sign-on.html
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
My confusion revolves around the below things.
Is Shibolleth the right choice. If yes, what is the exact role of Shibboleth?
What things needs to be setup on the linux server(Kerberos implementation for example), and what changes would be needed in the client's AD environment?
Is the implementation possible on the Wildfly server? (as all the references have the thing implemented using Tomcat).
What are the security aspects I should be concerned about.
Help is much appreciated. Thank you.
Since you are using S3 I assume you are using AWS.
Go to IAM and add the Active Directory as a SAML provider
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Then use AWS Cognito Federated Identity Pool via the JavaScript SDK in the front end code you have hosted on S3.
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html
I have a web application, which run in all browsers using ASP.NET, SQLSERVER.
Since its relating to transferring funds and transmitting vouchers any one can use this from anywhere in the world.
Only user name and password are the security parameters used here.
We are facing an issue in the security side, any sales agent / customer who got this credentials can make transactions on that particular dealers account.
Is it possible to launch the web-app only inside an .EXE file, which can act as a parent to run my web-app.
So any anyone suggest an idea to do this mechanism /or a better solution to overcome this obstacle?
1) Change your application to use two-factor authentication.
2) User best-practices for application security -- no magic fix ever guarantees real security.
I am building a web application with front-end coded in angular. The front-end will access a bunch of web-services coded in Java/Spring. There might be other ways that people may try to access the webservices such as from a desktop tool. Now I need to secure the whole infrastructure.
I need a way to maintain a user repository, i.e. provision users and manage users, roles etc.:
users should be able to register themselves and have their emails verified.
admin should be able to approve users and assign them roles, delete users, update them etc.
I also need single sign on functionality. So once you login through the webfront end, you should be able to access the REST based webservices seamlessly (depending upon the role you have).
I do not need to support millions of users, so something light-weight will be preferable.
I am looking for open-source solution(s) that can:
allow user management (ideally over REST based API and have its own user interfaces as well)
allow single-sign-on functionality for web frontend and webservices, and potentially for desktop apps that may need to be implemented.
I have tried Apache Syncope which seemed promising as it provided REST based APIs. I am thinking of using it with CAS. However, the default UI seemed kludgy and CAS doesn't directly support REST.
I am looking at Shibboleth and OpenIDM as well - but none seems to be meeting my requirement directly.
I'll appreciate any suggestions on what options/stack can I consider for this. Ideally, a single solution or a well integrated solution on Java/Spring stack might work better for me.
you should have a look at https://github.com/openMF/mifosx for Java and Springs RESTFull Web service.
and https://github.com/openMF/community-app for there AngularJS web app.
plus you can also find a live demo link on there repository.
username is mifos and
password is password.
it is ment for microfinance but you can study its architecture implementation and use there core functionalities, it is really amazing.
I have written an application that I have listed in the Google Marketplace. I am trying to get my app to use the Directory API (part of the Admin SDK). According to the documentation here: https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites, this will require anyone who installs my app to enable API access.
The only scope I need is:
https://www.googleapis.com/auth/admin.directory.user.readonly
Is there any way to access the above scope without requiring API access to be enabled? All I am ultimately trying to do is import users from a domain into my app so that they do not have to visit my app to have an account.
I am trying to avoid having to have the domain administrator enable API access. I have also seen other apps that require the same exact scope as I do that seem to work without requiring API access. I'd be willing to drop back to the older, deprecated Google Data APIs, but I don't think I can even register an app to use them.
This is not possible today. You have you have guidance in your app to remind the admin to turn this on.
We understand this is suboptimal for both admins (expecting that authorizing an app should give it access) and developers (needing to write unnecessary code to handle this). We are looking into improving this flow but not specific plans on launch yet.