I am developing a Microsoft Office Add-in that is using Auth0 to manage user logins. I am using Google SSO (identity provider) in Auth0.
I was able to add the login capability to my app by following this example on github: https://github.com/OfficeDev/Office-Add-in-Auth0
However, I am now trying to add functionality to log the user out. I am calling the logout endpoint through a CORS proxy (I host my own proxy that I use) like so:
https://cors-anywhere.herokuapp.com/https://{MY_AUTH0_DOMAIN}.auth0.com/v2/logout?
federated&
client_id={MY_CLIENT_ID}&
returnTo={MY_RETURN_TO_URL}
The call returns a 200, but when I go to the login screen and sign in with Google I am not presented with the screen to select my Gmail account. I am just logged into the app with the Gmail account I used the first time.
The only thing that logs the user out of their Gmail (identity provider) is manually "clearing the web cache" in the add-in.
I have tried following these instructions: https://auth0.com/docs/logout/log-users-out-of-idps
I set up the proper clientId for Google, so that I am no longer using the dev keys.
Has anyone successfully added logout functionality for an identity provider with Auth0 in an Office add-in?
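A worked version of the logout call, added here as an example; it is not code from the question or from the OfficeDev sample it links, and the tenant domain, client id, returnTo and logout page URL are placeholders. The point it makes: /v2/logout with federated only ends the Auth0 and Google sessions when the user's browser itself navigates to it, because that is the only request that carries the user's cookies for those two domains. A fetch or XHR, and in particular one routed through a CORS proxy on another host, returns 200 but is made without those cookies, so nothing is signed out.

```javascript
// Added example, not code from the question or the OfficeDev sample it links.
// The tenant domain, client id, returnTo and LOGOUT_PAGE values are assumptions.
const AUTH0_DOMAIN = "example.auth0.com";                      // assumed tenant
const CLIENT_ID = "YOUR_CLIENT_ID";                            // assumed client id
const RETURN_TO = "https://addin.example.com/signed-out.html"; // assumed; must be in Allowed Logout URLs
const LOGOUT_PAGE = "https://addin.example.com/logout.html";   // assumed page hosted with the add-in

// Build https://{tenant}/v2/logout?federated&client_id=...&returnTo=...
function buildLogoutUrl({ auth0Domain, clientId, returnTo, federated = true }) {
  const rt = new URL(returnTo); // throws on a relative or malformed value
  if (rt.protocol !== "https:") {
    throw new Error("returnTo must be an https URL listed in the app's Allowed Logout URLs");
  }
  const params = new URLSearchParams({ client_id: clientId, returnTo: rt.href }).toString();
  const u = new URL(`https://${auth0Domain}/v2/logout`);
  // `federated` is a bare flag; URLSearchParams would emit "federated=", so it is
  // prepended by hand. With it, Auth0 clears its own session and then redirects the
  // browser to the IdP's (Google's) logout, which is the step the question is missing.
  u.search = (federated ? "federated&" : "") + params;
  return u.href;
}

// Decide how the logout URL is delivered. It has to be a navigation made by the user's
// browser: only that request carries the user's cookies for the Auth0 tenant and for
// Google. A fetch()/XHR, and especially one sent via a CORS proxy, carries neither
// cookie set, which is why it returns 200 and yet nobody is signed out.
function logoutNavigation(env) {
  if (env.inOffice) return "dialog";    // task pane webview: open the Office dialog
  if (env.hasWindow) return "navigate"; // ordinary browser page: top-level redirect
  return "unsupported";                 // e.g. Node, where there is no browser session
}

function performLogout() {
  const logoutUrl = buildLogoutUrl({ auth0Domain: AUTH0_DOMAIN, clientId: CLIENT_ID, returnTo: RETURN_TO });
  const env = {
    inOffice: typeof Office !== "undefined" && !!(Office.context && Office.context.ui),
    hasWindow: typeof window !== "undefined",
  };
  const how = logoutNavigation(env);
  if (how === "dialog") {
    // The dialog must start on the add-in's own domain. LOGOUT_PAGE is assumed to be a
    // small page that calls window.location.assign(<this logout URL>) on load. It builds
    // the URL itself rather than reading it from its query string, so it cannot be
    // turned into an open redirect.
    Office.context.ui.displayDialogAsync(LOGOUT_PAGE, { height: 40, width: 30 }, (result) => {
      if (result.status === Office.AsyncResultStatus.Failed) {
        console.error("logout dialog failed:", result.error.message);
      }
    });
  } else if (how === "navigate") {
    window.location.assign(logoutUrl);
  }
  return { how, logoutUrl };
}
```

Once Auth0 and Google have finished and the browser lands on the returnTo page inside the dialog, that page (hosted with the add-in) can call Office.context.ui.messageParent(...) so the task pane knows to close the dialog and drop its own cached tokens; clearing the task pane's local state alone never touches the IdP session.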
Background
I have a web application "APP1" (front end: Vue.js; back end: Azure Functions) deployed in Azure App Service. I have implemented client-directed sign-in (easy auth, using this); after that I can authenticate users using the provider's sign-in page [both AAD & Google].
Target
I have another web application "APP2" deployed on an on-premises server. I want to redirect from "APP2" to APP1 and automatically sign in without the provider's sign-in page. I will read credentials from an environment variable.
Tried solutions
I have found a similar issue here; however, I am unable to use the solution because the DB between APP1 and APP2 can't be shared.
I have also checked the Google identity provider documentation; however, I am unable to find how to programmatically sign in without the provider's sign-in page.
Question
Is it possible to programmatically sign in to Google Identity to get a token without the provider's sign-in page?
The whole point of Google Identity is to prove the identity of the person behind the machine.
OpenID Connect is an open standard that companies use to authenticate (sign in) users. IdPs use this so that users can sign in to the IdP and then access other websites and apps without having to log in or share their sign-in information. (id_token)
OAuth 2.0: this standard provides secure delegated access. This means an application created by a developer can take actions or access resources from a server on behalf of the user without them having to share their credentials (login and password). It does this by allowing the identity provider (IdP) to issue tokens to third-party applications with the user's approval. (access_token, refresh_token)
I'm creating a small web app running on IIS and I need to implement a secure way to handle login authentication against active directory.
Currently, I have it set up with Windows authentication, so when users first go to the website it shows the login prompt from the browser, they login using their AD credentials, and then it allows them into the site.
However, I want to have an actual login page and have these credentials validated against AD instead of Windows Authentication. I've been researching for hours about LDAP but I can't seem to find good documentation/videos on how to set it up to communicate with AD. I've thought about using 3rd party services like Okta but I don't think I need to.
Does anyone have any ideas?
We are using an Excel add-in in OfficeJS and want to implement login authentication with the requirements below:
We have our own on-premises server (identity).
We need to obtain access and refresh tokens.
Kindly suggest any examples for this.
An add-in is just a web application embedded in Office, so you would implement login auth exactly the way you would for any web application. If you are using OAuth 2.0, then for resources and libraries about how to do this, see Authorize external services in your add-in. The one possible exception is that some identity providers (Secure Token Services) do not allow their login page to open in an iframe. If that is the case with the STS that you will be using, then you will need to open the service's login page in a special dialog. For more information, see Authorize with the Office Dialog API.
I had been successfully running a custom login page for Google Apps until today. I used to use the Client for the Google Apps Provisioning service, using which we could send the email (username) and password as parameters and obtain an authentication token.
With OAuth2 (as per Google, we need to upgrade to OAuth2 starting 20th April, 2015) I can't find a solution! There's no way I can send/check whether a username/password pair is correct.
There is no way now to do what you want. You could use SAML2 and then use Google as the source IdP via OpenID, but you would end up seeing the Google login page again. It seems that you are trying to hide the fact that it is a Google shop.
SAML2 auth lets you design your own login screen but requires that you use your own user database.
I have a C# MVC5 website on Azure in which I'm trying to add a variety of identity providers (e.g. Google, Twitter, Facebook, Microsoft).
Having followed a simple guide on the asp.net site on adding Microsoft Live as an authentication option, I'm finding that when I try to authenticate with a Live account I'm always bounced to my login page. My site users should instead be directed to the "Register" (MYSITE.azurewebsites.net/Account/Register) page upon first successful authentication from a new provider, or to the home page as an authenticated user if previously registered. However, I seem to always be sent to the login page.
I'm not encountering any authentication errors from the Live provider - username and password are being accepted and the provider does seem to be redirecting as if an authentication was successful.
I haven't encountered this problem when integrating with Facebook, Google or Twitter.
In the Live Connect Developer Center, where my authentication app is configured, I'm required to provide a "redirect domain":
You only need to enter the domain, for example http://www.contoso.com
For this I've entered the URL for my Azure site http://MYSITE.azurewebsites.net
The field doesn't appear to acknowledge any routes such as /Account/Something/ on the end of the URL, but I'm not clear that it should need to.
Does anyone know if I require some additional configuration in my site to work with Microsoft Live or is there some restriction on using the Live provider on free Azure sites?
I've fixed this. Unfortunately, it transpired that I was missing a preceding hyphen character from my clientSecret, which I had specified in my StartUp.Auth.cs.
I'm surprised an error wasn't thrown to say that the client secret was invalid, as I was going on the assumption that any incorrect clientId or clientSecret values would have rejected my request when clicking the 'login with Microsoft' button.