I have a scenario in my web application where I want to verify the logged in user is a member of the specific google groups. If he is a member of the group I can give some access permissions. How to verify this programatically. I am using google authentication to login to my application and I have a google group with a list of members.
There is a method from the members API which retrieves the members of a specific group, you can use that method to obtain the members of the group and look if the logged user matches any of those members.
I hope you find this useful!
Related
We are using Auth0 as the Identity Provider. We want to support both Individual Users and Enterprise users (Users who are part of an Organization).
By looking at the user profile, could not find any distinct field which can help me identify the type of user. Although Auth0 has extensive documentation, isn't helpful either for this area.
How can we identify the type of user from the User Profile of the User. I have tried GET /<user_id>/organizations but it won't help if the user logs in before the Organization is registered in the Auth0.
Thanks in advance
I'm integrating some of our company's internal applications to use our GSuite instance for authenticating our employees when they log in, using GSuite's support for Open ID Connect.
However, our applications uniquely identify the users using our internal "employee ID" to log in, instead of our GSuite email address. I see that it is possible to store/manage an "employee ID" within gsuite, however I'm not sure how I can retrieve this information after the user has successfully authenticated.
Currently, I'm getting back a list of "claims" from the userinfo endpoint, but these claims only include the name and email address of the user. I also need the phone number and employee ID which we've configured on GSuite.
Is it a matter of requesting additional scopes to start off with? Or do I need to make a separate request to retrieve the additional user information?
I see that there is an Admin Directory API but it appears that would be for accessing the information of ALL users within the domain, whereas I'm only interested the extended details of the CURRENT user.
Ultimately, I created a service account with scope https://www.googleapis.com/auth/admin.directory.user.readonly to call GET https://www.googleapis.com/admin/directory/v1/users/<current_user>. I had to delegate domain-wide authority to the service account, as well set it up to impersonate an admin user.
It seems like overkill, since I only need extended details of the current user, for which I already have an OAuth2 access token.
I found this question quite helpful in resolving the issue.
If anyone can provide an answer that makes use of the OAuth2 access token, I'd still appreciate it
I am using Azure AD B2C and I want a group based user distribution for my application. Lets say I have two subdomains subA.myapp.com and subB.myapp.com. On the other hand, I have two groups subA and subBin Azure B2C. Now a user wants to signin to subA.myapp.com, but is not a member of group subA, I would like to deny the user to sign in.
I know that Azure B2C does not include group info in the access token. So I will actually use Graph API to get the group membership of the user. But I am not quite sure if there is an appropriate event where I could intercept the validation process and manually deny a user to sign-in. Also, I thought I could use one of the *Validator methods of TokenValidationParameters but not sure which one.
I have read Authorize By Group in Azure Active Directory B2C. My problem is different because that problem is trying to protect only some actions based on group memberships, I want to prevent the whole login process to fail based on group membership.
You can use a ValidationTechnicalProfile on a page created by the SelfAssertedAttributeProvider technical profile. Using the validation technical profile, you can first authenticate the user, and then call a Rest API that can look up users group membership and return a successfull/fail response.
If the response is successful, the flow will continue. If it's a failure, an error will be shown to the user.
I have ADFS configured to deliver AD group information for a logged in user returned as claims.
Claim Language:
(sorry for the screen capture... the schemas were interpretted as URLs that I wasn't allowed to post)
Basic claims to return AD groups user belongs to
This returns groups that the user directly belongs to.
Would like ADFS to return effective permissions for the user.
Example:
User MyDomain\Bob belongs to the group Floor3Employees
The Group EntireBuilding contains the groups Floor1Employees, Floor2Employees, Floor3Employees
When getting claims for MyDomain\Bob... would like the groups returned to be:
Floor3Employees
EntireBuilding
The web application receiving the claims from ADFS could probably query AD to figure out the hierarchy of groups, but want to avoid the web application communicating directly with AD.
As we know Super administrators also have full access to all users' calendars and calendar event details.
I found these API's
https://developers.google.com/google-apps/calendar/v3/reference/ which can be used to retrieve calendar's related to a user.
i read google docs api
for getting information about a current user we use default
https://docs.google.com/feeds/default/...
and for getting information about other user in the same domain
https://docs.google.com/feeds/user#yourdomain.com/...
we have to replace default with user's email address.
but in calendar's api for accessing list of current user's calendar's list
we use this url
https://www.googleapis.com/calendar/v3/users/me/calendarList
if current user is an administrator and i have to retrieve list of calendar of other user in the same domain then how to retrieve that list
i tried to call https://www.googleapis.com/calendar/v3/users/rashmi#riteshmehandiratta.com/calendarList
response is Not Found.riteshmehandiratta.com is my domain and rashmi is a user so email address is rashmi#riteshmehandiratta.com i authorize my app by super administrator and successfully get access token and putting header
Authorization with OAuth anonymous_access_token so there is no problem with authorization part of url.
can any one please help how to retrieve other user's calendar list in the same domain by super administrator via api call?plz.. plz.. help