Im trying to add google oauth2 as my login method in superset. Users cant register by their own, the system admin must provide access for the user deppending on permissions/role.
When a annonymous user loged in, the system must check if the user email exist and what role is applied to him and show the user profile
I already have the google oauth2 linked in superset, i can click in the login google button the login pop apears and enter the email and pasword of an google acount. But when the login is done, it apears a message saying that the user is not authorized.
Login Page
After Login, with console error (page stays loading...)
The question is how i can associate an google user to a superset user, or register an user by this google oauth2 method with the respective role?
One thing you can do is set Flask App Builder's AUTH_USER_REGISTRATION = True and
AUTH_USER_REGISTRATION_ROLE = "some_default_role".
Then if you want to alter the registration flow, I'd recommend setting your own SecurityManager and overriding BaseSecurityManager.auth_user_oauth . I'd copy the source of that method and alter it.
I'd be great if FAB had a pre_registration hook in BaseSecurityManager for this purpose. Maybe it could receive the User object FAB is planning on creating (before it gets created) and could return a list of roles, or None if we want to abort the registration process.
Related
I completed the process to allow the users to login to Google OAuth but the Oauth Consent Screen do not ask the email/userinfo permission/scope to the user and so the access token I get do not have access to the user information.
At console.cloud.google.com > My project > Credentials > Oauth Consent Screen the following scopes are visible but seem added by default and I can not edit them: email (googleapis.com/auth/userinfo.email), profile (googleapis.com/auth/userinfo.profile), openid (openid)
But when I test it I get this dialog window:
Instead I should get this:
So with the text "To continue, Google will share your name, email address, language preference, and profile picture with Support Board."
My app is not verified by Google and maybe this is the issue, but after checking everywhere I do not see any docs about it.
I found the answer, the URL must include; scope=email
For instance:
https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&access_type=offline&redirect_uri=[URL]&client_id=[CLIENT-ID]&prompt=consent
^^^^^^^^^^^
I am using Cognito User pools and the hosted Cognito UI. I want new users to be disabled when they first sign-up.
I am trying to use a Cognito Trigger to disable the user.
The "Pre sign-up" trigger is to soon, the user has not been created yet. I have successfully used the "Post confirmation" to disable the user, however this is causing a side effect. After the user enters the confirmation code which is emailed to them, they see this message in the hosted UI "User is disabled".
Does anyone have a suggested solution on how to make the new users disabled by default?
We had a similar Business Requirement. For us we made use of a User Pool Group. This allowed the sign up and validation process to work as normal. We had the Post Confirmation trigger send our product team an email with details about the new confirmed user. We had a simple UI for the product team to add the group to a user if they should have access.
To Deny/Grant Access to the app: Our app checked the ID Token, once a user successfully authenticated, for the group (the ID Token has a 'cognito:groups' key which contains a list of all the groups the user is in). If the group was not present we displayed a page showing the user a customized access denied message
Our DocusSgn integration is currently a two step process:
the user clicks on "Login to DocuSign" whereupon they are redirected to "https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=00000000-0000-0000-0000-000000000000&state=00000000-0000-0000-0000-000000000000&prompt=login&redirect_uri=www.stackoverflow.com/app/callback" (for example) where they login, so that we can get an authentication.
we have the templates populated from DocuSign using the authentication. The user selects the template and clicks "Go to DocuSign" where upon a popup takes them to "https://appdemo.docusign.com/documents/details/c921ac4b-fdae-48a9-a70e-5d8a4e3e0089" for example.
The problem is that the user is forced to login both times. The expectation is that after the initial login during step 1, the user would not need to login again in step 2 since the domain names match (and DocuSign would create session cookies for the login).
Is there any way/process that we can follow which would allow us to not have to do this awkward double login?
thanks in advance!!!
First Login is the OAUTH login in which user is giving your IntegratorKey (Client_Id) access to call DS ESign APIs and impersonate user on the user's behalf. Using this flow you will never get access to bypass DS Weblogin page to access the page hosted by DocuSign like the one which you have - https://appdemo.docusign.com/documents/details/c921ac4b-fdae-48a9-a70e-5d8a4e3e0089. If you want to give access to the user to edit the templates using API then you need to use below API call with the OAUTH Access token:
POST /v2/accounts/{accountId}/templates/{templateId}/views/edit
Documentation for the same is available at:
TemplateViews: createEdit
I'm talking about interaction between IUserEnumerationPlugin and IAuthenticationPlugin.
Plone has a strange behaviour about the possibility to flag (activate) the IAuthenticationPlugin without flagging IUserEnumerationPlugin too.
You can add in ZMI -> Plone -> acl_users a simple "ZODB user manager"; add a dummy user in it; and activate only the Authentication flag.
You will get that the user authenticate correctly at login (welcome message is printed as well as userid in place of login tab) but the authentication cookie seems that didn't being set: browsing any other page brings you back to anonymous state.
Dunno if it is a bug, but I need to authenticate users without let them show in sharing page or in usergroup-userprefs searches as they are managed elsewhere.
I am trying to create an app with SQL database connection. Like other apps, user should have the option of both custom register(email,password) and facebook login.
If user choose custom login thats fine, but if user choose facebook login my app would be able to retrieve email from facebook yet no password.
In most apps if you choose facebook login, after login with facebook you never deal with register and logging again (Single sign on, and access token).
But How other apps let user register without choosing a password? Do they let password field null in database (that doesnt seem feasible)? Or do they create a random password for user and save it to users device? What if user logs out or delete their facebook account and wants to login to my app, how would they login without password since in first place they have chosen facebook login?
I know multiple question but they are all related and I am having a difficult time understanding that simple task.
Thanks
M. Fustang
In general if you allow people to register using Facebook, you can force them to set their username and password for this website on first time they log in. And simply store user's id from Facebook as a column in users' table together with username and password provided by user. And then allow them to login using this user/pass data for your website or using Facebook. This will allow your users to log in even after Facebook's account removal.