Is there a line of code that bypasses the second app authentication screen where you select Allow or Deny? I would like our users to automatically be connected to the registered app.
Thanks!
No, it is not possible to bypass that step. If it were possible it would be a security hole.
Yes, is it possible, for paid networks. To be able to do this, your application should use an access token that must be authorized as verified network admin, so it could impersonate user access tokens, take a look at impersonation on Yammer documentation for more information about this.
Related
gapi.oauth2 is being deprecated so I'm trying to set up Google Sign In using the new GIS Client. However I'm having a serious issue when the user grants access to scopes. The checkbox for one of the scopes is unchecked by default. Users often forget to check this and then our app just won't work for them. With gapi I could handle this by requesting additional permissions if they forgot to check the box. But the new GIS Client has no such functionality. Any ideas on how I might solve this problem? Thanks so much.
Normally, in an OAuth flow, in such a case you would make a new authorization request with the complete list of scopes that you need. The authorization server should be able to tell that you are asking for more scopes than the user previously consented to and ask for a new consent. It seems that GIS Client is using a standard OAuth flow, so I would try to solve your problem this way.
Can anyone help clarify or provide any guidance on how we can allow our users to maintain a list of authorised devices from where they are allowed to login using Firebase Auth.
Is this a feature of 2fa?
Security is important and we want a user to control and approve logins from specific devices. Does FB Auth capture device information? Can I access this and use it? Do they create a unique fingerprint for each device?
I would like to implement something similar to Google accounts whereby I can revoke access from old devices or devices I dont recognise.
Thanks in advance.
how we can allow our users to maintain a list of authorised devices from where they are allowed to login using Firebase Auth
Firebase Auth doesn't offer this sort of feature.
Security is important and we want a user to control and approve logins from specific devices.
That's something you'll have to provide for yourself somehow.
Does FB Auth capture device information?
No, it doesn't. It allows anyone to call the REST API directly from anywhere that has an internet connection to sign in and get a token.
I'm trying to figure out which OAuth2 grant to use for my application/saas. Or if OAuth2 is even the correct way to go.
The application:
The purpose of the application is for use and integration with e-commerce. So what I want is for the user is to go to my site and register an account. After the account has been created the user should be provided with credentials with which he/she can acquire an access- and refresh-token. The access-token should provide access to the users OWN resources and preferably use scopes to limit access. The user should the be able to get/post/put and delete stuff from his/her account as if working in the provided administration (SPA).
They should not have to go through the OAuth redirect flow, because they will be using the API from their servers.
My thoughts
First I considered going for the Client Credentials grant. But then I found out that it will not provide access to a user and it's resources.
I've started leaning towards using the Resource owner credentials grant. But I don't put a lot of faith in my users picking strong passwords. And in almost all documentation I can find, everyone seems to not recommend using this grant.
Maybe OAuth is not suitable for my project? Maybe I should go for some API Key which can be traded for an access token?
Any thoughts and/or input?
I've one link which may useful for you.
Link: https://github.com/lucadegasperi/oauth2-server-laravel/blob/master/docs/authorization-server/choosing-grant.md
Came to the conclusion that OAuth2 was not correct for my situation.
In the end I chose to go with a custom solution based on JWT.
Everything I'm reading shows that in order for an application to use onedrive, it has to do the oauth2 thing to get credentials. But what if you're a batch process and don't have a web interface for your users.
Google's API has a special type of account called a service account where once you set it up, you can control access to everything from that one account, no need to interact with users. Does such a thing exist for onedrive?
App-only authentication doesn't require the user be prompted for credentials but it also isn't supported in 100% of scenarios. For example, the APIs need a user principle for creating special folders and resolving a user's personal site. Also, it is only supported for OneDrive for Business, not Consumer. Consumer always requires the user be prompted for initial authentication.
Another option would be to spin up a web service of some sort that handles initial user authentication, ie. a sign up page. With that, you can retrieve a refresh token for offline authentication and store it for the user. Every authentication from then on can be done using the refresh tokens, which doesn't require a user prompt.
I finally found this. It's the same basic idea as google's service account, but I think it's harder to use. But at least the concept is supported.
http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx
Most Oauth implementations require the user to login with the originating site in the process.
An example is: http://code.google.com/apis/accounts/images/OAuthDiagram.png
What if I want to use my own account to access a generic feature, such as a search for people outside of my network, and don't want them to login? Is there any way to login with my own generic account?
I am creating a web service that interacts with many social networks by searching them, so by forcing the user to login several times to each network if I want to use their API is just bad user experience.
You could try to authenticate your account manually and then store the access token. Any subsequent request would be made with the stored access token.
There are several problems with this approach:
if the token expires, you have to reauthenticate
you might run into request quotas if you do all requests from one account (e.g. Twitter)
If possible, I would use something like HTTP basic auth to authenticate to the services.
When you are strictly speaking of OAuth, it is not meant for this scenario. Try looking into SSO (Single Sign-On).
OAuth can also be implemented in conjunction with SSO solutions.