I have been successfully able to run a Custom Login Page for Google Apps until today. I used to use Client for the Google Apps Provisioning service. using which we could send email (username) and password as parameters and obtain the authentication token.
With OAuth2 (as per Google we need to upgrade to OAuth2 starting 20th April, 2015) I can't find a solution! There's no way I can send/ check if a username/ password pair is correct.
There is no way now to do what you want. You could use SAML2 and then use Google as the source IDP via OpenID but you would end seeing the Google Login page again. It seems that you are trying to hide the fact that it is a Google shop.
SAML2 auth lets you design your own login screen but requires that you use your own user database.
Related
I am building an SSO system for android where I am the identity provider. And I want users to sign in from my app that will automatically log them in to google workspace (or any other enterprise application e.g salesforce). I cannot figure out what and how to send identity values from my Idp to Google workspace.
This can't be done this way round. When a user signs in to your app she can't be automatically signed in to any other application. The options that you have are:
When a user signs in to your application you can ask Google for an access token. As part of your sign-in process, you can run an OAuth flow against Google Authorization Servers and ask for proper permissions. This will allow the user to additionally log in to their Google account, consent to release information to your app and you will then get an access token that will enable you to call Google's APIs. This way your users will have to log in twice (both to your app and to Google).
You can rely on Google to log users into your app. So, Google will be the OIDC Provider and your app will only be the client. People will log in to their Google account, and you will get an ID token in return. You can use the data from the ID token to create user accounts and sessions in your app.
In the first case, you will want to have a look at OAuth flows, like the code flow. In the latter, you will need OIDC flow, e.g. the OIDC code flow.
I'am working on an project where we have a Vue.js Frontend and a Microservices architecture for the backend hosted in Azure Service Fabric.
We wan't to add an IdentityService for authentication using IdentityServer4.
What we want to achieve is a login that is basically the same as stackoverflow provides:
You can login on the website with an embedded login or use external providers like Google and Facebook.
My question only concerns the embedded login.
I have read articles that state using Authorization Code Grant with PKCE is the best way in my scenario. Moreover they say, that Ressource Owner Password Grant should not be used.
But as far as I know, with this flow it is not possible to embed the login to our own website. It will always be a redirect to the IdentityService.
How do Stackoverflow achieve this? Do they use Resource Owner Passwort Grant?
Thank you!
First of all, I welcome you to check how Stackoverflow (SO) handle their user registration process.
SO allows you three options. Login through Google, Facebook or register directly to SO. When someone use Google Or Facebook, SO uses Authorization code flow. User is redirected to respective login page. Once you login there, SO receive user profile details from those identity providers, which allows SO to complete the profile and onboard the user.
But when someone use built in register page, it is simply good old registration page. There is no OAuth involved there. SO obtain end user credentials, complete the profile and save them at their backend.
In your scenario also, you can omit OAuth and use a built in registration or login page. Only concern is the maintenance burden of end user credentials.
I am currently working on a project that requires a user to Login to the app using Google credentials but without redirection to the google authentication website. The user needs to enter his Gmail id and password in the app window and somehow I need to verify these credentials with Google (without redirecting). Is there a way to do this?
EDIT:
One approach I got is to send these credentials to google which would authenticate the credentials and return an authentication token. But the feasibility of this approach is questionable.
We currently have a corporate portal in which users authenticate and get different page views based on their access level. We have been tasked with allowing them to click a Google Mail icon to sign them into their domain Google Mail Account. To do something like this, should we be looking in to oAuth or Open ID? Presently, they're already using their email and password to sign in.
From what we understand, Open ID requires their email and password to go to us, which we have; but will Open ID do what we're looking for?
Thank you.
Since your users have a Google Apps for Business email address already, I would suggest using the Google+ Federated Login feature-set. (You can learn more here: https://developers.google.com/accounts/docs/OpenID)
A quick snippet from the aforementioned link:
If you are planning to provide a “sign-in with Google” feature, we recommend using Google+ Sign-in, which provides the OAuth 2.0 authentication mechanism along with additional access to Google desktop and mobile features...[the] OpenID+OAuth Hybrid protocol lets web developers combine an OpenID request with an OAuth authentication request. This extension is useful for web developers who use both OpenID and OAuth, particularly in that it simplifies the process for users by requesting their approval once instead of twice.
You can find more on the Google+ Federated Login toolset and explore a sample application here: https://developers.google.com/+/
Hope this helps!
I am trying to use facebook API to provide a silent login feature.
Application has to login onto facebook without prompting for user name and password. The authentication can be done through the application.
I want to know whether this can be done using the facebook API. I'd also want to know whether some paid facility is available to do that.
Facebook does not support silent login. Facebook only permits authorization through its own servers and browser windows, because it does not trust third party developers to handle their passwords.
You will have to authenticate once, then get an access token, and you can keep using the access token to auto login the user, until it expires. Have a look here or search google on "how to get Facebook access token c#"
Auto Facebook OAuth from ASP.NET C#