I have to build a portal for my institute which will act as a job portal for the institute. Companies should be able to post their job/intern openings on the portal. For that to happen, one prime condition is that HRs should login only with their work profiles and thus their personal accounts(gmail,etc.) should be restricted. I have seen some similar questions where we had to whitelist a particular domain and restrict all others but this might not be feasible in this case, as whitelisting all the work domains doesn't seem practical. Is there a built-in solution for this?
My Tech Stack is:
NextJS for the frontend.
For the backend part, I am thinking of either NodeJS+mongoDB OR Sanity.io depending on a more feasible solution for the above problem statement...
Restrict yahoo/gmail and only allow their company's email or school's email (.edu). You can also have a dropdown of whitelisted school's email or company.
School or companies who wish to join your platform will have to be manually added once. Basically whitelisted list can perform registration in the future.
I am working on a web application which is based on Google App Engine (GAE). The requirement of the application is that one user can be associated with multiple company accounts.
My application has two main types of accounts. One is that main Admin/Company account. Other is the employee account (i.e. the persons who work under a company). Now, what I want to do is that to allow an employee to work under more than one companies, but he does not have to make a separate account for each company. His single account can be associated with multiple companies.
I have explored different platforms which are already supporting this feature. The major ones which I found are Slack and Asana. And my problem can be perfectly mapped to what Slack is doing right now i.e. I create a single account on Slack and I can join multiple workspaces on Slack using this single account.
I want to achieve the same in my application too. I am curious that how Slack is supporting this feature right now? Does it send some ID with every request to the server which indicates that the activity which just has been done is associated with the workspace under this ID? Or there is some unique sort of token associated with every workspace (on Slack API level)?
I do have such a model in my app. A unique auth_token is associated with every company account. So, I am thinking that when an employee wants to do an activity for a specific company he will send this unique token with the request to the server so that server knows for which company the activity was performed.
Does anybody know what is the best way of achieving this?
There are two different concepts at work here:
Relation between account and company / workspace
The data structure for the Slack account is designed such that it can be linked to multiple Slack workspaces, e.g. in SQL you would have a many-2-many relation between the accounts and the workspaces table.
Staying logged in
The way Slack and others Single-Sign-On provides like Google SSO keep you logged in is by settings a browser cookie. That cookie would usually be some kind of crypto hash and the SSO provider will use it to identify to which account the current user belongs to or to request a login via OAuth if the cookie is missing / invalid.
This can also be achieved partly with server sessions (which also uses cookies). Using server sessions is easier to implement than implementing your own (secure) cookie solution, however the user will only stay logged in as long as the browser stays open. But that should be sufficient for most solutions.
Note that tokens for the Slack API work very differently. e.g. they have to be generated per workspace, user and app.
We are developing a web app that has users and payments. We need to use it ourselves and we need to allow other companies to use it as well. All instances of the app must use the same database and the same payments account. And it's preferred that each front-end is completely separate.
Here are the ways I can think of:
1) Use OAuth. This is a perfect approach but I don't think each front-end can be completely separate - in other words each app instance would link to the same password and payment forms and then redirect back to the app instance when the user is done with the form.
2) Just give the other company the whole app and let them deploy a completely separate instance. The downside is that we would need to give them our database and payment credentials.
3) Load the front-end of our app into an iframe on their site. Is this even possible? If so it seems like it would meet all my requirements but it seems a bit hacky...not sure of all the drawbacks.
Are there any other options that would allow for the same database and payments account and completely separate front-ends?
Do you want the other company to use your company domain or sub domain or their own domain.?
Your company domain
In this case, create a separate login page. Once user is loggedin, create a custom UI for the logged in user and show the pages for user and payment. It is single UI and it can render based on the user preference like custom font, logs etc.
Company Subdomain
This is a popular model used in Software as Service business. Based on the subdomain, create the custom page and this page will access the services with cusomter id. You can also provide a module for the customer to upload the images, select the font etc.
All the services and transaction will have customer id and easy to track.
Customer domain
Expose the user and payment info as restful webservice and let the customer to create a webpage and use the exposed services.
I am creating an arcade website with multiple games. should I generate a single oauth client id for the entire domain or should I generate a unique oauth id for each individual game?
The more interesting question is: What user experience would you like to give users?
If you want to build your brand across each of the games, you'll configure a single project (ZBestArcadeGames.com, for instance) in Cloud console. Users will be prompted to authorize your entire site. Whether you create one client or multiple clients in this case is not super-important, since you can configure multiple redirect_uris for a single client. Users will consent once to sign-in to your site and they can authenticate to every game w/o additional consent prompts. Similarly, if they revoke access to your site, they will no longer be able to authenticate to any game in the site. This may be the typical choice if your company develops all games it hosts.
If, on the other hand, you want to highlight the individuality of each game and allow users to consent / de-authorize authenticating to them individually you need to create separate projects each with its own brand (and in this case you will need to configure at least one client in each project). This may be the typical choice if each of the games is developed by a company and there's no implied trust between the games you host and your company, and you'd not like to sign terms-of-service on behalf of these other companies--you might even want to ask the developers of each original game to register separately (using the redirect_uri for your site).
I am working on an app in iTunes connect for a client, under their iTunes connect account. I want to add myself as a user so that I can get email notifications of updates in app status. When I try to add myself as a user I get the following message:
The email address you entered already belongs to an iTunes Connect account. To continue, enter a different email address
I am using this email address on my own company's iTunes connect account, but not on my client's account. How can I add myself as a user?
#sarnold Turning your comment into an answer because it worked for me.
Two Separate Websites
Apparently for historical and organizational reasons, Apple operates their developer and app store business in a bifurcated manner.
developer.apple.com
The web site for all the technical resources, including documentation, WWDC videos and such.
itunesconnect.apple.com
This completely separate web site handles the business end:
Contracts, banking, payments.
Uploading your finished app.
Defining your In-App Purchase products.
Problem: Different Handling Of Accounts
The developer.apple.com site is slick in that a programmer can have a single Apple ID used to join multiple developer accounts. She may work for three different companies, and be assigned a role on each of those companies’ Developer accounts all on the same Apple ID. When she logs in to the Developer site, she is presented with a popup menu asking which of the three companies’ Developer accounts she wants to access during this work session. Nice.
The problem: in iTunesConnect, not so nice. In iTunesConnect, the "admin" person cannot assign existing Apple IDs as members with a role. Very strange. The admin is forced to create a new ID for each person being adding to the team. That means the person joining must have multiple email address. If an admin tries to add you to their iTunesConnect with an email address already used on some other company's iTunesAccount, an error message reports that email address / Apple ID is already in use. Obviously the programming team running the iTunesConnect site could use some help from the Developer site's team. ☹
Workaround: Email Address Trick
The workaround cited by sarnold involves a feature of email addresses. The spec for email servers has a feature where you can extend your email address. You can add a suffix to the first part of your email name by appending a "+" PLUS SIGN. From what I could figure out, the email software first looks for the extended name. If no such name is found, it drops the extension and looks again. If found, the shorter version of the email address is actually used.
So if the programmer Susan wants to use her email address susan#example.com for a second or third iTunesAccount, she tells her client's admin person at Acme Corporation to use something like this as her email address: susan+acme.com#example.com. Apple will still create a needless extra Apple ID for Susan, but at least Susan does not have to bother with creating and accessing extra email accounts. The emails sent by Apple will arrive at her susan#example.com address.
Susan double-checked this would work before talking to the admin person. She sent herself an email to susan+acme.com#example.com to make sure it arrived at the susan#example.com account.
Effectively, the email servers are not fooled by the extended email address, but iTunesConnect is fooled into creating an new Apple ID using an old email account.
Basically, you can't invite other iOS devs to review your efforts seems to be the result of this policy.
I had (and have) the exact same problem... what makes me kinda like FlavorScape's suggestion ;)
What I did is something similar to sarnold's comment: I used an alternative email address (_#gmail.com instead of _#googlemail.com) and this actually created a new AppleID with this email address.
It works fine, but it would be so much better to just connect my actual Developer account to my client's.
The way it's like at the moment, I can not even access the developer resources and (most importantly) the provisioning center with the new Apple ID, so my client has to do create new provisioning profiles and stuff, which is pretty frustrating and complicated.
Additionally, it is a pain to let him test the Apps on his own devices, because of the developer certificate is installed on my Mac, not his, and I am therefore the only one (or better, my Mac is the only computer) that can install new provisioning profiles on his devices.
Is there a better way to connect the accounts and solve these problems?
Cheers,
Nils
Apple now will allow the same email address to be invited to multiple itunes connect accounts and no longer allows new emails to be added with the +. Just a word of warning to others who were doing this the original post is now out of date with Apples new policy it seems.
#knl: The problem in the original question is specifically with iTunes Connect. If you want to be able to manage the Provisioning center -- to make profiles etc -- ask your client to add you to that account. Here are the steps:
Go to "Member Center"
Select the "People" tab
Click on invitations
Select "Invite person"
in the next screen they can select your role including "Member" (limited access) and "Admin" (full access)
From apple documentation:
You can only create test user accounts using an iTunes Connect
accounts with the Admin or Technical role assigned to it. Test users
do not have access to iTunes Connect, but will be able to test in-app
purchases in a development environment on a registered test device.
Link here