So I am creating an application for my google apps domain. It will have its very own google apps account associated with it, from which it can store/retrieve/manipulate data.
The application should use this google account alone and the user should have no indication that it is using a google account. Is there a way to programmatically authenticate my entire application and not prompt the user authenticate/authorize?
I think you are looking for two legged OAUTH.
You can generate a OAUTH token and secret in the control panel of Google Apps and assign the authorized scopes to this token/secret pair. For instance, you can authorize access to the calendar of all users in your Google Apps domain using the token/secret.
You can then programmatically access the calendars of all users.
Because this token/secret is authorized by the Google Apps domain administrator, individual users do not need to grant access anymore. That is why this is called two legged Oauth, whereas three legged Oauth requires user interaction to obtain a token/secret for an individual user.
This question on SO might interest you too.
Related
I am building an SSO system for android where I am the identity provider. And I want users to sign in from my app that will automatically log them in to google workspace (or any other enterprise application e.g salesforce). I cannot figure out what and how to send identity values from my Idp to Google workspace.
This can't be done this way round. When a user signs in to your app she can't be automatically signed in to any other application. The options that you have are:
When a user signs in to your application you can ask Google for an access token. As part of your sign-in process, you can run an OAuth flow against Google Authorization Servers and ask for proper permissions. This will allow the user to additionally log in to their Google account, consent to release information to your app and you will then get an access token that will enable you to call Google's APIs. This way your users will have to log in twice (both to your app and to Google).
You can rely on Google to log users into your app. So, Google will be the OIDC Provider and your app will only be the client. People will log in to their Google account, and you will get an ID token in return. You can use the data from the ID token to create user accounts and sessions in your app.
In the first case, you will want to have a look at OAuth flows, like the code flow. In the latter, you will need OIDC flow, e.g. the OIDC code flow.
I'm planning on building a G suite integration with my existing SaaS site.
I want Gsuite admins to allow access for their organisation. So I only want "domain install" possible.
After this has been done users can be imported from Google into our application. Users should be able to use SSO to login but I don't want each user having to pass the consent screen.
I also want the app to have readonly access to the calendar of the user.
What is confusing for me: do I need to create a regular web app integration or a Service account integration? I don't really need offline access but I want to avoid all users having to grant access individually.
Here it says: The user sees the OAuth Consent screen only once; if you’re using a service account to allow a domain admin accept terms on behalf of the domain users, then the end users must never see the OAuth consent screen.
So does that mean only service accounts allow this?
Yes, using a service account you can install and authorize one app for all your domain user impersonating the admin account. In such a way, your users won't have to authorize the app individually.
You will have to enable domain wide delegation in order to impersonate the admin account when using a service account.
Reference
Service Account
I need to build a custom auth system with and i don't know what to choose between Firebase Auth and Google OAuth/OpenID.
I don't want my users to sign in through google accounts nor facebook nor twitter etc.
I want to use my own user database to authenticate my users.
So what is the best and more secure, reliable,scalable option to setup this ?
Thanks
If you have an existing list of user credentials (e.g. Active Directory, LDAP or a database with user names and passwords) you can authenticate those users yourself and then tell Firebase about them with Custom Authentication tokens.
Using Google authentication makes no sense in that case, since the credentials you have are not for Google accounts.
Our clients use Google Apps for Education. We are implementing single sign on from Google Apps to our web application, using Google Apps as the identity provider. Due to the security issues related to working with students, it is not possible to allow students to create accounts in our web application using their Google Apps account. Instead, the user accounts in our application store the Google Apps account name.
So far, we have set up OpenID in Google Apps and it is working. The student enters their Google Apps username and password at the Google prompt, then approves the sharing of their username. The application uses the username to match the existing account so the student is logged into the correct account in our application.
Since our web application is trusted by the school district, we would like to eliminate the step where the student approves the sharing of their username. However, we haven't figured out how to do this. Is there a way to configure Google Apps to trust our web application using OAuth 2.0?
We are thinking that 2-legged OAuth may be the way to go. It is described in this article. Is this the correct approach for what we want to do?
Using 2-legged OAuth with Google Tasks API for Google Apps domain administrators
From what i Read about 2-legged OAuth allowed to access to the user's resources without asking for their permission to do so .
if you want to display for example all events from Google calendar of students if you do it by an ordinary way u will need to ask permission from each student to access to their calendar but by using 2-legged OAuth with Google Apps for Education you don't have to .
you find here link more infos about 2-legged OAuth and comparing it with 3 legged Oauth with an example
I was just wondering, I want to associate a Twitter and LinkedIn account with my systems accounts. Which would allow them to post to interact with them without needing to log in to the other systems.
Is there a way to store the social (twitter / LI) usernames and passwords and associate them with my system and vis versa.
E.g. If I login using my native details (email / password) I can access the API features of my social network accounts?
Thanks in advance,
Chris
I can't speak for Twitter, but with LinkedIn you could follow this basic workflow:
Register an 'application' with LinkedIn. Your site will use this application for all communication with the LinkedIn API.
Have the user authorize your site (your application really), to access their account via the LinkedIn API.
Retrieve the user's unique LinkedIn ID, as well as their access tokens, and store those in your user account database, associated with their existing account.
Then, when they return and log in to your site, any calls you need to make to LinkedIn can be done via the stored access token, rather than having to have them manually allow you to have access again.