Log in user Google oAuth without consent screen - c#

I am developing a project for Google Apps for Education.
It is using domain-wide delegation to access user account data across a domain.
This is done with Google Service Accounts (https://developers.google.com/identity/protocols/OAuth2ServiceAccount).
But in order to log the user in and get his email, I use a normal OAuth login procedure (https://developers.google.com/identity/protocols/OAuth2WebServer).
This does, however, result in a consent screen for the user, asking for his email and "Know who you are on Google".
Is there a way to log in the user and get an object from Google containing email etc., without showing this consent screen?
Thanks in advance

You should pass the domain in the hd= parameter. Soon we are changing the "approval page" to a simple account-selection page when only the email scope is requested. So this experience will become what you would ideally want, except that the user would need to confirm the account with one click (not an approval).
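As an added example (not code from the thread or from Google), the snippet below builds the authorization URL with the hd parameter the answer mentions and then checks the hd claim of the returned ID token on the server. The hd query parameter only shapes the account chooser; since the client can edit the request, the only thing that proves a user belongs to the domain is the hd claim Google puts in the ID token. The client ID, redirect URI, domain and the sample token are placeholders constructed for the demo; the token has no real signature, and a production check must verify the RS256 signature against Google's published keys before trusting any claim.

```csharp
// Added example (not from the original thread). Builds the Google authorization URL with
// the hd parameter, then checks the hd claim on the returned ID token server-side.
// The client ID, redirect URI, domain and the sample token below are placeholders.
using System;
using System.Text;
using System.Text.Json;

public static class HostedDomainLogin
{
    // Endpoint and scopes from Google's OAuth 2.0 web server documentation.
    const string AuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth";

    public static string BuildAuthorizeUrl(string clientId, string redirectUri, string hostedDomain, string state)
    {
        var parameters = new (string Key, string Value)[]
        {
            ("client_id", clientId),
            ("redirect_uri", redirectUri),
            ("response_type", "code"),
            ("scope", "openid email"),
            ("hd", hostedDomain),   // UI hint: account chooser limited to this Workspace domain
            ("state", state),       // anti-CSRF value bound to the user's session
        };
        var sb = new StringBuilder(AuthEndpoint).Append('?');
        foreach (var (key, value) in parameters)
            sb.Append(Uri.EscapeDataString(key)).Append('=').Append(Uri.EscapeDataString(value)).Append('&');
        return sb.ToString().TrimEnd('&');
    }

    // hd in the URL only shapes the UI; anyone can edit the request. Authorization must rest on
    // the hd claim inside the ID token Google issues after login.
    public static bool IsFromHostedDomain(string idToken, string expectedDomain, string expectedAudience)
    {
        string[] parts = idToken.Split('.');
        if (parts.Length != 3) return false;

        // NOTE: this inspects claims only. In production verify the RS256 signature against
        // Google's published keys (e.g. with the Google.Apis.Auth package) before trusting them.
        using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement c = doc.RootElement;

        if (!c.TryGetProperty("iss", out var iss) ||
            (iss.GetString() != "https://accounts.google.com" && iss.GetString() != "accounts.google.com"))
            return false;
        if (!c.TryGetProperty("aud", out var aud) || aud.GetString() != expectedAudience) return false;
        if (!c.TryGetProperty("exp", out var exp) || exp.GetInt64() <= DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return false;
        if (!c.TryGetProperty("email_verified", out var verified) || !verified.GetBoolean()) return false;

        // Consumer (gmail.com) accounts carry no hd claim at all, so the lookup itself is the check.
        return c.TryGetProperty("hd", out var hd) &&
               string.Equals(hd.GetString(), expectedDomain, StringComparison.OrdinalIgnoreCase);
    }

    static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    // Constructed sample token for the demo: real tokens carry a signature, this one carries "sig".
    static string SampleToken(string audience, string hostedDomain)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
        long exp = DateTimeOffset.UtcNow.ToUnixTimeSeconds() + 3600;
        string hdClaim = hostedDomain == null ? "" : $",\"hd\":\"{hostedDomain}\"";
        string email = hostedDomain == null ? "someone@gmail.com" : $"student@{hostedDomain}";
        string payload = $"{{\"iss\":\"https://accounts.google.com\",\"aud\":\"{audience}\",\"exp\":{exp}," +
                         $"\"email\":\"{email}\",\"email_verified\":true{hdClaim}}}";
        return header + "." + Base64UrlEncode(Encoding.UTF8.GetBytes(payload)) + ".sig";
    }

    public static void Main()
    {
        const string clientId = "CLIENT_ID.apps.googleusercontent.com";
        Console.WriteLine(BuildAuthorizeUrl(clientId, "https://app.example.edu/oauth2callback", "example.edu", "opaque-session-bound-state"));

        // A Workspace account from the expected domain versus a consumer account without hd.
        Console.WriteLine(IsFromHostedDomain(SampleToken(clientId, "example.edu"), "example.edu", clientId));
        Console.WriteLine(IsFromHostedDomain(SampleToken(clientId, null), "example.edu", clientId));
    }
}
```

The state value should be a random, per-session secret that the callback handler compares before exchanging the code; it is shown as a literal here only to keep the example self-contained.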

Related

Get Azure AD groups assigned to login user on windows machine

I am using Office 365 credentials to log in to a Windows 10 machine. I have written a desktop WinForms application in C# where I just want to get the email address and the AD groups assigned to that logged-in user.
I don't want to relaunch login from the desktop app. I just want to use the existing user info to get the email address and user groups. I am only able to get the local groups assigned to that user, but I need the AD groups too.
You must throw a login challenge from your desktop app at least once to get the auth token to be able to query the Graph API (details in the next paragraph) and keep the token cache so that it does not prompt the user again from the next time onwards. There is no other way I am aware of. You need to create a native client app in AD (or if you want to reuse some existing one, that will do too) and grant it the Graph API User.Read permission. Here is an end-to-end guide for that: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-windows-desktop (well, the example is for WPF, but WinForms would be very similar except for the XAML part). If you follow this example, the login screen which will show for the first time will automatically have the O365 Windows logged-in user populated (because of the .WithPrompt(Prompt.SelectAccount) part in the bootstrapping), if that gives a bit of relief to your app users.
Once you get the access token, you need to query the Graph API with it. Here is the programmatic way (C#, based on your tag in the question) to get the user details for the logged-in user (me) and to get the user groups for the user (me).
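The code the answer refers to is not on this page; the block below is an added example (not the tutorial's code) of the flow it describes: try the MSAL token cache silently, fall back to the interactive login with Prompt.SelectAccount only on a cache miss, then call the Graph /me and /me/memberOf endpoints. It assumes the Microsoft.Identity.Client NuGet package, an app registration whose client ID and tenant are the placeholders shown, and that the registration has been granted whatever Graph permissions your tenant requires for those two endpoints. It needs network access to Azure AD and Graph, so it is not runnable offline.

```csharp
// Added example (not the code from the linked tutorial). Assumes the Microsoft.Identity.Client
// (MSAL) NuGet package, an app registration whose client ID and tenant are the placeholders
// below, and that the registration has been granted the Graph permissions your tenant requires
// for /me and /me/memberOf.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public class GraphUserInfo
{
    static readonly string[] Scopes = { "User.Read" };
    static readonly HttpClient Http = new HttpClient();
    readonly IPublicClientApplication _app;

    public GraphUserInfo(string clientId, string tenantId)
    {
        _app = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority("https://login.microsoftonline.com/" + tenantId)
            .WithRedirectUri("http://localhost")
            .Build();
        // MSAL's default cache is in memory only. To avoid a prompt on the next launch, persist it
        // with _app.UserTokenCache.SetBeforeAccess/SetAfterAccess (or the MSAL cache extensions)
        // and protect the file, e.g. with DPAPI, since it holds refresh tokens.
    }

    // Silent first: with a warm cache nobody is prompted. Only a cache miss or an expired refresh
    // token (MsalUiRequiredException) falls through to the interactive login.
    public async Task<string> GetAccessTokenAsync()
    {
        IEnumerable<IAccount> accounts = await _app.GetAccountsAsync();
        try
        {
            AuthenticationResult result = await _app.AcquireTokenSilent(Scopes, accounts.FirstOrDefault()).ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            AuthenticationResult result = await _app.AcquireTokenInteractive(Scopes)
                .WithPrompt(Prompt.SelectAccount)   // pre-selects the signed-in O365 account
                .ExecuteAsync();
            return result.AccessToken;
        }
    }

    static async Task<JsonDocument> GetJsonAsync(string url, string token)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return JsonDocument.Parse(await response.Content.ReadAsStringAsync());
    }

    public async Task<(string Email, List<string> Groups)> GetEmailAndGroupsAsync()
    {
        string token = await GetAccessTokenAsync();

        using JsonDocument me = await GetJsonAsync("https://graph.microsoft.com/v1.0/me", token);
        // "mail" is null for users without a mailbox; userPrincipalName is always present.
        string email = me.RootElement.TryGetProperty("mail", out var mail) && mail.ValueKind == JsonValueKind.String
            ? mail.GetString()
            : me.RootElement.GetProperty("userPrincipalName").GetString();

        var groups = new List<string>();
        string next = "https://graph.microsoft.com/v1.0/me/memberOf";
        while (next != null)   // results are paged; follow @odata.nextLink until it disappears
        {
            using JsonDocument page = await GetJsonAsync(next, token);
            foreach (JsonElement obj in page.RootElement.GetProperty("value").EnumerateArray())
            {
                // memberOf also lists directory roles and administrative units; keep only groups.
                if (obj.GetProperty("@odata.type").GetString() == "#microsoft.graph.group")
                    groups.Add(obj.GetProperty("displayName").GetString());
            }
            next = page.RootElement.TryGetProperty("@odata.nextLink", out var link) ? link.GetString() : null;
        }
        return (email, groups);
    }

    public static async Task Main()
    {
        var info = new GraphUserInfo("YOUR_CLIENT_ID", "YOUR_TENANT_ID");
        var (email, groups) = await info.GetEmailAndGroupsAsync();
        Console.WriteLine($"{email}: {string.Join(", ", groups)}");
    }
}
```

Two details matter in practice: memberOf is paged, so a single request can silently miss groups, and it returns directory roles as well as groups, so filter on @odata.type before treating an entry as a group.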

Authenticate user application with IAM services

A C# Windows application grants privileges to users with a specific profile in its database. The application does not handle user names and passwords but gets the username of the authenticated user from the Windows session.
They asked me to authenticate the user with an IAM service such as Microsoft IAM. But I'm a bit confused. Does it mean that I have to ask the user for a username and password and verify them with the IAM? I don't want to store passwords in my DB.
I cannot figure out how to use an external IAM.
No, you will not need to deal with passwords.
In short, your application will need to display a mini browser window (WebControl, WebView, etc.) where the IAM provider's login screen is displayed. Users provide their credentials directly to that login screen. Your application never touches those credentials and only receives the valid tokens afterwards from which it can get information like unique user ID, email address, etc.
Check out this WPF tutorial from one of the best IAM providers, auth0 (disclaimer: I'm not affiliated with auth0 in any way).
https://auth0.com/docs/quickstart/native/wpf-winforms/01-login
You can sign up for a free trial account to quickly try it out.
Side note: This method is not entirely safe from abuse, as your application, if malicious, could intercept keystrokes as users type their credentials into the IAM login page (since it is hosted within your application's process).
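The concern in the side note goes away when the login does not run inside the application's process at all. As an added example (not code from the thread or from Auth0's quickstart), the block below performs the authorization code flow with PKCE in the user's system browser and receives only the authorization code on a loopback redirect, the pattern RFC 8252 recommends for native apps. The application never hosts the login page, so it has nothing to keystroke-log; it still ends up with tokens from which to read the user ID and email. The issuer endpoints and client ID are placeholders, the provider must be registered to accept a http://127.0.0.1:<port>/callback/ redirect URI, and the returned id_token still has to be validated before its claims are used.

```csharp
// Added example, not code from the thread or from Auth0's quickstart. Assumes an OpenID Connect
// provider with the placeholder endpoints and client ID below, registered to accept a loopback
// redirect URI (http://127.0.0.1:<port>/callback/). Targets .NET Core 3.0+ / .NET 5+.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class SystemBrowserLogin
{
    const string AuthorizeEndpoint = "https://issuer.example.com/authorize";
    const string TokenEndpoint = "https://issuer.example.com/oauth/token";
    const string ClientId = "YOUR_NATIVE_CLIENT_ID";

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomValue(int byteCount)
    {
        var buffer = new byte[byteCount];
        RandomNumberGenerator.Fill(buffer);
        return Base64Url(buffer);
    }

    // RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    static string Challenge(string verifier)
    {
        using var sha = SHA256.Create();
        return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    static int FreeLoopbackPort()
    {
        var probe = new TcpListener(IPAddress.Loopback, 0);
        probe.Start();
        int port = ((IPEndPoint)probe.LocalEndpoint).Port;
        probe.Stop();
        return port;
    }

    public static async Task<JsonDocument> LoginAsync()
    {
        string redirectUri = $"http://127.0.0.1:{FreeLoopbackPort()}/callback/";
        var listener = new HttpListener();
        listener.Prefixes.Add(redirectUri);
        listener.Start();

        string verifier = RandomValue(32);
        string state = RandomValue(16);
        var query = new Dictionary<string, string>
        {
            ["response_type"] = "code",
            ["client_id"] = ClientId,
            ["redirect_uri"] = redirectUri,
            ["scope"] = "openid profile email",
            ["state"] = state,
            ["code_challenge"] = Challenge(verifier),
            ["code_challenge_method"] = "S256",
        };
        string url = AuthorizeEndpoint + "?" +
            string.Join("&", query.Select(kv => Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value)));

        // Credentials are typed into the user's own browser, a process this application cannot read.
        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });

        string code;
        try
        {
            HttpListenerContext ctx = await listener.GetContextAsync();
            var parameters = ctx.Request.QueryString;
            byte[] body = Encoding.UTF8.GetBytes("<html><body>Login complete, you can close this tab.</body></html>");
            ctx.Response.ContentType = "text/html";
            await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
            ctx.Response.Close();

            if (parameters["state"] != state)
                throw new InvalidOperationException("state mismatch: response was not for our request");
            if (parameters["error"] != null)
                throw new InvalidOperationException("provider returned error: " + parameters["error"]);
            code = parameters["code"] ?? throw new InvalidOperationException("no authorization code in response");
        }
        finally
        {
            listener.Stop();
        }

        // The verifier never travels on the front channel, so it proves this process started the
        // request. A native app has no client secret; PKCE is what stops a stolen code being redeemed.
        using var http = new HttpClient();
        using var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = ClientId,
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
            ["code_verifier"] = verifier,
        });
        using HttpResponseMessage response = await http.PostAsync(TokenEndpoint, form);
        response.EnsureSuccessStatusCode();
        // Validate the id_token (signature, iss, aud, exp) before trusting any claim in it.
        return JsonDocument.Parse(await response.Content.ReadAsStringAsync());
    }

    public static async Task Main()
    {
        using JsonDocument tokens = await LoginAsync();
        Console.WriteLine("id_token received: " + tokens.RootElement.TryGetProperty("id_token", out _));
    }
}
```

The state check is what ties the redirect back to the request this process started; without it any page that can open http://127.0.0.1:<port>/callback/ could hand the app somebody else's code.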

How to detect Active Directory user on ASP.NET page

I have a web application which is largely a content system - that is, it displays help for another system. It doesn't matter who views it. However, there is a list of users I would like to display, and also provide a way to edit the list. On that one page I want to detect the user's Active Directory information, and if the user is in the list of users authorized to change the data, then display an edit icon button to provide a means of editing some element. I do not need nor want Windows Authentication determining whether the user can get to the page, only to discover the user's logon creds.
In short, I want this:
    // Get the user's creds
    // Is user a page editor?
    if (IsPageEditor(UserCreds))
    {
        // put icon buttons for editing
    }
    else
    {
        // don't put icon button there
    }
First, of course, is getting the user credentials. I should add that this will all be on a private company intranet, and every user will be signed into the network.
I do not need nor want Windows Authentication determining whether the user can get to the page, only to discover the user's logon creds.
Why not? Windows Authentication is the obvious, secure way to discover the Windows identity of the connected user.
Any other mechanism is insecure, i.e. a user who is not authorized to edit could spoof an authorized user's identity. Using Windows Authentication doesn't preclude you from allowing any user to access the application.
My understanding of setting Windows.Authentication ON is that it will challenge the user to give user name and password before allowing to view the page
No, this isn't correct. If the server is in the same domain as the client, and the server is configured to allow all domain users to connect, there doesn't need to be a prompt to the end user.
Our trouble ticket system "knows" who we are when we access the page -- it must be getting this information from Active Directory, from the current logged in user.
Probably it is using Windows authentication. Try examining the HTTP flow between the browser and your trouble ticket system with a tool such as Fiddler: you'll probably see an authentication challenge/response.
To get the currently logged-in user you need to call WindowsIdentity.GetCurrent();
From there you can do a lot of things depending on your requirements: get the user's groups, get OU information, etc. For a full AD wrapper I have a full article here:
http://macaalay.com/2010/06/28/active-directory-c/
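As an added example (not code from either answer), the Web Forms code-behind below shows the first answer's approach in practice: Windows Authentication identifies the user, every authenticated domain user may still view the page, and only membership in an AD group turns the edit button on. It assumes IIS with Windows Authentication enabled and Anonymous Authentication disabled, the controls EditButton, SaveButton and CurrentUserLabel on the .aspx, and the web.config fragment shown in the comment; the group name is a placeholder. What Fiddler shows on such a site is a 401 response carrying WWW-Authenticate: Negotiate, which the browser answers with an Authorization: Negotiate header without prompting when the site is in the Local intranet zone. One caveat on the second answer: inside ASP.NET, WindowsIdentity.GetCurrent() returns the identity of the worker process (the application pool account) unless impersonation is configured, so the request's own principal, Context.User, is the one to read.

```csharp
// Added example, not from the thread. Web Forms code-behind for the help page, assuming IIS with
// Windows Authentication enabled and Anonymous Authentication disabled, the controls EditButton,
// SaveButton and CurrentUserLabel on the .aspx, and this web.config (group name is a placeholder):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization>
//       <allow users="*" />     <!-- every authenticated domain user may view the page -->
//     </authorization>
//   </system.web>
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class HelpPage : Page
{
    // Authorize against a group rather than a hard-coded user list: AD admins manage membership.
    const string EditorGroup = @"CORP\HelpEditors";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Context.User is the principal IIS authenticated for this request. WindowsIdentity.GetCurrent()
        // would return the worker-process (app pool) identity unless impersonation is configured.
        IPrincipal user = Context.User;
        CurrentUserLabel.Text = user?.Identity?.IsAuthenticated == true ? user.Identity.Name : "anonymous";
        EditButton.Visible = IsPageEditor(user);
    }

    static bool IsPageEditor(IPrincipal user)
    {
        // For a WindowsPrincipal, IsInRole compares group SIDs in the logon token, so nested
        // groups count. The decision uses the authenticated identity, never a name from the client.
        return user?.Identity?.IsAuthenticated == true && user.IsInRole(EditorGroup);
    }

    // Hiding the button is presentation only; the postback that writes data must check again.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        if (!IsPageEditor(Context.User))
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // ... persist the edited user list ...
    }
}
```

Keeping the editor list as an AD group rather than a list in the application means the page never has to trust a name it did not authenticate itself, which is the spoofing problem the first answer warns about.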

How to authenticate user with Google on page load without login button?

I'm working on a project where I need to include Google authentication, but my superior would like to have it a different way: when the page loads, it checks if the user is logged in to Google, and if so, gets the user's email address.
My question is: is it possible to send an authorization request to Google on page load and authenticate the user without the user having to click any button?
No. Even if the user is logged in to Google in another tab, for example, to be able to access the user's email address you must ask the user for permission.
After the user confirms this, you will receive an access token that you can use to make requests to Google and access the user's email address and other data.

dotnetopenauth - how to bounce login on Google's end

I have a website that allows users to log in with their Google account, http://urlme.cc
Issue: user Bob logs in as bob#gmail.com, then logs back out, and THEN decides that he wants to log in as bob-at-home#gmail.com, one of his alternate Gmail addresses; he can't do that. If he leaves the "remember me" checkbox checked on Google's login page, it'll remember him. Is this possible? I know the user can manually revoke the association on "https://www.google.com/accounts/IssuedAuthSubTokens", but there's got to be an easier way where I, as the developer, can revoke it for him.
Please let me know if I need to word this better!
The "remember me" checkbox only has meaning when the user is logged in to Google.
When he logs into another account, Google will no longer authenticate the previous account, and will instead use the one he is logged into.
In steps:
User logs in as bob#gmail.com to Google
User clicks "sign in with Google" at the site
Google asks the user for permission to authenticate, and asks whether to remember that permission (and not the user)
User is signed in, but decides that it was a bad idea to authenticate with this account
User logs out at the site and at Google
User logs in at Google as bob-at-home#gmail.com
User clicks "sign in with Google" at the site
Since another user is now signed in, and he has not yet granted permission to authenticate, Google asks for the permission, as in step 3.
User has allowed the auth, so now Google returns a different identifier, the one for bob-at-home#gmail.com, and neither Google nor the site has any knowledge that the two accounts are connected in any way. The site sees two separate users, and so does Google.
Also, it doesn't seem like the best idea to limit your users to one provider. OpenID is all about decentralization -- you should at least allow users to manually enter an identifier.
And again: "remember me" means "Don't ask me for permission to send that data the next time.", and not "Remember that the one using this machine is me" (that's the "remember me" when you log in to Google).
And no, there is no way to either revoke the user's permission automatically, or to know that he has one remembered, and I don't see any reason why you might want to.
