Google not showing prompt to select Google account - keycloak

We have a web application with Keycloak as identity broker and a Google SAML app as IdP for a Google-managed workspace for a domain, say mycompany.com. The integration works fine except for the case described below.
If the user is logged in with only one non-SAML-app Google account, Google returns
403 Error: app_not_configured_for_user.
i.e. if I am logged in with my personal Gmail account and not with my mycompany.com account.
I have inspected the SAML AuthnRequest payload with SAML tracer, which has ForceAuthn="true", but it still does not show the account chooser page.
I went through a couple of Stack Overflow threads. A few provided a solution about using the account chooser URL and redirecting it to the auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking to the community to help suggest a clean solution.

This error pretty much depends on which account is the primary one in the Google account chooser as it always takes that to complete the sign in process automatically.
There is no official way or setting from Google to do this, however the most commonly used workaround is to add the following URL to the Start URL section of the SAML app settings for it to force the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL and you need to get them from the Google apps menu next to your profile picture, then hover over the SAML app that you want to change and right click on it, then copy the link address and that will show the idpid and spid values.
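An added example (not from the question or answer above) that extracts idpid and spid from the copied initsso link and builds the Start URL. It percent-encodes the continue target, so a standard query parser attaches spid and forceauthn to the initsso link rather than to the AccountChooser URL itself; the sample idpid and spid values are constructed.

```python
from urllib.parse import urlencode, urlparse, parse_qs

ACCOUNT_CHOOSER = "https://accounts.google.com/AccountChooser"
INITSSO = "https://accounts.google.com/o/saml2/initsso"


def extract_sso_params(copied_link: str) -> dict:
    """Pull idpid and spid out of the SAML app link copied from the Google apps menu."""
    parsed = urlparse(copied_link)
    # Only accept the Google initsso endpoint; anything else is not a SAML app link.
    if (parsed.scheme, parsed.netloc, parsed.path) != ("https", "accounts.google.com", "/o/saml2/initsso"):
        raise ValueError("not a Google SAML initsso link")
    query = parse_qs(parsed.query)
    try:
        return {"idpid": query["idpid"][0], "spid": query["spid"][0]}
    except KeyError as exc:
        raise ValueError(f"missing parameter: {exc.args[0]}") from exc


def build_start_url(idpid: str, spid: str, forceauthn: bool = False) -> str:
    """Build the Start URL: the whole initsso link is percent-encoded as the `continue` value."""
    continue_url = INITSSO + "?" + urlencode(
        {"idpid": idpid, "spid": spid, "forceauthn": str(forceauthn).lower()}
    )
    return ACCOUNT_CHOOSER + "?" + urlencode({"continue": continue_url})


def continue_target(start_url: str) -> str:
    """Decode the `continue` target, i.e. where the account chooser sends the user afterwards."""
    return parse_qs(urlparse(start_url).query)["continue"][0]


def chooser_params(start_url: str) -> list:
    """Top-level parameter names of the Start URL (should be only `continue`)."""
    return sorted(parse_qs(urlparse(start_url).query))
```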

Related

GCP oauth consent screen - Domain Verification for amazoncognito.com

We are using SignIn with Google on our Flutter App that uses AWS Cognito. Recently it started giving an error:
"Error 403: access_denied The developer hasn’t given you access to this app. It’s currently being tested and it hasn’t been verified by Google. If you think you should have access, contact the developer"
The app was in "Testing" and seems to have reached the limit of 100 users. In order to have more than 100 users use the SignIn with Google option, we need to put the Google Authentication App to "Production". In order to do that Google is asking for domain verification of the amazoncognito.com used in "Authorized redirect URIs". Since we don't own this domain we can't verify it.
Can someone please help with how we can get the verification of the GCP "oauth consent screen" done with other domains like amazoncognito.com?
Thanks in advance.
I don't think this is currently possible.
Your best bet would be to file a feature request with Google for a supported verification progress for third-party user identity services.
I would suggest using the Google Workspace add-ons component for this type of request.

Google assistant account linking with facebook

I'm trying to make a chatbot with Dialogflow for Google Home. It requires the user to input a URL. Now it will definitely be a long and complicated URL which I can't recreate, and I can't have the user speak it into the Google Home.
The idea I had was that the user would input the URL on an agent on Messenger. I store this in a Firebase database and then access it with a second agent.
Now the issue I have is authentication. I was hoping to use account linking on my Google Action with Facebook, but I can't log in to Facebook with Google Home. Or if I can, I can't find any documentation specific to that case. Facebook doesn't provide the necessary client ID and secret (as far as I can see).
I managed Amazon and Gmail account linking with Alexa and an Amazon Echo. In those cases, you would have to log in to Google or Amazon on the Alexa app or webpage. Then this will be integrated with your Echo and the skill will become usable.
Anyone have an idea of how I can make the link happen, if not then anyone have an idea as to how I can solve the overall problem?
This question has been left unanswered on other forums, but I was hoping to either get it solved or find an alternative.
There are three approaches to solving your overall problem - getting the URL manually entered and available to your Action. Two of them tackle it the way you've suggested - involving authenticating to Facebook and tying that to the Assistant account somehow. One solves it entirely inside the Assistant.
Account linking to the Facebook account
You've tagged firebase-authentication, so I'm going to assume that you're using it to do the auth and you've enabled Facebook login through it. This means your user has a "Firebase Account", but they log into that account using Facebook.
I will assume you have a way to get the URL from messenger once they're logged in.
The trick in this case is to set up Account Linking between their Firebase account and their Assistant account. This is done by setting up an OAuth2 server that has access to the Firebase accounts and will create authorization and refresh tokens that are given to the Assistant.
In the Action, you'll send the user to the Sign In helper, which will redirect them to your login page and send back a one-time auth code to the Assistant. The assistant will then use your OAuth2 server to exchange this code for auth and refresh tokens. Periodically it will use the refresh token to get new auth tokens.
When the user returns to the conversation through the Assistant, you'll be handed an auth token and you can use this to lookup the user. Since you also know their Facebook account, you can get the URL via however you planned to do so.
There are drawbacks to this method - it is very complicated, and setting up your own OAuth2 server is not for the faint of heart. You may be able to use something like Auth0 instead of Firebase Authentication to accomplish the same thing, but then you don't have the ease of access to the Firebase database.
Account linking to both Facebook and Google
In your Firebase account, however, you don't need to limit them to just logging into Facebook. You can have them use Firebase to record both the Facebook and Google accounts that they're using. This would "link" the two accounts together in your system.
With this, you don't need to set up an OAuth2 server. Instead, you can have the Assistant use Google Sign In for authentication. If the Google Cloud Project that Firebase and the Assistant are using is the same project, then once the user has logged in to your project's web page with their Google account, you'll get an identity token on the Assistant which will contain their Google ID. You can use this to match up with their Firebase account and get the Facebook ID and proceed from there.
But this is still a lot of work and kinda messy, jumping between systems.
Using just the Google Assistant (and maybe a web page)
If you're willing to make some assumptions about the devices your users are using, then you may be able to do it all just using the Assistant. The Assistant doesn't just run on the Google Home and other smart speakers, it also works on most current Android and iOS devices.
So you can detect if they have such a device available and, if they do and they're not currently on it, direct them to switch to that device when you need the URL.
If they don't have such a device available (perhaps because their version of Android is older), and you think this may be a common scenario, you may need to make another entry source available. This could be one of the solutions above, or you may want to just have a simple web page (done via Firebase Hosting and Firebase Functions, perhaps) where they log in using their Google account (so you get their ID) and you let them enter the URL. If you just need a URL - going through Dialogflow may be more complexity than you need.

Google Actions Account Linking Flow

I've written an authorization flow for my action, to do account linking with the "Implicit flow". I have been testing it using the web simulator. When I try to run the action in the web simulator it tells me to link my account, and provides a URL:
"https://assistant.google.com/services/auth/handoffs/auth/start?provider=hello_dev&return_url=https://www.google.com/"
I run that URL and this is what happens:
My Java servlet receives the auth request from Google. It contains what is documented: a GOOGLE_CLIENT_ID, a REDIRECT_URI, a STATE and "response_type=token".
I create an access-token from the Google ID that is logged in by using UserServiceFactory.getUserService().getCurrentUser().getUserId()
I craft a URL to the redirect-uri that contains my ACCESS_TOKEN, token_type=bearer, and state= the state string I originally received
I create a web page for the user that contains that link so they can click it and it executes the link and my account is linked.
That works great and the response is a blank page with a URL that says: "https://www.google.com/?result_code=SUCCESS&result_message=Accounts+now+linked."
However, I wanted a flow that allowed the user to ensure they are logged in, and logged into the Google Account they wanted to link
So, I also present a link that logs them out if they'd like. The link is created by using userService.createLogoutURL(thisUrl)
If they do that, I then present them a link to log in, created using userService.createLoginURL(thisUrl)
Once they have logged in, with a different Google ID, they are back on the original page which allows them to log out again or click the "link account" link.
The situation is that if they click the "link account" link now, the EXACT same link that would have worked successfully before they logged out (except for a different ACCESS_TOKEN value) and logged back in with a different account, the response is a blank page with a URL that says: "https://www.google.com/?result_code=FAILURE&result_message=Account+linking+failed"
Two things of note:
If they log out and log back in with the same account, then the "link account" URL works fine
If they are not logged in at all when beginning the process, and then log in and then use the "link account" link it works fine
So, the only time it fails is when they are logged in, log out, log in with a different account, and click to link accounts. That's when it fails.
The account doesn't matter, multiple different accounts work, as long as the browser is logged into the first account and doesn't change during the flow.
I honestly cannot imagine how this is happening.
This gets even worse if I do it in the Google Home app, as it then returns some "malformed request error" page and basically stops working, PERMANENTLY. Stopping/Starting the action didn't help. Stopping/Starting the Web service didn't help. Rebooting the Android device didn't help. Link Account from the Google Home app was permanently broken. The only way I was able to get it working again was to use the Account Link URL (gotten from the web simulator) in the Chrome Browser on my Android device, which seemed to "reset" everything.
At this time, we require that the Google user who initiates the account linking process, both via the simulator and Google Home application, be the same Google user that logs in via a Google Sign-in option, if it is offered as part of your auth flow. This is a hard requirement.
For this reason, we'd suggest not offering a Google logout option as part of your account linking process.
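The implicit-flow authorization step the question above describes, as an added example that is not the asker's servlet code: it checks the four parameters Google sends, refuses any redirect_uri outside the Google redirect host (assumed to be https://oauth-redirect.googleusercontent.com/r/ from Google's account linking documentation), mints a token for the currently signed-in user and echoes the state unchanged in the URL fragment. The client id, project id and user id are constructed placeholders; the in-memory token dictionary stands in for a real store.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

EXPECTED_CLIENT_ID = "example-client-id"  # placeholder for the client id issued in the Actions console
ALLOWED_REDIRECT_PREFIX = "https://oauth-redirect.googleusercontent.com/r/"  # assumed Google redirect host
ACCESS_TOKENS = {}  # access_token -> signed-in user id (stand-in for a database)


class AuthError(Exception):
    """Raised when the incoming authorization request must be rejected."""


def handle_authorize(params: dict, current_user_id: str) -> str:
    """Validate the implicit-flow request and return the redirect URL that carries the token.

    `params` is the query string Google sent (client_id, redirect_uri, state, response_type);
    `current_user_id` is whoever is signed in to the servlet, i.e. what the question gets from
    UserServiceFactory.getUserService().getCurrentUser().getUserId().
    """
    if params.get("response_type") != "token":
        raise AuthError("unsupported response_type")
    if params.get("client_id") != EXPECTED_CLIENT_ID:
        raise AuthError("unknown client_id")
    redirect_uri = params.get("redirect_uri", "")
    # Never send a bearer token to an arbitrary URL: the target must be Google's registered redirect.
    if not redirect_uri.startswith(ALLOWED_REDIRECT_PREFIX):
        raise AuthError("redirect_uri not registered")
    state = params.get("state")
    if not state:
        raise AuthError("missing state")
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = current_user_id
    # Implicit flow: the token travels in the fragment, and Google's state goes back untouched.
    fragment = urlencode({"access_token": token, "token_type": "bearer", "state": state})
    return f"{redirect_uri}#{fragment}"


def parse_redirect(url: str) -> dict:
    """Split a redirect URL into the pieces Google reads back (used to check the result)."""
    parsed = urlparse(url)
    fields = {k: v[0] for k, v in parse_qs(parsed.fragment).items()}
    return {"redirect_uri": parsed._replace(fragment="").geturl(), **fields}


def user_for_token(token: str):
    """What a later fulfillment request does with the bearer token the Assistant presents."""
    return ACCESS_TOKENS.get(token)
```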

Google Identity Toolkit - Twitter sign in prompts to authorize app every time

I've been using Twitter as one of the IdPs in my Google Identity Toolkit configuration. I followed all the required steps. I'm able to sign in with Twitter and it works fine for the most part except for the 2 issues highlighted below. In my Twitter application settings, Permission is set to "Read only".
Every time I try to sign in with Twitter using an account used previously to sign in, it prompts me to "Authorize app" again. As I understand, the authorization should be one time only unless revoked. Why do I need to authorize with every sign in?
I found this thread: https://twittercommunity.com/t/why-does-my-app-need-permission-granted-every-time-the-user-authenticates-through-oauth/10251/5
It seems like the Sign in with Twitter button is routing to 'https://api.twitter.com/oauth/authorize' instead of 'https://api.twitter.com/oauth/authenticate'. Is this a bug in the GIT?
If I click Cancel instead of Authorize app, it brings me back to my callback page but I get a verifyAssertion error:
[identitytoolkit] verifyAssertion: {"error":{"errors":[{"domain":"global","reason":"invalid","message":""}],"code":400,"message":""}}
What is causing this error?
Any help would be appreciated.
Identity Toolkit is intended to use https://api.twitter.com/oauth/authorize because, according to https://dev.twitter.com/oauth/reference/get/oauth/authorize, a desktop app has to use this.
Which platform are you working on?
If you click Cancel instead of Authorize, Twitter will redirect the user to Identity Toolkit with an error response. As a result, Identity Toolkit cannot verify the user's identity, and fails the verifyAssertion.

Federated authentication in Windows Azure using Facebook as IP

All answers to my question lead to a year-old document (http://msdn.microsoft.com/en-us/library/windowsazure/gg185919.aspx) which is not correct anymore: the section "To obtain a Facebook Application ID and Facebook Application Secret" describes a process that cannot be used on today's Facebook site for developers.
I am hoping that someone who has Facebook experience can get me the "current version" of this 7-step process, described as:
1. Create a Facebook account at http://facebook.com
2. Navigate to http://www.facebook.com/developers/ (my note: this is wrong - the URL should be developers.facebook.com)
3. On the Facebook | Developers page, click the + Set Up New Application button, and then follow the instructions. (What instructions?)
4. On the Facebook | Edit <> page, click the Web Site link on the left. (No such link)
5. Copy Application ID and Application Secret. You will use these when you configure Facebook as an identity provider on the ACS Management Portal in the next step.
6. Specify your fully qualified domain name (FQDN) URL to your namespace, including the leading HTTPS. Your namespace will be different.
7. Click the Save Changes button.
Step 6 is the biggest problem: it is the insertion of Azure ACS-specific information into Facebook's world, and I was not able to find the field on Facebook's app creation form where this belongs. Obviously, I do not know anything about Facebook's app creation.
Apologies #nikivancic for not being able to try it out for myself, but I think what you're looking for is in the application settings.
In Facebook:
1. Click the edit button on the top right for the application you have just created.
2. In the left-hand menu, under Settings, click on Basic (you might already be there).
3. Under 'Select how your app integrates with Facebook', click the 'Website with Facebook Login' option.
4. This will reveal a textbox to enter the URL to redirect to on login. I believe this is where you need to enter the URL to your namespace in ACS.
Again - apologies for not being able to test it right now, but try following this and see if that works