How to script google oauth2 to external website - powershell

targetwebsite.com has a google login button that takes you to the website:
https://targetwebsite.com/login/google
As a response you get the location:
https://accounts.google.com/o/oauth2/auth?client_id=867328024096-e1p5hbmra2s0g2psgqhhl7ldafla8qr9.apps.googleusercontent.com&redirect_uri=https://targetwebsite.com/login/google&response_type=code&scope=https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile&state=cH-mI0
Parts:
https://accounts.google.com/o/oauth2/auth
?client_id=867328024096-e1p5hbmra2s0g2psgqhhl7ldafla8qr9.apps.googleusercontent.com
&redirect_uri=https://targetwebsite.com/login/google
&response_type=code
&scope=https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile
&state=cH-mI0
If you log in there with Google you come back to the link
https://targetwebsite.com/login/google?state=cH-mI0&code=4/0AX4XfWjOprw2J7PfNFkaOCWLEAAiGDkm7UJQPmnzLRwnfp4IhhHf37XoyNsvr3DCGzmRcA&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20openid%20https://www.googleapis.com/auth/userinfo.email&authuser=1&prompt=none
The part "code=4/0AX4X..." is different for each login.
How would it be possible to automate this process? (in PowerShell)
As far as I understand, Google only allows you to create permanent login tokens for your own projects, not for others as in this case.

Related

Google not showing prompt to select Google account

We have a web application with Keycloak as identity broker and a Google SAML app as IdP for a Google managed workspace for a domain, say mycompany.com. Integration works fine except for the case described below.
If the user is logged in with only one non-SAML-app Google account, Google returns
403 Error: app_not_configured_for_user.
i.e. if I am logged in with my personal Gmail account and not with the mycompany.com account.
I have inspected the SAML AuthnRequest payload with SAML tracer; it has ForceAuthn="true" but still the account chooser page does not show up.
I went through a couple of Stack Overflow threads. A few provided a solution using the account chooser URL and redirecting it to the auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking to the community for help suggesting a clean solution.
This error pretty much depends on which account is the primary one in the Google account chooser as it always takes that to complete the sign in process automatically.
There is no official way or setting from Google to do this; however, the most commonly used workaround is to add the following URL to the Start URL section of the SAML app settings for it to force the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]s&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL. You get them from the Google apps menu next to your profile picture: hover over the SAML app that you want to change, right-click on it, then copy the link address, which will show the idpid and spid values.

How does the OAuth2 access grant redirect flow work in an in-app web view?

We have a Flutter app with a Google login feature. In order for it to work, we need to send the access grant code to the backend service. In an SPA workflow, that could easily be done by setting redirect_uri. But in mobile, we cannot do that as it is the app itself (not a website) that the user needs to return to. Is there any way that we can set a redirect_uri that will redirect the user to the app itself (from the in-app web view)? Of course, I should also be able to grab the grant code from the query parameters.
Also an example would be great if it is possible to create such a redirect_uri.
A workaround is to point the redirect_uri to a standard webpage hosted by you, and that webpage uses JavaScript to open the app.
How to open the app from a webpage: lots of ways, such as How to open flutter application from url?
Of course, I should also be able to grab the grant code from the query parameters.
You can find plenty of tutorials about how to do that, since in the approach above, redirect_uri points to a very normal webpage.
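The bridge page the answer describes, as an added example that is not from the answer or from any Flutter project: it reads Google's callback query, forwards code and state to the app's custom scheme and otherwise shows an error instead of bouncing the user. The scheme myflutterapp://oauth/callback is an assumption; the app registers it and, having generated the state, checks it on its side.

```javascript
// Assumed custom scheme registered by the mobile app; not from the answer.
const APP_CALLBACK = 'myflutterapp://oauth/callback';

// Turn the page's own URL (Google's redirect) into the deep link for the app.
// Returns { ok: true, href } or { ok: false, reason } so the page can show a message
// instead of handing the app an unusable callback.
function buildAppRedirect(pageUrl) {
  const q = new URL(pageUrl).searchParams;
  if (q.get('error')) return { ok: false, reason: 'provider error: ' + q.get('error') };
  const code = q.get('code');
  const state = q.get('state');
  if (!code || !state) return { ok: false, reason: 'missing code or state' };
  // Forward only what the app needs, re-encoded; the app generated state and checks it.
  const href = APP_CALLBACK + '?code=' + encodeURIComponent(code) +
               '&state=' + encodeURIComponent(state);
  return { ok: true, href };
}

// Browser entry point: include this as a classic <script> on the page redirect_uri points to.
if (typeof window !== 'undefined') {
  const r = buildAppRedirect(window.location.href);
  if (r.ok) {
    // Drop the code from the browser history entry, then hand off to the app.
    window.history.replaceState(null, '', window.location.pathname);
    window.location.href = r.href;
    // If nothing handled the scheme the page is still visible: tell the user.
    setTimeout(() => { document.body.textContent = 'Open the app to finish signing in.'; }, 1500);
  } else {
    document.body.textContent = 'Sign-in failed: ' + r.reason;
  }
}
```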

Google assistant account linking with facebook

I'm trying to make a chatbot with Dialogflow for Google Home. It requires the user to input a URL. Now it will definitely be a long and complicated URL which I can't recreate, and I can't have the user speak it into the Google Home.
The idea I had was that the user would input the URL on an agent on messenger. I store this on a Firebase database and then access it with a second agent.
Now the issue I have is authentication. I was hoping to use account linking on my Google action with Facebook. But I can't log in to Facebook with Google Home. Or if I can, I can't find any documentation specific to that case. Facebook doesn't provide the necessary client ID and secret (as far as I can see).
I managed Amazon and Gmail account linking with Alexa and an Amazon Echo. In those cases, you would have to log in to Google or Amazon on the Alexa app or webpage. Then this will be integrated with your Echo and the skill will become usable.
Anyone have an idea of how I can make the link happen, if not then anyone have an idea as to how I can solve the overall problem?
This question has been left unanswered on other forums, but I was hoping to either get it solved or find an alternative.
There are three approaches to solving your overall problem - getting the URL manually entered and available to your Action. Two of them tackle it the way you've suggested - involving authenticating to Facebook and tying that to the Assistant account somehow. One solves it entirely inside the Assistant.
Account linking to the Facebook account
You've tagged firebase-authentication, so I'm going to assume that you're using it to do the auth and you've enabled Facebook login through it. This means your user has a "Firebase Account", but they log into that account using Facebook.
I will assume you have a way to get the URL from messenger once they're logged in.
The trick in this case is to set up Account Linking between their Firebase account and their Assistant account. This is done by setting up an OAuth2 server that has access to the Firebase accounts and will create authorization and refresh tokens that are given to the Assistant.
In the Action, you'll send the user to the Sign In helper, which will redirect them to your login page and send back a one-time auth code to the Assistant. The assistant will then use your OAuth2 server to exchange this code for auth and refresh tokens. Periodically it will use the refresh token to get new auth tokens.
When the user returns to the conversation through the Assistant, you'll be handed an auth token and you can use this to lookup the user. Since you also know their Facebook account, you can get the URL via however you planned to do so.
There are drawbacks to this method - it is very complicated, and setting up your own OAuth2 server is not for the faint of heart. You may be able to use something like Auth0 instead of Firebase Authentication to accomplish the same thing, but then you don't have the ease of access to the Firebase database.
Account linking to both Facebook and Google
In your Firebase account, however, you don't need to limit them to just logging into Facebook. You can have them use Firebase to record both the Facebook and Google accounts that they're using. This would "link" the two accounts together in your system.
With this, you don't need to set up an OAuth2 server. Instead, you can have the Assistant use Google Sign In for authentication. If the Google Cloud project that Firebase is using and the one the Assistant is using are the same project, then once the user has logged in to your project's web page with their Google account, you'll get an identity token on the Assistant which will contain their Google ID. You can use this to match up with their Firebase account and get the Facebook ID and proceed from there.
But this is still a lot of work and kinda messy, jumping between systems.
Using just the Google Assistant (and maybe a web page)
If you're willing to make some assumptions about the devices your users are using, then you may be able to do it all just using the Assistant. The Assistant doesn't just run on the Google Home and other smart speakers, it also works on most current Android and iOS devices.
So you can detect if they have such a device available and, if they do and they're not currently on it, direct them to switch to that device when you need the URL.
If they don't have such a device available (perhaps because their version of Android is older), and you think this may be a common scenario, you may need to make another entry source available. This could be one of the solutions above, or you may want to just have a simple web page (done via Firebase Hosting and Firebase Functions, perhaps) where they log in using their Google account (so you get their ID) and you let them enter the URL. If you just need a URL - going through Dialogflow may be more complexity than you need.

Authentication in a mobile app

We are developing a hybrid mobile app (the code is written in HTML and runs in a browser shell as a native app on the device). We need to authenticate the user against an external security manager. I've seen the Gmail app on iPhone, which opens a browser to authenticate the user. We are also looking to do something of that sort. We just need to gather your thoughts on how authentication can be done with some external security manager in a mobile app.
Also I noticed that the Dailymotion website was able to know if the user is authenticated with Facebook. This looks like cross-domain authentication.
Can you please share your thoughts on how Google and others have implemented it?
What you are looking for is OAuth and OpenID services to federate your login. Depending on the architecture of your system you can implement whichever one you like or even a hybrid of both.
Take a look at this link: Federated Login for Google Accounts
It provides all the useful information you need.
Hmm, this question seems old, but in case you haven't found an answer, here's how I did it with my hybrid apps:
Open a URL on the client side with the provider's (Facebook/Twitter/Instagram) URL for login.
The user logs in and is redirected to the server's callback URL (my server is written in Node.js).
Once I've got the access token from the provider, I save this token and then create a token for the client to reuse every time the user wants to access a protected resource.
Download the apk and test it.
If this is what you're looking for you can check out both the client-side code at: https://github.com/malikov/Authenticate.me-client-cordova-ionic
and the server-side code at: https://github.com/malikov/Authenticate.me-Node-Server
Cheers

Where to redirect user after Google SAML Sign Out?

My company uses Google Apps, and we've built a single sign-on application to do our custom authentication.
It's been working just fine for several months.
I've noticed that with certain Google features (like switching accounts), the user is often supposed to get redirected back to a certain web page.
If the user isn't logged into any of our Google Apps accounts, then this works fine. However, if they're logged into one of our Google Apps accounts, then it ends up dead-ending at our sign-out page, because I don't know where I'm supposed to send the user at that point.
We actually don't even use the sign-out page for anything at all, it's only there because it's a required field when setting up SSO for Google Apps.
So my question: Where am I supposed to send the user after they've come to my custom sign-out page?
Where do you send them? Wherever you want them to be after sign out! :)
There are typically two places you get redirected to after sign out: the company's main page, or the sign in page.
For example, if I built an SSO for the Stanford Med School, after sign out, I'd probably redirect to med.stanford.edu or med.stanford.edu/signin (hypothetical).
In your case, I'd either redirect to your company's main page, or redirect back to your custom sign in page.