How is single sign-on not a risk similar to spoofing and phishing?

When you visit some websites, you can register and sign in as an authenticated member of some other organization (Google, Yahoo, etc.).
What's to stop a malicious website from simply presenting a logon screen that purports to authenticate against those other sites, but is in actuality simply gathering usernames and passwords?
Could someone explain how such spoofing is prevented?

You are referring to the OAuth protocol.
Regarding what you ask, notice that you don't enter your credentials on the site you want to log in to but on a specific page of the provider offering OAuth authentication. You can't simply give the user a fake page like you describe, or well... you could, but people familiar with that kind of authentication will notice (e.g. it asks me to log in to Google on a non-Google hosted site?).

Related

How to get programmatic access to a site that requires login without a password?

Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint.
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voilà, it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for Facebook, there's a heap of resources, and even its own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable Facebook login for your website,
you still need to create a Facebook app, then use the access tokens in your website. So when the user clicks on "login with Facebook", the app will ask for permissions and finally you will get the access token, and you can use that in your site to log the user in.

Using Google as the Source IDP

Is there a way of passing username/ password to Google Apps IDP and get a response as to whether a username/ password pair is correct?
I know I can use OAuth for authorization and to access user data, but note that I want to check if the credentials themselves are valid. OAuth for sure will not work for me. I need a way to directly query Google Apps' IDP in particular, not to use it to access something else.
I wish to use this to customize Google's standard login page itself. OAuth doesn't allow me to do that.
Short answer: no.
Google actively tries to prevent the scenario that you describe because it would mean that Google users hand over their Google credentials to your application, a.k.a. phishing.
That precludes branding of the Google login pages as well since it would make it harder for users to verify that they actually type in their credentials on a login page provided by Google.
As said in the other answer, Google Sign-In with OpenID Connect (built on top of OAuth 2.0) is the standardized way to offer users login to your application with their Google account.
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as a relying party, you could authenticate your users based on their Google accounts. Much like the Stack Overflow Google login: http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While it's possible to use the provisioning API and ClientLogin, this is not supported and is possibly against the Google Apps ToS.

Connecting a user to another account (Facebook, Twitter, Google+, etc.)

I have a theoretical question regarding connecting users in the app I'm writing to another account like Facebook, Twitter, etc.
What would be the better solution (in terms of security, best practice, etc.):
1. Connect all accounts to one user and log in to it from
2. Do not allow connect users from different providers and create distinct user for every provider.
Meanwhile, I have an aspect of SSO: in the 1st option, SSO doesn't exist and the user can log in from different providers and use different passwords for the same account (my app account). The same user can log in with a native password, or via Facebook, for example, and provide me his access token for further authentication on the server side.
I would like to hear your opinions and suggestions and to raise new issues.

Google Apps SAML SSO enabled but normal users can still log in using google.com/a/domainname.com

We have enabled SSO for our Google Apps domain. When users try to access http://mail.google.com/a/domainname.com they get redirected to the custom SSO sign-in page URL. But when the URL http://google.com/a/domainname.com is accessed, users are able to log in to the Google Apps user hub without being redirected to the SSO sign-in page URL. As per my understanding, this kind of login should only be enabled for the administrator of the domain. Why is it happening for normal users of our domain?
How can we redirect the http://google.com/a/domainname.com URL to the custom SSO sign-in page? Please help. Thanks in advance.
You can't block people from logging into Google through 'local' credentials, if they know them: they need this for access via mobile devices, where you can't be redirected to a web page for SAML SSO, for example.
The normal solution is to change the password to something the user doesn't know.
Further, if you force 2-factor authentication for your users, this means a user can have one-time passwords for their mobile devices and still have an account password they don't know.
The www.google.com/a/yourdomain.com URL points to the Google cpanel, which can never, ever be restricted through custom SSO, as this is your only recourse to disable SSO. If anything goes wrong, you need to hit that URL to turn off SSO or change SSO settings.
If you wish to restrict access to cpanel, please look into organizations restrictions / superuser privileges; you can restrict cpanel superadmins to only one or two trusted admins.
If you wish to have only a single admin account with access to cpanel, but want to give some cpanel features to regular users, check out some third-party apps in the Google Marketplace; gPanel is especially good as it gives you fine-grained control over who can access what. Couple that with SSO, and you get a complete logging / monitoring / access control solution.

Restrict Google account logins to a specified Apps domain

How can I let users log in to my web app with their Google account, and verify that they logged in from a certain Google Apps domain?
Does the hd parameter to the Google Authorization service ensure that only the selected domain can be used to login?
Or can I get the logged in user's email and verify that it ends with "#domain.com"? This doesn't seem like such a good idea.
After login I also need to access the users' Google Contacts, which according to the documentation requires AuthSub proxy authentication.
Have a look at the OpenID docs others suggested. In brief, you need to redirect the user to a custom login URL based on their domain name, i.e. you need to find out their domain name before you redirect; that is your hd parameter, which indeed forces login to the specified domain.
This is also needed to support SSO for Google Apps domains, where the authentication for the user isn't handled by Google but by a third party service.
Make sure you check the openID provider, not just the email address domain name, once you do get the auth info.
You can use the OpenID endpoints for Google Apps domains as described here: http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains
Depending on your OpenID library, you may or may not be able to use it though. E.g. openid4java doesn't support it yet.
It seems I can use the OpenID+OAuth Hybrid protocol to both identify the user and get an access token to the data APIs, as described in this blog post.
Edit: updated dead link to live blog post.
See this question for info about how to get the user's email using OpenID. I guess I can then verify that it ends with the correct domain name.
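Tying together the first answer on this page (the password is entered on the provider's page, never on the relying party's) and the advice in this last question to rely on the hd parameter and check the provider rather than an e-mail suffix, here is an added example of the relying-party side of Google Sign-In with OpenID Connect. It is not code from any of the answers; the endpoint, parameter and claim names are Google's, while the client id, domain and token values are constructed, and the ID-token signature is assumed to have been verified by a JWT library before the claims reach `validate_claims()`.

```python
# Added example, not code from any answer above: the relying-party side of
# Google Sign-In with OpenID Connect. The redirect points at accounts.google.com
# (the password is typed at Google, not on the app's site) and the ID-token
# claims iss/aud/hd, not an e-mail suffix, decide who belongs to the Apps domain.
# Assumption: the JWT signature was already verified before validate_claims().
from urllib.parse import urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def build_authorization_url(client_id, redirect_uri, hosted_domain, state, nonce):
    """Where the browser is sent: Google's own login page, with hd set to the Apps domain."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "hd": hosted_domain,  # Google then only offers accounts of this domain
        "state": state,       # ties the callback to this browser session
        "nonce": nonce,       # must come back inside the ID token
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def is_provider_login_page(url):
    """What an alert user checks: HTTPS and the provider's host, not the app's."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.netloc == "accounts.google.com"


def naive_suffix_check(email, hosted_domain):
    """The check proposed in the question; it also accepts user@evil-domain.com."""
    return email.endswith(hosted_domain)


def validate_claims(claims, client_id, hosted_domain, expected_nonce):
    """Return the verified e-mail if the provider vouches for this domain, else None."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return None  # not asserted by Google at all
    if claims.get("aud") != client_id:
        return None  # token was minted for some other application
    if claims.get("nonce") != expected_nonce:
        return None  # replayed, or injected from another login attempt
    if claims.get("hd") != hosted_domain:
        return None  # hd is the provider's own statement of the Apps domain
    if not claims.get("email_verified"):
        return None
    return claims.get("email")
```

A consumer Gmail account carries no hd claim at all, so it is rejected by the same check that rejects a different Apps domain.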