What happened to the Acre OAuth Console? - facebook

Following the official Freebase Facebook app tutorial, Step 4 mentions the Acre OAuth Console, but attempting to access the URL provided in the tutorial (inserting your app name and your user id where indicated)
http://<your app name>.<your user id>.user.dev.freebaseapps.com/acre/oauth
results in the error:
No Such file acre in app
Where did the OAuth Console go?

The OAuth console is now part of the application settings dialog which you can get to by clicking on the name of your app at the top left of the Acre IDE. Then, go to the Web Services tab and you can add OAuth keys as usual.
This feature is useful for any APIs that need to use a key to make API requests. All Acre apps are open source so you don't want to put those keys in the source code.

Related

Google not showing prompt to select Google account

We have a web application with Keycloak as identity broker and a Google SAML app as IDP for a Google managed workspace for a domain, say mycompany.com. Integration works fine except for a case described below.
If the user is logged in with only one non SAML app Google account, Google returns
403 Error: app_not_configured_for_user.
i.e. if I am logged in with my personal Gmail account and not with a mycompany.com account.
I have inspected the SAML AuthnRequest payload with SAML tracer; it has ForceAuthn="true", but it still does not show the account chooser page.
I went through a couple of Stack Overflow threads. A few provided a solution using the account chooser URL and redirecting it to the auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking to the community to help suggest a clean solution.
This error pretty much depends on which account is the primary one in the Google account chooser as it always takes that to complete the sign in process automatically.
There is no official way or setting from Google to do this, however the most commonly used workaround is to add the following URL to the Start URL section of the SAML app settings for it to force the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]s&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL and you need to get them from the Google apps menu next to your profile picture, then hover over the SAML app that you want to change and right click on it, then copy the link address and that will show the idpid and spid values.
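The steps in the answer above, as an added Python example that is not part of the original answer: it takes the link address copied from the Google apps menu, extracts idpid and spid, and builds the AccountChooser Start URL with the nested initsso URL percent-encoded, so that a standard URL parser keeps spid and forceauthn inside continue. The sample link and its idpid/spid values are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

GOOGLE_HOST = "accounts.google.com"
INITSSO_PATH = "/o/saml2/initsso"

# Constructed sample of a copied link address; idpid/spid are placeholders.
SAMPLE_LINK = ("https://accounts.google.com/o/saml2/initsso"
               "?idpid=C0example&spid=123456789012&forceauthn=false")
# The same target pasted after continue= without encoding (constructed).
UNENCODED = "https://accounts.google.com/AccountChooser?continue=" + SAMPLE_LINK


def extract_ids(copied_link):
    """Return (idpid, spid) from a copied Google SAML initsso link."""
    parts = urlsplit(copied_link)
    if (parts.scheme != "https" or parts.hostname != GOOGLE_HOST
            or parts.path != INITSSO_PATH):
        raise ValueError("not a Google SAML initsso link")
    query = parse_qs(parts.query)
    try:
        return query["idpid"][0], query["spid"][0]
    except KeyError as missing:
        raise ValueError(f"link has no {missing.args[0]} parameter") from None


def build_start_url(idpid, spid):
    """Build the Start URL; the nested URL is percent-encoded as one value."""
    inner = f"https://{GOOGLE_HOST}{INITSSO_PATH}?" + urlencode(
        {"idpid": idpid, "spid": spid, "forceauthn": "false"})
    return f"https://{GOOGLE_HOST}/AccountChooser?" + urlencode({"continue": inner})


def continue_target(start_url):
    """Return the continue value as a standard URL parser decodes it."""
    return parse_qs(urlsplit(start_url).query)["continue"][0]


if __name__ == "__main__":
    start_url = build_start_url(*extract_ids(SAMPLE_LINK))
    print("Start URL:        ", start_url)
    print("continue decodes: ", continue_target(start_url))
    # Without encoding, everything after the first '&' leaves continue.
    print("unencoded decodes:", continue_target(UNENCODED))
```

Checking `continue_target()` on the value you paste into the Start URL field shows whether spid and forceauthn are still part of the nested URL.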

Google Identity Toolkit - Twitter sign in prompts to authorize app every time

I'm using Twitter as one of the IDPs in my Google Identity Toolkit configuration. I followed all the required steps. I'm able to sign in with Twitter and it works fine for the most part except for 2 issues highlighted below. In my Twitter application settings, Permission is set to "Read only".
Every time I try to sign in with Twitter using an account used previously to sign in, it prompts me to "Authorize app" again. As I understand, the authorization should be one time only unless revoked. Why do I need to authorize with every sign in?
I found this thread: https://twittercommunity.com/t/why-does-my-app-need-permission-granted-every-time-the-user-authenticates-through-oauth/10251/5
It seems like the Sign in with Twitter button is routing to 'https://api.twitter.com/oauth/authorize' instead of 'https://api.twitter.com/oauth/authenticate'. Is this a bug in the GIT?
If I click Cancel instead of Authorize app, it brings me back to my callback page but I get a verifyAssertion error:
[identitytoolkit] verifyAssertion: {"error":{"errors":[{"domain":"global","reason":"invalid","message":""}],"code":400,"message":""}}
What is causing this error?
Any help would be appreciated.
Identity Toolkit is intended to use https://api.twitter.com/oauth/authorize because according to https://dev.twitter.com/oauth/reference/get/oauth/authorize, desktop app has to use this.
Which platform are you working on?
If you click Cancel instead of Authorize, Twitter will redirect user to Identity Toolkit with an error response. As a result, Identity Toolkit cannot verify user's identity, and fails the verifyAssertion.

Google AppsScript - Specify Script Scopes (for REST API calls)

I work a lot with AppsScript within my workplace. I've built lots of custom OAuth2.0 flows within AppsScript, that allow the application to call Google's REST APIs, and I've also worked with enabling the 'built in' API interaction objects (GmailApp, CalendarApp, etc). If you enable any of the built in APIs, the script editor adds the relevant scopes to the project information, and then asks the user for permission to interact with these APIs, when the web app first loads.
If I need to interact with both REST APIs and the few built in API calling objects, the user needs to first grant permission to the built in API scopes, then has to follow a separate OAuth flow, for the REST APIs. This makes for a really ugly user experience.
Is there a way to add REST API scopes to the list of scopes within the project information, so that when the user first loads the app, it asks them to grant permission for ALL scopes that the project will need? I could then retrieve the user's OAuth token from the script session with ScriptApp.getOAuthToken(), and use that in all external REST API calls.
EDIT (~12:00:05 18/DEC/15):
Please note, I already know how to enable APIs through the Developer Console Project that's linked to the AppsScript project - I want to find a way to add ALL APIs that are enabled to the Scripts properties, so that when the user launches the app, it asks them to grant permission to access all enabled APIs on their behalf (even REST apis), so that I don't need a second manual OAuth flow / token for the REST APIs.
EDIT (~14:00:08 18/DEC/15):
I've also looked into the Import/Export functionality within Drive, documented here:
https://developers.google.com/apps-script/import-export
and can't find any way to alter the scopes (or supply any scopes) for the project, this way.
In apps script you can enable specific API if you go to the menu "Resources > Advanced Google Services". It will open a Popup with a list of API, but there you also have the option to go to the Developer Console with the project associated with your Apps Script project.
And from there you can get the necessary information (clientId, etc.) related to the same Apps Script project and use it in your OAuth flow.
If you already have a project with all the required configurations and all the necessary API already enabled, you can also link your current Apps Script project to that app, so you don't have to do the same again.
In the menu "Resources > Developer Console Project", a popup will open and there you will have the option to access the Developer Console, but also you will have the option to associate the current Apps Script project to any other app you already have.
Just keep in mind that when you are trying to use an API you will have to enable it in the "Advanced Google Services", both in the list that the popup shows as well as in the Developer Console.
After doing this, the access tokens will be related to the same app and the users will grant permissions only one time when enabling a new API.
I hope this helps.

Facebook: submitting a native Windows app for review

I built a native Windows app (non Windows-Store) that uses the Facebook API.
I wanted to make it public which means going through their review process which means (among other things) selecting the app's platform.
Sadly a native Windows app is not one of the choices: Facebook app platform selection screenshot
I found 2 unanswered questions on SO on the same topic: one, two.
How should this be done in a proper way?
Thanks in advance.
PS:
I found a post a few days ago where the poster said he registered such an app by setting the platform to "web site" (I didn't keep the link).
This does not look like a good long term solution and also I don't have a domain to provide.
In short, you must set your platform to Web.
The reason for this can be found in the official documentation on building your native logon flow. There is no secure way of creating a logon flow without a server, as this would imply storing your App Secret inside your binary or app config file.
So the recommended (and only supported) way is to create a server which stores the App Secret and handles authentication for you. And use this server from the WebBrowser/WebView control which you embed into your native application.
This means you use the logon flow from a web browser via a custom server and you should have a domain for it (a domain is quite cheap nowadays, it should not be a problem). So you are building a web app embedded into a native app.
For a successful login review do the following:
1. Choose Web as your platform.
2. On the Settings page in the Advanced tab choose Native App.
3. Create a screencast (Start your app, logon, use all the requested permissions and that's it. Do not edit it!) and upload it to the web (YouTube/Vimeo/...).
4. When submitting provide a link to your screencast.

Federated authentication in Windows Azure using Facebook as IP

All answers to my question lead to a year old document (http://msdn.microsoft.com/en-us/library/windowsazure/gg185919.aspx) which is not correct anymore - the section "To obtain a Facebook Application ID and Facebook Application Secret" describes a process that cannot be used on today's Facebook site for developers.
I am hoping that someone who has Facebook experience can get me the "current version" of this 7 steps long process described as:
1. Create a Facebook account at http://facebook.com
2. Navigate to http://www.facebook.com/developers/ (my note: this is wrong - the url should be developers.facebook.com)
3. On the Facebook | Developers page, click the + Set Up New Application button, and then follow the instructions. (What instructions)
4. On the Facebook | Edit <> page, click the Web Site link on the left. (No such link)
5. Copy Application ID and Application Secret. You will use these when you configure Facebook as an identity provider on the ACS Management Portal in the next step
6. Specify your fully qualified domain name (FQDN) URL to your namespace, including the leading HTTPS. Your namespace will be different.
7. Click the Save Changes button
Step 6 is the biggest problem - it is the insertion of Azure ACS specific information into Facebook's world, and I was not able to find the field on Facebook's app creation form where this belongs. Obviously, I do not know anything about Facebook's app creation.
Apologies #nikivancic for not being able to try it out for myself, but I think what you're looking for is in the application settings.
In Facebook:
1. Click the edit button on the top right for the application you have just created.
2. In the left hand menu, under settings, click on Basic (you might already be there).
3. Under 'Select how your app integrates with Facebook', click the 'Website with Facebook Login' option.
This will reveal a textbox to enter the url to redirect to on login - I believe this is where you need to enter the URL to your namespace in ACS.
Again - apologies for not being able to test it right now, but try following this and see if that works