Unable to use Chrome Web Store Publish API due to force 2-Factor verification - google-chrome-extension

Until recently I have been releasing Chrome Extension using Chrome Web Store Publish API. (Automated release process)
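// execSync comes from Node's child_process module.
const { execSync } = require('child_process');
// curl's -F needs "@" before a file name to upload the file's contents.
const response = execSync(`\
curl -X PUT -F 'data=@${process.env.ZIP_FILE}' https://www.googleapis.com/upload/chromewebstore/v1.1/items/${extensionId} \
-H "Authorization: Bearer ${accessToken}" \
-H "x-goog-api-version: 2"
`);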
Due to the latest set of policy changes to limit extension abuse and improve the security of the Chrome Web Store, which include requiring 2FA for Chrome Web Store developers, I am not able to publish Chrome extensions anymore.
Is there any way to release a Chrome extension using the Chrome Web Store Publish API without requiring 2-factor verification?

No, but to clarify, the developer account just needs to have two-factor authentication enabled. You will still be able to publish extensions through an automated script, but 2FA needs to be set up first.
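
The upload call from the question, rewritten as an added example (not code from the original post) so that nothing passes through a shell and the bearer token stays out of curl's argument list, where other local processes could read it. `buildUpload` and `uploadExtension` are hypothetical helper names; reading headers from stdin with `-H @-` assumes curl 7.55.0 or later.

```javascript
// Added example: not part of the original question or answer.
const { execFileSync } = require('node:child_process');

const UPLOAD_BASE =
  'https://www.googleapis.com/upload/chromewebstore/v1.1/items/';

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID = /^[a-p]{32}$/;

// Hypothetical helper: returns curl's argument vector and the stdin payload
// separately, so the secret never appears in the argument vector.
function buildUpload(extensionId, accessToken, zipPath) {
  if (!EXTENSION_ID.test(extensionId)) {
    throw new Error('extension ID must be 32 characters in the range a-p');
  }
  // A CR or LF in the token would inject extra header lines via stdin.
  if (!accessToken || /[\r\n]/.test(accessToken)) {
    throw new Error('access token is empty or contains a line break');
  }
  if (!zipPath) {
    throw new Error('zip path is required');
  }
  return {
    args: [
      '--fail', '--silent', '--show-error',
      '-X', 'PUT',
      '-T', zipPath,                 // send the ZIP as the raw request body
      '-H', 'x-goog-api-version: 2',
      '-H', '@-',                    // read remaining headers from stdin
      UPLOAD_BASE + extensionId,
    ],
    stdin: `Authorization: Bearer ${accessToken}\n`,
  };
}

// Hypothetical helper: runs curl directly (no shell), feeding the
// Authorization header through stdin.
function uploadExtension(extensionId, accessToken, zipPath) {
  const { args, stdin } = buildUpload(extensionId, accessToken, zipPath);
  return execFileSync('curl', args, { input: stdin, encoding: 'utf8' });
}
```

`--fail` makes curl exit non-zero on an HTTP error status, so `execFileSync` throws instead of returning an error body as if the upload had succeeded.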

Related

Token response is returned when using Trusted Origin in Direct Line OAuth

I have added trusted origins in Direct Line with the help of the Microsoft documentation.
https://learn.microsoft.com/en-us/azure/bot-service/bot-service-channel-connect-directline?view=azure-bot-service-4.0#configure-enhanced-authentication
We have provided the URL of the web app in which the application is hosted, and it's working fine in the Chrome browser.
But we are still getting the verification code in Safari, Firefox and sometimes in Chrome incognito when we have more than one account suggestion to sign in.
How can we fix this issue?
In the configuration, the site options have the option to configure the sites with version 3.0, which is the Direct Line protocol, and it must be enabled for the entire application. Then it will get access to all the browsers without any issue.
In the enhanced authentication options, we need to enable the toggle and add the trusted origins of the websites that need to get access to additional protection without any explicit login.
Whenever we are providing the information regarding authentication of the bot, we need to provide the key token in the header initially. The format of the header will be like Authorization: Bearer SECRET_OR_TOKEN.
Check out the additional procedure, which is optional in this case and might be useful in the future, in Generate a Direct Line Token.

Authenticating headless chromium launched inside an Azure Function

In our project we've built an Azure Function which launches Puppeteer in headless mode, goes to our webpage and takes a screenshot of the page, which is then emailed out as a PDF report. It works locally and deployed to Azure. That was the POC though. Now we're moving to production and have introduced authentication (Azure AD B2C, single tenant), will run each HTTP request via APIM, etc.
What happens now:
our Function app was registered in AD as a daemon and receives an access token.
this access token is inserted into 'Bearer ' Authorization header in Puppeteer (page.setExtraHTTPHeaders)
headless browser does not get authenticated and screenshot we receive is of the login screen (Azure SSO)
What needs to happen
we need to convince the react-msal library our FrontEnd is using to authenticate users, that the headless browser should get authenticated and allowed to render the page
The solution I've come up with so far is to replicate msal-react's logic of saving session information into Puppeteer's session storage, so that when msal-react checks for persisted session it will find it and allow headless chromium in. I'm yet to implement it. I'm curious if anyone in the community has experience building something similar.

UWP side loaded app distribution from AAD-protected web site

I've got a LOB UWP application which I want to distribute via the web using the web-based sideloading experience. This is fairly simple using the VS deployment tools which output an HTML file and the required resources. My goal is to publish the assets to an Azure web app and turn on Easy Auth so that only people from my org can reach the installer landing page.
This works fine for restricting access to the html page, but the links which point to the actual installer file fail. I'm guessing it's a mime type issue where the auth middleware doesn't know how to handle an Http request with auth information for a non-standard file type:
I'd appreciate any guidance or suggestions
Microsoft confirmed over on techcommunity.microsoft.com that this is not possible as of yet, but that a solution to support this scenario is on their backlog:
You're correct - the problem is that App Installer is making its own auth request without the inherited web auth tokens. Sending authenticated requests is currently not supported today but this is an item in our backlog and we're working to address this issue.

prevent cookies from login.microsoftonline.com - ADAL

I am developing a healthcare-related web app, and part of HIPAA compliance is that publicly available web apps need to enforce certain log-out behaviors. One such requirement is that when the user clicks "logout" in the app they must be logged out. Relying on the user to close the browser to clear session storage is not an option.
I am using ADAL-js with Angular to handle auth for my app. When you log into the app, login.microsoftonline.com stores cookies. As a result, if you navigate back to the app you are automatically logged back in without being prompted for credentials. That violates the requirement described above. If you use the dev tools in Chrome to delete the cookies for that host, the problem goes away.
Does anyone know of a way with the Azure AD Oauth service to enforce this more strict requirement?
We ended up opening a bug against Azure AD with Microsoft. They have since deployed a fix. This all occurred earlier this year. So this update is a bit late.
ADAL.js exposes a couple of functions, clearCacheForResource() and clearCache(), in the adalAuthenticationService service. After calling adalAuthenticationService.logout(), you can clear the browser cache by calling the above functions. They should clear the cookies.
You can also try using the $cookieService provided by AngularJS, for better control over the cookies.

Chrome packaged app install requires sign-in?

I am not sure if this is new behavior, but I have noticed that it is possible to install chrome extensions from the web store without signing in to Chrome, but currently installing any packaged app (even those which do not request "identity" permissions) is gated by signing into chrome with a Google account.
Is this a bug, or an attempt by Google to get more people to create Google accounts?
At this time (Sept 2013) Packaged Apps offer developers an always signed-in user, and offer users a consistent experience across all devices where they sign into Chrome. All APIs that rely on a signed-in user are available and will work as expected. Identity is one, but so are the various storage APIs that rely on Chrome sync. The application launcher experience is also tied to an individual, synchronizing installed apps to all devices they use.
The team has had some discussions about possible future support of apps not tied to an individual, in incognito or guest mode, etc. If you have thoughts or use cases to share the most productive place to do so is on chromium-apps.
You can allow users to install extensions and apps without having logged into a Google Account when using Inline installation on your website.
If you are a regular user and just want to install an extension from the Chrome Web Store without signing in, you can use the Chrome Extensions Downloader website.
