I have created a platform account and I want to connect my other stripe accounts that I own to the platform account as connected accounts.
In order to connect existing Stripe accounts to a given account you would need to do so using OAuth:
https://stripe.com/docs/connect/oauth-reference
The idea is that you build an OAuth link using your account's client_id, which you can find in the dashboard, something like:
https://connect.stripe.com/oauth/authorize?response_type=code&client_id=ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7&scope=read_write&redirect_uri=https://sub2.example.com
Then, you would send that link to the existing accounts you want to connect to. Once they complete the OAuth flow and grant you access to their accounts, they will be redirected to your redirect_uri with an authorization code. To complete the connection you will need to make a request for an access token using the authorization code from the redirect as shown here:
https://stripe.com/docs/connect/oauth-reference#post-token-request
Related
I have developed web application (Python/Django) for my client and he wants me to add SSO via Azure Active Directory that he setup. Also I need to fetch user profile information (email, upn) and update it when it changes in AD.
I managed to get SSO working using MSAL with auth code flow and able to send requests to Graph API on behalf of user to get profile information (/me).
To get profile updates I created subscription (webhook) to /users resource using app identity (client credentials grant flow).
The problem is that I can't understand how to correlate users I get from subscriptions with users I get from auth code flow via MSAL. Notifications from subscriptions give me ids i can find on azure portal (GUID), but profile information requests on behalf of user dont give me same ids. There are ids, but these ids are differenet (something like c66b9ba73bcba166)
As juunas mentioned, the object id is typically oid or sub.
Example using jwt.ms to examine the ID token:
Also, if your app needs to distinguish between app-only access tokens and access tokens for users, you can use use the idtyp optional claim.
I already setup the Google Identity Provider in Azure Active Directory and can invite users to my application. After the Google user accepts the invitation, I can see their user object in Active Directory. What I would like to do next is to programmatically login the user using the Google federation or get the JWT token of the logged in Google user.
For user objects created in AD, I can programmatically login the users using ROPC. I understand this is not possible for external users authenticated using Google federation.
• Kindly please take note of this that Azure AD does not support ROPC flow method of credential authentication for federated accounts. Also, when you are using ROPC method, your credentials are at risk of compromise as they are passed directly in the body of API authentication request. Thus, I would suggest you use client credential flow for this purpose as it can access the data from both sides.
• Since you want to programmatically login using the Google federated user to some application or SaaS platform, I would suggest you refer the below link which describes sufficiently how you can use the federated domain’s user login credentials to login to an application or a SaaS platform. In this link, it is stated that you should configure the Azure Policy regarding the Home realm discovery to false and configure the federated domain as its preferred domain for logging in. Also, if you want to retrieve the access token only, then you can use the ‘Postman’ application or ‘https://jwt.ms’ as the redirect URI for that purpose.
https://medium.com/#amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d
I have been trying to create a connection with the gmail api. It worked when I followed this example: https://developers.google.com/gmail/api/quickstart/nodejs
The problem is, this requires the user to browse to a URL and then enter an authentication code in the CLI. This is possible on my local dev machine, but I don't see how this should be done when deployed on a production server, in a docker container. Additionally this method requires you to store a file in your project folder containing your credentials (sensitive data that I don't want to have in my Dockerfile obviously).
My second attempt was using JWT. I followed these steps Send mail via Google Apps Gmail using service account domain wide delegation in nodejs. This works until I actually try to retreive the email from the inbox. I get an error saying GaxiosError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.. I have created a service account with domain wide delegation so the account should be authorized to do anything.
Then I read this:
"Service accounts only work with GSuite because you have to be able to preauthorize the service account and grant it access to the users account. There is no way to preauthorize a normal user Gmail account. So no you cant use a service account with a normal users gmail account." source: Client is unauthorized to retrieve access tokens using this method Gmail API C#
I have also looked at using just an api key, but this option is not available for gmail.
How the hell am I supposed to authenticate from my container?
So it turns out the account I was using didn't have the correct rights. We did have a gsuite. Everything is working as expected now! :)
I am not able to authenticate the Azure API's though my application with the email id registered under different domain name. It works for me company email address.
Steps I followed to register the application in AD:
Registered an app in Azure Active Directory.
Set permission requests to allow the client to access the Azure Resource Manager API.
Also, enabled the Multi tenanted option.
Followed URL Azure Authentication
Authorize URL:
/common/oauth2/authorize?
client_id=XXXXXXXXXXXXXXXXXXXXX
&response_type=code
&redirect_uri=calBackURL
&response_mode=query
&resource=https%3a%2f%2fmanagement.azure.com
&state=12345&prompt=consent
Token URL:
/common/oauth2/token?
grant_type=authorization_code
&client_id=xxxxxxxxxx
&code={Code}
&redirect_uri={calBackURL}
&client_secret=xxxxxxxxxx
Error Message:
AADSTS50020: User account 'xxxxxx#hotmail.com' from identity provider
'live.com' does not exist in tenant 'xxxx' and cannot access the
application 'xxxx xxxx xxxx xxxx xxxx'(Azure Demo Builder Dev) in that
tenant. The account needs to be added as an external user in the
tenant first. Sign out and sign in again with a different Azure Active
Directory user account.
Having look on your request code it seems that you are trying to authenticate your application using azure active directory V1.0
Point To Remember
If you look into Microsoft official document you would get to know that azure AD V1.0 does't not support personal account integration for authentication. See the screen shot below:
To make it workable you could use Azure Active Directory V2.0 Or you have to change your personal email either.
For V2.0 Token Request endpoint you could hit following URL
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
The code grant flow you had used on your request you could prepare it for V2.0 by having look here
Note: The v2.0 endpoint and platform has been in preview and continually enhanced. Its not recommended for production version.
Background
I create an CSP Customer (Azure Active Directory) through the REST API and then connect this customer to my Azure Stack. In order to automatically connect their account with the Azure Stack I need to grant this from both sides, customer account and my Stack.
Hence, I need to use the customers password to login and grant Azure Stack access from the customers side.
Problem
I create a CSP customer (password cannot be set during creation) and the password is returned when successful (using the CSP REST API). The password is automatically set to be changed at next login. Hence, I cannot use the returned password programatically until manually setting a new password (not wanted!).
Is there a way to change the customer password using the REST API? Either through CSP or Graph API?
It was possible to change the password for the newly created CSP customer by using the CSP REST API. However, it must be accessed with both API + User credentials in order to be able to change the password.
Change password REST API request:
https://learn.microsoft.com/en-us/partner-center/develop/reset-user-password-for-a-customer
Credentials as described in Partner Center authentication. This
scenario supports authentication with App+User credentials only.