We are implementing an application that should confirm our internal processes. We are using Azure AD and we would like to make this app only for company purposes, so we would like to have it managed by Intune.
When we start the application, we are redirected to the mobile browser where the MS authentication form is shown, and if we log in successfully, their API checks whether the mobile is enrolled under the company management profile; if yes it returns to the app, otherwise it ends up with a warning "only for company purposes".
The problem is that despite having enrolled the mobile, their API does not recognize it and can't proceed. The error description says that the mobile is not registered and the Device ID is null, but when we check the device in the Azure portal we can see that the device has a logged Device ID and is correctly enrolled. And in the list of accesses to this application we can see a log where the login failed (missing Device ID).
This problem occurs only on Android, not on iOS. On iOS everything is OK.
Could the problem be with reading this Device ID from the mobile? On iOS, we set up access to KeychainAccess with microsoft.adalcache. Does anything like that exist on Android?
I have gone through this tutorial: https://github.com/Azure-Samples/active-directory-xamarin-native-v2
Thanks for any idea.
Related
We are advertising our product on Facebook and LinkedIn. When users click on our ads, a webview opens offering Google SSO as a sign-up option. We support only the webview at the moment.
The Google OAuth as a sign-up/login mechanism works on desktop and mobile, but when the site opens inside a mobile app such as Facebook, the user gets this error shown.
The error leads to: https://developers.google.com/identity/protocols/oauth2/web-server#authorization-errors-disallowed-useragent
As I understand it, Google wants us to put 2 configuration files in our site root directory: an "apple-app-site-association.json" file for iPhone and an "AndroidManifest.xml" for Android.
I'm trying to configure them, but I don't understand how to without a mobile app.
This is expected due to security changes to Google's OAuth 2.0 authorization endpoint; you can find more details here
We are using Microsoft Azure Authentication for one of our web apps. Since yesterday, the Authenticator app on one of my boss's phones is not working when he is connected to mobile data during authentication, but when connected to WiFi it is working (I already checked that he has mobile data). He is using an iPhone XS. Can you guys guide me on this?
I later found that the issue was caused by the user having disabled mobile data for the app (only). That is why, when I tried to check whether the internet was working in the browser, it actually worked.
I am developing Cordova-based hybrid mobile apps targeted at Android and iOS smartphones.
Use case: The application authenticates the user, then accesses the Google Calendar APIs, and finally displays the user's events in the app.
Note: I will be using 3-legged OAuth and the Google Data APIs without the client libraries.
Question
The Cordova-enabled WebView provides the application with its entire user interface, so what should be the application type in this case?
Since everything is going on inside the webview, shall I choose "Web Application"?
OR
Do I need to create separate application types for Android and iOS?
Or can the iOS application type work for both Android and iOS?
Please suggest the proper approach to choosing the application type in this case.
Thanks!
It depends on how your app is set up. If you plan on handling all of the OAuth processing on a backend server, then you can use the Web application type and have all the OAuth work offloaded to the backend server.
If you do not have a backend server and will do all OAuth processing on the user's device, then you should create both an iOS and an Android client ID. For example:
https://github.com/EddyVerbruggen/cordova-plugin-googleplus
This plugin's documentation shows the creation of both an iOS and Android client ID to enable Google Sign In on a Cordova app.
I want my app to be able to log in to GTalk and GMail with OAuth2 authentication.
My app runs on feature phones and can't access the internal browser, so I use the "device" OAuth flow as described here.
A POST to https://accounts.google.com/o/oauth2/device/code returns an invalid_scope error (HTTP 400) with the scope set to GTalk:
scope="https://www.googleapis.com/auth/googletalk"
If I set the scope to GMail (https://mail.google.com/), it returns the same error, but if I set the scope to YouTube (https://gdata.youtube.com) all works fine.
Is there a "white list" describing which sources (web, installed app or device) can access which scopes, i.e. is OAuth2 authentication to GTalk and GMail not permitted from a device?
If this is the case, J2ME apps running on feature phones will no longer be able to log in to GTalk/Gmail services once OAuth2 is the only way to log in to these services.
The phones are not smartphones and run neither Android nor iOS!
From Google's OAuth2 developer group on Google Groups (where you also posted this question, but got no answer so far):
Not all scopes are supported to be used with the device flow and that is why you are getting an error.
It would be nice of Google to document this somewhere and state whether these scopes will be enabled for the device flow later or not.
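The device flow the question uses, written out end to end as an added example (not code from the question or from the Google Groups thread): step 1 surfaces the 400 invalid_scope the asker hit, with the offending scope named, and step 2 polls the token endpoint the way the user-approval step requires. The device-code URL is the one from the question; the token endpoint URL, the RFC 8628 grant type value and the pluggable post/sleep hooks are assumptions.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

DEVICE_CODE_URL = "https://accounts.google.com/o/oauth2/device/code"  # endpoint from the question
TOKEN_URL = "https://oauth2.googleapis.com/token"  # assumed: Google's current token endpoint
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # assumed: RFC 8628 grant type

class DeviceFlowError(Exception):
    """Any non-retryable error from either endpoint (invalid_scope, access_denied, ...)."""

def http_post(url, form):
    """Real transport: POST a form body and return (status, JSON body) even on 4xx."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def request_device_code(client_id, scope, post=http_post):
    """Step 1: get device_code/user_code. A 400 invalid_scope (the question's
    symptom for the GTalk/Gmail scopes) is raised with the offending scope named."""
    status, body = post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})
    if status != 200:
        raise DeviceFlowError(f"{body.get('error', 'http_%d' % status)}: scope={scope!r}")
    return body  # device_code, user_code, verification_url, interval, expires_in

def poll_for_token(client_id, client_secret, grant, post=http_post, sleep=time.sleep):
    """Step 2: poll the token endpoint at the server-dictated interval while the user
    approves on another device; honours authorization_pending and slow_down."""
    interval = grant.get("interval", 5)
    deadline = time.monotonic() + grant.get("expires_in", 1800)
    form = {"client_id": client_id, "client_secret": client_secret,
            "device_code": grant["device_code"], "grant_type": DEVICE_GRANT}
    while time.monotonic() < deadline:
        sleep(interval)
        status, body = post(TOKEN_URL, form)
        if status == 200:
            return body  # access_token, refresh_token, expires_in, token_type
        error = body.get("error")
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 seconds and keep polling
        elif error != "authorization_pending":
            raise DeviceFlowError(error or "http_%d" % status)
    raise DeviceFlowError("expired_token")
```

Passing a scripted `post` callable lets the whole exchange be exercised offline; with the defaults it talks to the live endpoints.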
Apps for smart TVs (Samsung, LG and some others) are coded using HTML5 + JS + CSS. I wonder about the feasibility of integrating Microsoft Azure ACS into those smart TVs. I built ACS into ASP.NET MVC 3 and Windows Phone from samples, but I don't really know how to integrate ACS into smart TV apps.
I assume it works more like the Windows Phone 7 approach, but I still have had no luck finding out exactly the workflow of ACS on Windows Phone 7, even though I have the code (it just works out of the box).
Any comments and advice would be a great help.
Thanks.
The workflow for WP7 can be found in the source here:
/// Initiates a token request from ACS following these steps:
/// 1) Get the list of configured Identity Providers from ACS by calling the discovery service
/// 2) Once the user selects their identity provider, navigate to the sign in page of the provider
/// 3) Using the WebBrowser control to complete the passive token request complete
/// 4) Get the token
/// 5) If a RequestSecurityTokenResponseStore is specified, set the token.
/// 6) return the token using the RequestSecurityTokenResponseCompleted callback
But I doubt you want to go down that road, unless the SmartTV has something like a browser control. The other solution would be:
Show a custom login page (you can get the list of identity providers in JSON format)
User selects an identity provider (and will be redirected to Windows Live login page for example)
User logs in and is redirected back to http://smarttv.local/something through a POST request (the url of your app in the SmartTV, if it even has an url??)
Handle the POST request in your app (is that even possible in the SmartTV?)
Any platform that can render a web page can likely use ACS. If the standard window.external.Notify() mechanism used in the WP7 sample isn't supported, you can make your own webpage that accepts the post from ACS and massages the token into whatever kind of HTML or script that the TV app needs to consume.
This is an interesting scenario, though. Is there really a scenario where people are entering usernames and passwords for federated apps on a TV?