I'm developing an extension that, as part of its processing, needs to access the user's message headers. Since they aren't contained in the HTML, a call is made to a servlet running in our server, which is hosted by Amazon Web Services, that connects to the Gmail IMAP server using the user's credentials. However, the first time the user runs the extension, Google sends a warning email to the user asking if it's OK to let the connection happen and blocks the connection until the user OKs it.
Is there any way for the user to OK the connection in advance and if not, how can else I get at the headers?
Related
I'm tasked with making a server using Node.js which will read emails from a Google account and parse the content from those emails into data we can store in a database. I'm using Google's googleapis package (v103.0.0) in NPM to authenticate/authorize with whichever account we'd like to use.
The issue comes when we try to switch accounts and have the user re-auth. During development on a local machine, the Auth process works as expected:
The client requests an Auth URL.
The server generates a new Auth URL and sends it back to the client.
The client redirects to that URL and the Google Consent Screen is shown.
The client is asked to choose between logged-in Google accounts.
The client authorizes the application and is redirected back to the server with a code.
The server uses the code to generate/save a token, which allows it to use the Gmail API.
However, after deploying to Heroku, the Google Consent Screen no longer allows the user to select an account. Instead, at step 3, it shows this message. In just about every other question related to this error, there's always additional information below the error code/message, but nothing's there for me. I made sure: (1) the domain I'm using in Heroku is verified on the Google Cloud Console, and (2) the redirect_uri within the Node.js application is passing the correct domain to the Auth URL, even while in production.
I can't provide the URL for privacy reasons, but let me know if there's any source code or Cloud Console info I should include.
It didn't take long after posting this question, but I realized I was using an incorrect OAuth 2.0 Client ID type. I was attempting to use "Desktop" when I should've been using "Web application" instead. Take a look at this image to see the difference.
When you select "Web application", you're given some new options: Authorized JavaScript origins, and Authorized redirect URIs. This is where you need to fill out the allowed URIs. Here's a sample of what that should look like.
I'm implementing a webdav server. I have everything working fine for anonymous access, but now I want to require authentication.
When a user clicks on a link to open the word document (I'm using the ms-word: protocol), Word sends a couple of HTTTP OPTIONS requests, first with an empty Bearer value in the Authorization header, to which the server responds with a WWW-Authenticate header, and everything is working correctly (after the user authenticates with Word, word sends a follow-up HTTP OPTIONS request with a token value in the header).
However, when Word requests the file itself (using HTTP GET), there is no Authorization header. I've tried having the server respond with a 401 status, but when it does, Word simply gives up and informs the user the file can't be opened.
What's even more troubling is that, from what I can tell, Word sends the GET and OPTIONS requests in parallel, so at the time it sends the GET request, it has no idea that it will be authenticating with the OPTIONS request.
Not sure if this will always be the answer to the issues I described above, but I think it's a combination of problems I was running into. Here's the basics of how I got around the issues I was having.
Delete Office Webdav cache. Office caches information about Webdav servers pretty aggressively. The cache is found in the registry as this location: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\X\Common\Internet\Server Cache where X is the current version of Office you have installed. Delete all subkeys that have your server's URL.
Do not use localhost or 127.0.0.1 for your Webdav. Office seems to behave differently if it knows that your server is local. This may mean needing to add entries into your hosts file to "trick" it into thinking your site is on a remote server.
If using some sort of federated auth (Azure AD, Google, Facebook, etc.) and you are using bearer tokens, Office needs to be told where to go to authenticate, this is done by responding to non-authenticated requests with a 401 status and the WWW-Authenticate header value being set to something like this (I can confirm this works for Azure AD):
Bearer authorization_uri="https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize",trusted_issuers="https://login.microsoftonline.com/*/",client_id="[Azure AD App Client ID]"
Even with the client ID set, it seems like the Application ID URI in the app registration needs to match the server's base URL (protocol + host + port)
I have an API set up on my server (node.js) which potential clients can send request to. One such client would like for me to set up a structure where they would pay only for the amount of their users who would connect to my API. They are creating a mobile application. Regardless mobile or web, I'm not sure how I would be able to track their individual users, to make sure it is their users who are sending requests to my server and not the client himself. The client can make one request and send to 1000 of their users instead of 1000 of the client's users directly connecting to my server.
The only feasible solution I can think of is creating a plugin which they would insert into their app and it would connect directly to our server, bypassing the client's server. Something like a Facebook Share/Like, Google +1 button. Creating the plugin would require to create the entire request and dynamic layout in each platform language, which is outside my scope at the moment.
Is there any way to have the end-users connect directly to my server through the client's app, bypassing the client in the middle, allowing me to know how many users will be connecting?
I have been working on IBM Maximo Anywhere apps such as Work Approval and Work Execution for sometime now have few queries regarding the login mechanism used by these apps. To be specific as per my understanding anyone having access to maximo on that particular environment can login into the anywhere apps - is that a correct statement? and if yes then how does it work in a disconnected state? If for any reason maximo is down will it mean that the app will not be able to authenticate a user and hence unable to login as well? And alongwith that is there any other kind of authentication done for example LDAP etc? Are there any different kinds of login failure messages that are displayed depending on why the app isnt able to let the user login? or is it a common one saying "Login Failed"
The first time the user ever logs into the application, they do have to have a connection to the Maximo server to authenticate. We also validate that the user is authorized to use this particular mobile app. We have a security group for each mobile app that the user must be a member of. After the authentication and authorization finishes, we download, store, and sign the locally stored data with the username/password combination, so that on subsequent login attempts, if the server is down, we can fail over to the locally stored data. This also guarantees that the locally stored data is protected.
We support all of the types of authentication configuration that base Maximo supports.
More information here:
http://www-01.ibm.com/support/knowledgecenter/SSPJLC_7.5.0/com.ibm.si.mpl.doc_7.5.0/security/c_authentication.html
I have few ideas where im not sure if Im correct and if my approach is correct.
The situation is that I got some backend server(s) which exposes REST (of course stateless) interface and expects usage of HTTP authentication via its headers. Then I have some its clients and one of them is web server which has loaded web application that is accessed by typical web browser (using SSL). User via web browser enters his credentials (username and password), which are sent to web server and here comes the thing I want to ask. Web server will delegate all the requests to backend server (REST) putting those credentials to HTTP headers. Is it safe to store those credentials within HTTP session between web server and browser? And if not, where to store them otherwise?
Thanks:-)
for as long as you using session.abandon at the end of the session(application exit or close) all your data should be in theory safe.
Make sure that you close session when application shuts down or user idle for too long.
I usually give no more then 20 minutes. Over HTTPS even less.