Invalid GTalk scope for device in OAUTH2 authorisation process - gmail

I want my app to be able to log in to GTalk and Gmail with OAuth2 authentication.
My app runs on feature phones and can't access the internal browser, so I use the "device" OAuth flow as described here.
A POST to https://accounts.google.com/o/oauth2/device/code returns an invalid_scope error (HTTP 400) with the scope set to GTalk:
scope="https://www.googleapis.com/auth/googletalk"
If I set the scope to Gmail (https://mail.google.com/), it returns the same error, but if I set the scope to YouTube (https://gdata.youtube.com) all works fine.
Is there a "white list" describing which sources (web, installed app or device) can access which scopes, i.e. is OAuth2 authentication not permitted for GTalk and Gmail from a device?
If this is the case, J2ME apps running on feature phones will no longer be able to log in to GTalk/Gmail services once OAuth2 is the only way to log in to these services.
The phones are not smartphones and run neither Android nor iOS!

From Google's OAuth2 developer group on Google Groups (where you also posted this question, but got no answer so far):
Not all scopes are supported for use with the device flow, and that is why you are getting an error.
It would be nice of Google to document this somewhere and state whether these scopes will be enabled for the device flow later or not.
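The device flow the question uses, as an added example (not code from the question or from Google): the device-code request with the scope parameter, the invalid_scope rejection the asker sees, and the token polling with the back-off rules of RFC 8628. The token endpoint URL and grant_type value are assumptions, and the HTTP transport is injected so a constructed stand-in can reproduce the reported behaviour offline.

```python
from typing import Callable

# Endpoint from the question. The token endpoint and grant_type are assumptions for
# illustration; check Google's current device-flow documentation before relying on them.
DEVICE_CODE_URL = "https://accounts.google.com/o/oauth2/device/code"
TOKEN_URL = "https://oauth2.googleapis.com/token"                  # assumption
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"        # RFC 8628 value; assumption for Google
Transport = Callable[[str, dict], tuple]  # (url, form fields) -> (HTTP status, decoded JSON body)

class ScopeNotSupported(Exception):
    """The device endpoint refused the scope (HTTP 400 invalid_scope), as in the question."""

def request_device_code(send: Transport, client_id: str, scope: str) -> dict:
    status, body = send(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})
    if status == 400 and body.get("error") == "invalid_scope":
        raise ScopeNotSupported(scope)
    if status != 200:
        raise RuntimeError(f"device code request failed: {status} {body}")
    return body  # device_code, user_code, verification_url, expires_in, interval

def poll_for_token(send: Transport, sleep, client_id: str, device: dict, max_polls=20) -> dict:
    """Poll the token endpoint, honouring the server's interval and slow_down back-off."""
    interval = device.get("interval", 5)
    for _ in range(max_polls):
        sleep(interval)
        status, body = send(TOKEN_URL, {"client_id": client_id, "code": device["device_code"],
                                        "grant_type": GRANT_TYPE})
        if status == 200:
            return body
        err = body.get("error")
        if err == "slow_down":              # RFC 8628: add 5 seconds to the polling interval
            interval += 5
        elif err != "authorization_pending":
            raise RuntimeError(f"device authorization failed: {err}")  # access_denied, expired_token, ...
    raise TimeoutError("user did not authorize in time")

class FakeGoogle:
    """Constructed stand-in for both endpoints, reproducing the behaviour the question reports."""
    def __init__(self, allowed_scopes):
        self.allowed = set(allowed_scopes)
        self.replies = [(400, {"error": "slow_down"}), (400, {"error": "authorization_pending"}),
                        (200, {"access_token": "at-constructed", "token_type": "Bearer", "expires_in": 3600})]
    def __call__(self, url, form):
        if url == TOKEN_URL:
            return self.replies.pop(0)
        if form["scope"] not in self.allowed:
            return 400, {"error": "invalid_scope"}
        return 200, {"device_code": "dev-constructed", "user_code": "ABCD-EFGH", "interval": 5,
                     "verification_url": "https://www.google.com/device", "expires_in": 1800}
```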

Related

When trying to login to Google's OAuth 2.0 in embedded webviews users get disallowed_useragent

We are advertising our product on Facebook and LinkedIn. When users click on our ads, a webview opens with an option for Google SSO as a sign-up option. We support only webview at the moment.
The Google OAuth as a sign-up/login mechanism works on desktop and mobile, but when the site opens inside a mobile app such as Facebook, the user gets this error shown.
The error leads to: https://developers.google.com/identity/protocols/oauth2/web-server#authorization-errors-disallowed-useragent
As I understand it, Google wants us to set 2 configuration files in our site root directory, an "apple-app-site-association.json" file for iPhone and an "AndroidManifest.xml" for Android.
I'm trying to configure them, but I don't understand how to without a mobile app.
This is expected due to security changes to Google's OAuth 2.0 authorization endpoint; you can find more details here.

How exactly do mobile apps achieve authorization code flow with PKCE?

Let's imagine the following:
I've developed a mobile app using Xamarin (iOS/Android compatible)
I want it to support OAuth2 + OpenID connect's authorization code flow with PKCE, so that the user's credentials are never stored on the device, but rather an access token is. The token grants access to an API used to make the whole mobile app function, meaning the mobile app is simply a front-end interface/UI.
Is my mobile app considered the "client application", or the "Resource owner"?
The third step makes it so hard for me to grasp this. If it's considered the client application, how will following through the whole code flow protect us from anything, as most of the things will be visible (mobile apps are public clients, there is no back-channel)?
If it's considered the resource owner, then does that mean I'd have to whip out an entire dedicated back-end, separate from my API, separate from my Authorization Server, and just specific for the mobile app (it will be the "Client application")?
If someone could shine some light on this, please let me know. The title is not very correct, if it can be edited to better fit this question, I'd be very thankful.
Your mobile app is the client application - with a trust entry configured in the Authorization Server. PKCE works by the mobile app generating a runtime secret used in 2 messages:
The login redirect
An authorization code grant message
See steps 4, 7 and 8 from my article to understand PKCE messages.
Mobile OAuth involves integrating AppAuth libraries which is not easy, though you'll have the best security and usability once complete.
I have a sample Android app and article that you can easily run.
The behaviour on iOS is similar.
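The two PKCE messages the answer names, as an added example (not the answer's article code or any AppAuth library): the login redirect carries only the S256 challenge, the authorization code grant carries the verifier, and the Authorization Server's check binds the two so an intercepted code is useless without the secret that never left the device. The authorize URL, client_id, redirect URI and scopes are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholders, not the asker's real Authorization Server or client registration.
AUTHORIZE_URL = "https://as.example.com/authorize"
CLIENT_ID = "mobile-app-example"
REDIRECT_URI = "com.example.app:/callback"   # custom-scheme redirect typical of a native app

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # RFC 7636: 43..128 unreserved characters; 32 random bytes encode to 43 characters
    return b64url(secrets.token_bytes(32))

def challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_login_redirect(verifier: str, state: str, nonce: str) -> str:
    """Message 1: the app opens this URL in the system browser; only the challenge leaves the device."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile api", "state": state, "nonce": nonce,
              "code_challenge": challenge_s256(verifier), "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)

def build_code_grant(code: str, verifier: str) -> dict:
    """Message 2: form body the app POSTs to the token endpoint, now revealing the verifier."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": verifier}

def server_accepts_code_grant(stored_challenge: str, grant: dict) -> bool:
    """What the Authorization Server checks: S256(code_verifier) must equal the challenge it
    stored with the code at login. Seeing the redirect (challenge) or stealing the code does
    not yield the verifier, which is why a public client with no secret is still protected."""
    return hmac.compare_digest(challenge_s256(grant["code_verifier"]), stored_challenge)
```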

Xamarin Forms MSAL and AAD authentication problem with Device ID

We are implementing an application that should confirm our internal processes. We are using Azure AD and we would like to make this app only for company purposes, so we would like to have it managed by Intune.
When we start the application, we are redirected to the mobile browser where the MS authentication form is, and if we log in successfully, their API checks whether the mobile is enrolled under the company management profile; if yes, it returns to the app, otherwise it ends up with a warning that it is only for company purposes.
The problem is that despite having enrolled the mobile, their API does not recognize it and can't proceed. The error description says that the mobile is not registered and the Device ID is null, but when we check the device in the Azure portal we can see that the device has a logged Device ID and is correctly enrolled. And in the list of access to this application we can see a log entry where the login failed (missing Device ID).
This problem occurs only on Android, not on iOS. On iOS everything is OK.
Could the problem be with reading this device ID from the mobile? On iOS, we set up access to KeyChainAccess with microsoft.adalcache. Does anything like that exist on Android?
I have gone through this tutorial: https://github.com/Azure-Samples/active-directory-xamarin-native-v2
Thanks for any idea.

Authorising a .net user-application through Google or Twitter

My question is similar to this one, but with third party providers instead of Active Directory.
I have an end-user UWP app, and I want to consume my Azure API App. I am NOT using Azure Mobile Apps and its client side SDK.
Most of the documentation is of the sort "copy paste this magic code" and never explains how authentication actually happens.
I was inspecting the Mobile Apps SDK because Microsoft's documentation says that its auth process is the same.
From what I see, the Mobile Apps SDK opens a web view very similar to that produced by a WebAuthenticationBroker. Then every request to the server is accompanied by a header X-ZUMO-AUTH and a token. It appears that this token is issued by the Azure App Service, not the original provider. It is much longer than the tokens issued by Twitter or Google.
At the same time when I point web-browser at the end-point and go through the log-in process, I see that the browser is using a Cookie: ARRAffinity=c4b66198677464de573103f7aa267c33ea38617020514011cea4506e0a55d9d0; AppServiceAuthSession=EIVymV
Questions:
1. The problem is that the Mobile Apps documentation just provides instructions on how to use the SDK. I am unclear on how I would obtain the token issued by the App Service.
2. Everyone knows how to obtain access tokens for Google and Twitter. Can they be used to access Azure API apps?
You are correct that API apps use the same built-in authentication as mobile apps. The basic flow looks like this:
1. Log in to the app using provider credentials. This can be done using either a client-directed flow using your provider's SDK or a server-directed flow involving browser popups (i.e. the web view you mentioned). In the latter case, there is an endpoint at /.auth/login/ which is provided by App Service and manages the login flow for your app.
2. App Service will respond to your client app with a session token (a JWT).
3. You call into your APIs using the session token from #2. It is passed via the x-zumo-auth HTTP request header (it's named this way for legacy reasons).
The AppServiceAuthSession cookie you are seeing is the session cookie for when you use a browser to do authentication. ARRAffinity is an internal routing cookie used by App Service and is not related to auth.
If you're looking for more internal technical details on how the built-in App Service Authentication / Authorization works, check out my blog, starting with this post: http://cgillum.tech/2016/02/01/architecture-of-azure-app-service-authentication-authorization/
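The three-step flow in the answer from the client's side, as an added example (not the answer's or the App Service SDK's code): the client-directed login exchanges a provider token at /.auth/login/google for the App Service session JWT, and every API call then carries that JWT in x-zumo-auth. The hostname, the id_token request body and the session token contents are assumptions; the transport is injected so a constructed stand-in for App Service runs offline.

```python
import base64
import json
from typing import Callable

APP_URL = "https://myapi.azurewebsites.net"   # placeholder API App hostname
Transport = Callable[[str, str, dict, dict], tuple]  # (method, url, headers, json body) -> (status, json)

def _b64url(d: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

# Constructed session token shaped like a JWT; the signature part is not real.
CONSTRUCTED_SESSION_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                                    _b64url({"sub": "sid:abc", "exp": 1700000000, "aud": APP_URL}),
                                    "signature-not-real"])

def login_with_google(send: Transport, google_id_token: str) -> str:
    """Client-directed flow (step 1/2): post the Google id_token to /.auth/login/google and receive
    the App Service session token the SDK would otherwise manage. Body shape is an assumption."""
    status, body = send("POST", f"{APP_URL}/.auth/login/google", {}, {"id_token": google_id_token})
    if status != 200:
        raise PermissionError(f"App Service login failed: {status} {body}")
    return body["authenticationToken"]

def call_api(send: Transport, session_token: str, path: str) -> dict:
    """Step 3: every API call carries the session token in x-zumo-auth, never the Google token."""
    status, body = send("GET", f"{APP_URL}{path}", {"X-ZUMO-AUTH": session_token}, {})
    if status == 401:
        raise PermissionError("session token missing, expired or issued for another app")
    return body

def jwt_claims(token: str) -> dict:
    """Read exp/sub for client-side expiry handling. This does NOT verify the signature;
    only App Service, which holds the signing key, validates the token on each request."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def fake_app_service(method, url, headers, body):
    """Constructed stand-in for App Service that issues and checks the made-up session token."""
    if url.endswith("/.auth/login/google") and method == "POST":
        if body.get("id_token") != "google-id-token-constructed":
            return 401, {"error": "provider token rejected"}
        return 200, {"authenticationToken": CONSTRUCTED_SESSION_JWT, "user": {"userId": "sid:abc"}}
    if headers.get("X-ZUMO-AUTH") != CONSTRUCTED_SESSION_JWT:
        return 401, {}
    return 200, {"message": "hello from the API"}
```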

Access Google Apps Mail

I have to build a web app for the Google Apps Marketplace where my app would enable Google Apps users to access and back up their Google Apps email to my server.
While I have good knowledge of PHP etc., with no prior knowledge of Google Apps development, I have been reading the developers.google.com documentation for the last couple of days and everything is starting to get confused with each other now: SAML, OAuth2, OpenID, SSO etc., and Google Apps Mail and Gmail itself. So far, I have done the hello world app from the documentation that accesses the calendar and uses SSO for it.
I wish you could point me in the right direction about how I should proceed to access the mail of the Google Apps user.
Since you wish to use the Google Apps Marketplace, you'll want to use 2-legged OAuth 1.0 with your application. OAuth 1.0 is officially deprecated but it's still the only supported authentication method to Google Accounts for the Marketplace.
Instructions for authenticating to Gmail IMAP via 2-legged OAuth 1.0 are available at:
https://developers.google.com/gmail/oauth_protocol
Seems like you are in the right place already: if you are going through the main developers.google.com documentation, that's where it should be.
I have had a look through their documentation, and found this though: Mail PHP API Overview
A quote from the above link/documentation:
App Engine applications can send email messages on behalf of the app's administrators, and on behalf of users with Google Accounts. Apps can receive email at various addresses. Apps send messages using the Mail service and receive messages in the form of HTTP requests initiated by App Engine and posted to the app.
More information:
Getting Started - Introduction - Google App Engine
Tutorial - Hello, World! - Google App Engine
Installing the PHP SDK - Google App Engine
EDIT
As I mentioned in the comments below, after further searching, I found this documentation for Google Data Apps APIs which should be helpful (the page currently 404s, but I've sent off a message to Google, so hopefully it should be fixed soon).
There is also a deprecated version of OAuth 1.0 that you could use to authenticate Gmail with IMAP/SMTP, using standard "three-legged" or non-standard "two-legged" OAuth.
