Identity Aware Proxy Page not showing my domain - google-app-engine

I've setup my GCP App Engine app to use the Identity Aware Proxy (IAP) to limit which users can see/use my app. I followed these docs.
However, when I navigate to my page the login screen says: "Sign in
to continue to iap.googleapis.com".
How do I get it to say "Sign in to continue to MYDOMAIN.com"?
I've configured the "OAuth consent screen" properly w/ my domain and contact info, but it doesn't seem to be getting applied.
Any ideas?

Based on this article, verification is required when a project is configured for a user type of External and a publishing status of In production, and would want to display the App or Logo name.
Submitting for verification may not be required, based on the current configuration of your OAuth consent screen. Users may not see all of your app's information, including its name and logo, until your project has completed verification.
Additionally, see this list of OAuth verification criteria:
You want to display an icon or display name for your project on the OAuth consent screen.
Your project's OAuth clients request authorization of any sensitive or restricted scopes.
The number of authorized domains for your project exceeds the domain count limit.
There are changes to your project's OAuth consent screen configuration after a previous published, verified configuration.

Related

SaaS Application with Azure AD authentication as MS Teams App with App Studio

My company is using this service Aha! Ideas for internal idea-sharing. Everything is set up correctly with Aha! and the page site loads and requests the email for the user. Once they put it in the Microsoft credentials from the host machine so an SSO and they are redirected to the secure page. On machines where the user has not authenticated against our domain on the workstation, they are redirected to the Microsoft login and after they login, the user is redirected to the site.
So Great!! that is all working perfectly.
Now, I go into App Studio in Microsoft Teams and set up the site to load as an App in the Sidebar. I have added the main URL as a tab, I have set up the Valid Domains and included login.microsoftonline.com and I have set ADD App ID to the one used in the SAML2 setup of Aha!.
When I load the app I get the page requesting my email, this is from Aha!, and when I submit it should use SSO from Teams to log me in. I am logged in to Teams using my company Microsoft Account. At a minimum, it should redirect to the login.microsoftonline.com and request my username and password. Instead, I get nothing but a blank page.
Anyone have any ideas as to why it's not working, or what I might have done wrong?
'SSO' in the truest sense with Teams -definitely- won't work - it requires changes to the app itself, which you don't control, but even aside from that, depending on how the app ends up doing it's authentication, this still might not work, as you're seeing. Is there maybe a chance Aha! is working on Teams integration?

Is admin consent required in a native app using Directory.AccessAsUser.All?

According to this page, admin consent should not be required for a native app using Directory.AccessAsUser.All
As a side note, for native applications, this permission behaves like a User permission instead. A native app does not have an identity per se, and it is already doing the direct user’s bidding anyway. It stands to reason that the app should be able to do what the user is able to do, just as happens on-premises when a classic native client (say Word or Excel) can or cannot open a document from a network share depending on whether the user has the correct permissions on that folder.
I'm not seeing this in practice. The "API Permissions" page in Azure portal warns me that admin consent will be required, and users attempting to sign in using my app also get told that admin consent is required.
I haven't provided a Web redirect URL, just checked https://login.microsoftonline.com/common/oauth2/nativeclient under the Public Clients section - i'd expect this to be enough for admin consent not to be required, but it doesn't seem to be the case.
Is the doc above wrong, or am I missing something?
That page is wrong, consent framework doesn't allow a permission to be Admin/User.
If it is marked Admin, it requires admin consent.
That may have been right in the past though.

Azure Active Directory B2C user signup without redirect (non interactive)

I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.

Showing Keep Me Signed In when requesting tokens from Azure AD

Is it possible to show the Keep Me Signed In checkbox when logging a user into Active Directory via the login.microsoftonline.com/[tenantId].onmicrosoft.com/oauth2/authorize endpoints? When logging in via login.microsoftonline.com, the page will show the KMSI box, but it is missing on the oauth2 endpoints. See for example the two attached images.
Login endpoint
Authorize endpoint
Based on the test, the Keep me sign-in is only work for the web app. If you developing the web app it should shows like figure below:
This is expected because that Keep me signed in uses the cookies to store the sign-in user info and the native client is not using the broswer.
If you have problem to keep the users sign-in for a long time, you may share the secnario and detail code you were developing.

Custom domain app requesting permission to access Google Account

I refer here to that page you are redirected after you login to GAE app with your google account, which asks your permission to access your google account.
Put this toghether with custom domain and https and you get my problem.
Sorry for the lengthiness. I searched everywhere. Didn't find anything. Not sure it is an OAuth issue (think not).
My configuration:
developed myapp.appspot.com
configured custom domain myapp.mydomain.com to point to myapp
myapp is making use of GAE login service
need for https posts from custom domain (!), solved as follows:
page is loaded in HTTP from http://myapp.mydomain.com
some submit HTTPS URLs are hardcoded in the page, as https://myapp.appspot.com/someservice
same domain policy resolved server side by means of http headers
GAE login service applies both to http://myapp.mydomain.com handler AND https://myapp.appspot.com/someservice handler
The workflow is:
user not yet authenticated
user browse http://myapp.mydomain.com (not ssl)
user is redirected to google account login page
user logins
user is redirected to the abovementioned page: myapp is requesting permission to access user's google account
user grants his permission
user is in - OK
Now comes the problem:
user makes a submit to https://myapp.appspot.com/someservice (so that data is ssl transmitted), which is loginrequired decorated
login is ok, user is not again redirected to the login page,
I think this is because the google login is cross application (the same should appen if the user was already logged in into gmail, to say)
but now https://myapp.appspot.com/ is again requesting permission to access user's google account - and this is the problem
The user is prompted TWICE to grant permission to myapp to access his account:
once when he browse to http://myapp.mydomain.com
and another one when he submits data to https://myapp.appspot.com/someservice
My user doesn't like it and me too !!!
I suspect this is because the user answer (Allow or No Thanks) is saved server side with respect to the URL of the app
and not with respect to some other unique id of the app.
But I have no idea how to solve it or at least work it around.
Thank you for your patience in reading up to here.
Any help would be appreciated.
The cookie that is issued for the user's session is per-domain and per-protocol. As a result, the same session won't work on the appspot app and on your custom domain. This isn't an App Engine limitation - it's simply how HTTP works.
The best solution, currently, is to put the form itself on HTTPS as well (which is in general a good idea anyway).

Resources