I have an node.js application with a working server2server GMail API communication via an service_account.
Everything works fine.
To be able to communicate with a users account, the G Suite Admin has to grant API Acess to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible, to grant access only to specific organizationals units (OUs) and it would be more fancy to use (enabling a marketing place app is more user friendly than configuring API Access for ClientID and Scope manually like here:
)
Now my question: Is it possible to provide a Marketplace App only for the purpose to grant API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?
Yes it is a working way to create a marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is, that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient)
Related
I'm creating an app registration for Azure AD using my admin account (specifically for Mobile and desktop applications authentication). I intend to create an AAD Conditional Access that will be applied to the created app registration. For some reason the App Registration is not visible on the cloud app selection when I am trying to select it.
Screenshot - Conditional Access > Policy > Cloud apps or actions > Select apps
P.S. It showed on the cloud apps when I tried adding a "Web" platform on the app registration, but still CA is not applied when trying to login using the App Registration. Am I missing anything? Thanks in advance.
Screenshot - AAD - Sign-Ins
Please note that the CA policy is applied when a client calls a service. It's not applied directly to a client (public/native) application.
See the Note tip here.
Since Conditional Access policy sets the requirements for accessing a
service you are not able to apply it to a client (public/native)
application. Other words the policy is not set directly on a client
(public/native) application, but is applied when a client calls a
service. For example, a policy set on SharePoint service applies to
the clients calling SharePoint. A policy set on Exchange applies to
the attempt to access the email using Outlook client. That is why
client (public/native) applications are not available for selection in
the Cloud Apps picker and Conditional Access option is not available
in the application settings for the client (public/native) application
registered in your tenant.
It also explains why CA is not applied when you tried to login using the App Registration -- you didn't call a service.
We are trying to integrate Onedrive with a WebApplication. Intent is to get the content from Onedrive into WebApplication on any event.
We are able to integrate and using the "APP Register" in Azure Active Directory and configuring with Graph API for delegation and then using the client id, client secret and tenant id from WebApplication.
Here, I would like to understand, Is it possible for us to create an app on our azure subscription and have a way for others (other companies/clients) to install it on their azure system using OAuth process in order to avoid any creation of app and sharing other details.
Please let me know if the query is clear or not. If not, I will explain more in detail.
Thanks
Sakti
Yes, you can share your application with other organizations, you only need to change your application to a multi-tenant application, because changing the application to multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of other organization tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consent, it will be added to other organization tenants as an enterprise application in.
However, you need to note that after sharing your application, the permissions granted to it in the original tenant will not exist. If you need the application to access the resources of other company tenants, you must request the other company's IT to grant similar access permissions.
Do you know some tool that allow me to create several google accounts in batch mode?
I have Google for Education in my company and I will have to create 100 users account in order to allow them to use my Google Apps applications and forms.
I was wondering if there is a way to create these accounts programmatically or some tool could do that.
Any tip I will be happy to hear!!
Cheers,
Fernando
The Google Admin SDK Directory API allows you to create users programmatically.
You'll need either domain-wide authorization of a service account (established via a Google Console API project) or OAuth2 creds from an admin user in order to successfully make the API calls.
The Facebook app platform supports a "gradual consent" model - whereby an app can be written to request consent from the user for resources only when they are needed. For example, an app may want public_profile all the time, but for a certain function the app also needs user_birthday. The app can be created in such a way that it prompts the user for consent to public_profile as soon as it is installed, but only prompt for user_birthday when the user actually uses the function that requires it. If the user never uses that function, the app never prompts for permission to access user_birthday. Permission is granted to the users resources gradually and only when they are needed - hence, "gradual consent".
Can I implement this pattern with Azure AD Applications? For example, let's say I have a web app with an optional feature that accesses the Microsoft Graph API for a tenants Office 365 resources. Can I build this in such a way that the tenant admin is only prompted to grant access to the Graph API when they enable the optional feature?
Sure, you just need to use the new application model. For an example, see https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-openidconnect-v2/
I have an appengine application that allows users to register themselves. These users must be able to send e-mail from a google apps domain. To do this, I want the appengine application to use the provisioning API to create new users in the apps domain.
I could of course create a custom administrative account for the apps domain. Then I could use a normal gdata.apps.client.ClientLogin. However, that would also mean that the userid and password are stored in source code or in the application.
Is it possible to tell the apps domain that the appengine's service account (its app_identity account) is an administrator for the apps domain?
If that's not possible, any tips on how I can secure the userid and password in the appengine application?
Hans Then
As far as I can tell what I want is not possible. I'll have to setup a userid and password in my apps account and login using that.
You'll need to use 3 legged oauth for authentication with provisioning api. Here's some docs https://developers.google.com/gdata/docs/auth/oauth#Examples