I have an application hosted on Google AppEngine. This app requires users authentication. I know that users can be authenticaded through OpenId, Google Accounts and so on. However, some user don't have any of these accounts. Thus, i have to suggest that they create an OpenId or a Google Account before they can be able to access my application.
I was wondering if it's possible to host an OpenId provider inside AppEngine, this way, instead of suggesting user to go away, create an OpenId and later get back, i could simply display a simple form. In this form, that user could create they new account and, at same time, create an OpenId, since the application would also be an OpenId Provider.
I'm not sure if i could host and OpenId provider inside appengine . Would I?
Thanks a lot
http://code.google.com/p/google-app-engine-samples/ contains a sample OpenID provider application. It uses Google accounts to authenticate, but it shouldn't be too difficult to use it to create your own accounts.
Of course, it's a bit bizarre that you want to create accounts on your service for the users but then use openID to authenticate them from that service to itself; why not just have a non-OpenID login in addition to OpenID if you want to manage some users' accounts yourself?
Related
I want my application to be able to use an external user pool from my customers Azure AD, instead of them having to maually create every user in my application, when they already have them in Azure AD.
Initially, I though of using only OIDC for this as I can just create the user in my application upon the first login. But OIDC does not allow me to logout and deactivate the user in my application when they are deleted in Azure AD. This is an important requirement for my application.
To solve this, I think I could combine OIDC and SCIM:
Azure AD provisions the users to my application through SCIM endpoints. When deactivated, Azure notifies my application through the SCIM endpoints and I can delete their session and deactivate them in my application.
Login is handled with OIDC. When I have a valid OIDC token I create a session in my app. This way I don't have to manage passwords or multi factor authentication in my app.
Does it make sense to use SCIM and OIDC together?
Yes, it makes sense to use SCIM and OIDC together in the way that you describe.
It also has other advantages to "pre-provision" with SCIM: for example, when users want to address accounts other users that have not logged in yet. Adding such a user to a group would not work with "just-in-time account provisioning" since the account would not exist (yet).
I am working on an ASP.Net MVC application which will handle two types of users
External Users (Need to authenticate using Azure B2C with username as login instead of email as login)
Internal Users (which already exist in Corporate Azure AD)
What is the right way of implementing it?
One option is to run two separate instances of the application configured against each IDP. Keep each type of user stick to one app instance.
I tried to register AD and AD B2C in one app by registering two OpenIdConnect services but having problems when the user tries to access a resource without first logging into the application. Without knowing the type of the user I cannot specify AuthenticationSchema in the Authorize tag.
I am sure people have done this before so if you someone who knows how to do it, then please guide me..
I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.
App engine has by default an integrated google sign in features, which gives back the current authenticated user email and ID (permission is asked to the user before).
I was wondering if the app engine has an option to extend to permissions asked to the user to include more scopes for examples (contact information, manage youtube account).
Or is it only possible via oauth authentication?
No, you can only do this via OAuth.
User API uses OpenID which does not support "scopes". OAuth does support scopes so you should use it if you need broader access to users profile.
I have an appengine application that allows users to register themselves. These users must be able to send e-mail from a google apps domain. To do this, I want the appengine application to use the provisioning API to create new users in the apps domain.
I could of course create a custom administrative account for the apps domain. Then I could use a normal gdata.apps.client.ClientLogin. However, that would also mean that the userid and password are stored in source code or in the application.
Is it possible to tell the apps domain that the appengine's service account (its app_identity account) is an administrator for the apps domain?
If that's not possible, any tips on how I can secure the userid and password in the appengine application?
Hans Then
As far as I can tell what I want is not possible. I'll have to setup a userid and password in my apps account and login using that.
You'll need to use 3 legged oauth for authentication with provisioning api. Here's some docs https://developers.google.com/gdata/docs/auth/oauth#Examples