I am trying to implement OpenId for an internal web app. Our college is on Google Apps for Edu, so we have the suite of Google OpenID and OAuth exposed to us.
I would like my login page to have the standard username and password, and additionally a button on the side that will authenticate internal users to our app domain.
I have followed the example here http://www.dotnetopenauth.net/developers/code-snippets/programmatic-openid-relying-party/ but it seems that the rules are different for the Google Apps ID than for a general Google ID.
Any help or further documentation would be helpful.
I have the same problem as you.
For your Google Apps login, your relying party URL is https://www.google.com/accounts/o8/site-xrds?hd=example.com
Where you replace example.com with your URL.
However, as far as I can tell, dotnetopenauth does not handle the protocol extensions Google uses when it returns.
However, using https://www.google.com/accounts/o8/id works perfectly fine.
Using this URL, you pass off users to Google to log in. Google will check for cookies and prompt for a login if required. If not, it'll just confirm with the user that they want to associate their authentication with this site and pass you back.
Still trying to get dotnetopenauth to accept the new URL: https://www.google.com/accounts/o8/site-xrds?hd=example.com
Related
My site uses OAuth2 authentication to let users register/log in via their LinkedIn account.
Implementation is done using PHP.
The problem is: the OAuth2 authentication always opens in the web browser.
It seems this has to be implemented by LinkedIn.
Is there a way to force LinkedIn OAuth to open the app instead of the browser if the app is available?
Not sure if you got your answer after all these years, but generally it would open in the browser to get the user's consent, and then redirect to the URL you provided with an authorization code that you can use to call the API.
We are building several websites/products. If a user has an account on one site, they will also be allowed access to all other sites.
Let's say we have the following setup:
Clients
site1.com
site2.com
Single Sign On Portal
sso.company.com
APIs
api1.company.com
api2.company.com
The Single Sign On Portal supports multiple OAuth providers, such as Google, Microsoft, Facebook, etc., and this is all working great, built on top of the default ASP.NET Web Forms template in VS 2015 using OWIN and Identity.
The SSO site is logging the user in and using a cookie for authentication, which works fine while still on the SSO site. Now we need to return a token that the client site can use to know that the user is authenticated.
Now the challenge here is: how do we exchange the cookie for a token that we can return to the client(s) to use in the Authorization header in requests sent to our APIs?
Should we generate a token ourselves, or is there some built-in functionality we can use for this purpose?
I've seen most people generate a token themselves and then multiple accounts can be linked to that same user in your account (i.e. a user could log into both FB and Google). Most of the SSO providers have a way to get an identity token or one time use code for your server to use and get user info like FacebookId. The key is ensuring that identity token came from FB and not a third party.
Auth0 is a pretty good service if you want a managed route. Even if you don't use them, they have a lot of good resources on OAuth. (I have no affiliation with them other than that we used them before.) We also have a little more info on auth: https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
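An added illustration of the "generate a token yourself" route discussed above (not code from the thread, and not ASP.NET/OWIN API): after the SSO portal has validated its cookie session, it mints a short-lived HMAC-signed token bound to one API, and the API checks signature, audience and expiry. The key, claim names and helper names are assumptions for the sketch; a production system would normally use a maintained JWT or bearer-token library.

```python
import base64, hashlib, hmac, json, time

# Assumption: a secret shared by the SSO portal and the APIs (constructed demo value).
SSO_SIGNING_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user_id, audience, now=None, ttl=300):
    """SSO portal side: call only after the cookie session has been validated."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)

def verify_token(token, expected_audience, now=None):
    """API side: validate the Authorization: Bearer value. Returns claims or None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")           # exactly two parts, else ValueError
        if not hmac.compare_digest(sig, _sign(body)):
            return None                        # forged or altered token
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None                            # malformed input is rejected, not raised
    if claims.get("aud") != expected_audience:
        return None                            # token minted for a different API
    if claims.get("exp", 0) <= now:
        return None                            # expired
    return claims
```

Binding each token to one audience means a token leaked from api1.company.com cannot be replayed against api2.company.com.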
Currently I have a very simple Google authentication built in from the ASP.NET website wizard using Microsoft.AspNet.Membership.OpenAuth
with just a single code line in AuthConfig.cs file
OpenAuth.AuthenticationClients.AddGoogle();
and now I get an error from Google
OpenID auth request contains an unregistered domain
The problem is that I don't know how to update the website to support the new authentication method. I got an API key from Google, but OpenAuth.AuthenticationClients.AddGoogle does not support parameters like the functions for Facebook or Twitter authentication.
If you are using OpenID2 in your code, the problem could occur because Google has disabled OpenID2 for new domains.
I have an issue with one of our clients.
We developed an app, that apparently works fine.
We tested with various accounts.
The issue is that our client can't use the app.
Accessing the client's account, I tried this FB access token tool:
https://developers.facebook.com/tools/access_token/
I tried to use various apps with the client's account, from various vendors.
This is the result (screenshot):
What can be the cause? It seems that this account cannot store any access token from any app.
Thank you!
The Access Token tool will only show tokens for apps that the user is an admin or developer of - if they are just a regular user, this will not show up here.
We have a production site like www.Domain1.com, and are developing a new web application www.domain2.com, and would like to implement single sign-on.
I am looking for a solution pretty much like how Google works: log in to Gmail, and from Gmail navigate to other Google apps, or open a new window and use Picasa or other Google apps without logging in.
I have found an interesting solution, where we will be developing a dedicated authentication site like www.sso.com.
http://www.codeproject.com/KB/aspnet/CrossDomainSSOExample.aspx
We use a web farm environment. Site 1 and site 2 will be deployed in the web farm environment, but when we deploy www.sso.com in the web farm, this solution will not work.
I am sure Google might have implemented the www.sso.com service in a web farm environment. I am trying to understand and implement the same.
Experts, I kindly request your help in this direction; any information helps me.
AFAIK, after Google authenticates the user with the main auth site/service, it issues a set of redirects to auth endpoints on all main domains with a one-time secret key in the URL, so each endpoint on each domain sets auth cookies for the given user.
E.g. the user signs in at http://sso.com/login, then he is redirected to
http://domain1.com/auth?secret=12345
http://domain2.com/auth?secret=12345
...
http://domainX.com/auth?secret=12345
And each domain sets an auth cookie to the browser.
Correct me if I'm wrong.
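An added sketch of the one-time-secret redirect flow described in the answer above (example code, not from the thread or from any Google implementation). It assumes each domain's `/auth` endpoint redeems the secret with the SSO service before setting its cookie, and that the code store is shared by every SSO server in the farm; the class and function names are hypothetical.

```python
import hashlib, secrets, time

class OneTimeCodeStore:
    """Stand-in for a store shared by all SSO servers. Assumption: in a web farm
    this is a database or distributed cache, not per-process memory, so any node
    can redeem a code that another node issued."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._codes = {}  # sha256(code) -> (user_id, domain, expires_at)

    @staticmethod
    def _key(code):
        # Store only a hash so a leaked store does not reveal usable codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id, domain, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # unguessable, unlike a short counter
        self._codes[self._key(code)] = (user_id, domain, now + self.ttl)
        return code

    def redeem(self, code, domain, now=None):
        """Return the user id once; None on replay, wrong domain or expiry."""
        now = time.time() if now is None else now
        entry = self._codes.pop(self._key(code), None)  # pop makes it single-use
        if entry is None:
            return None
        user_id, bound_domain, expires_at = entry
        if bound_domain != domain or now > expires_at:
            return None  # the code stays burned even after a failed attempt
        return user_id

def redirect_urls(store, user_id, domains, now=None):
    """One distinct code per domain, so a code seen by one site is useless on another."""
    return [f"https://{d}/auth?secret={store.issue(user_id, d, now)}" for d in domains]
```

Because the secret travels in a URL it can end up in logs, browser history and Referer headers, which is why the sketch keeps it single-use, short-lived and bound to one domain.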