Do I need a service account for Google Directory API? - python

Bear with me, a total novice at APIs. I'm trying to build a web-app that allows my colleagues within the same domain to view a list of all other users in the domain after logging in. I'm attempting to use Google Directory API. Think of a roster, or org chart of sorts. I plan on using Django and python to build this.
https://developers.google.com/admin-sdk/directory/
I've created an OAuth 2.0 client ID, but I don't know if I need a service account to actually access the list of users. Additionally, I don't manage this domain; do I need to have the administrator grant privileges to this service account?

If you create a service account, the account still has to "act" like a user on the domain, and that user has to have privileges to whatever scope you're using. If you can get the domain admin to give you access to list users, ask him/her for the readonly scope (to imply the impossibility of your app damaging the site).
When you create a service account you'll get a key that will authorize you to act as an account on the domain.
I don't think that you need a service account, but it's a little easier in my opinion.

If you don't manage that domain you cannot get a list of users.
You would need authorization for that service account to use the relevant scope(s). If you can't do it yourself and can't get it done by the administrator then this conversation is over :(
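As an added example (not code from either answer), this is what the service-account route looks like once the domain administrator has authorized the service account for the read-only user scope. The key file path, the impersonated admin address and both function names are assumptions; the libraries are google-auth and google-api-python-client.

```python
# Read-only Directory API scope: the app can list users but cannot modify them.
READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def build_directory_service(key_file, admin_email):
    """Service account "acting" as a domain user who is allowed to list users.

    key_file and admin_email are supplied by the deployer (assumed values);
    the admin must have granted this service account READONLY_SCOPE.
    """
    from google.oauth2 import service_account      # pip install google-auth
    from googleapiclient.discovery import build    # pip install google-api-python-client

    creds = service_account.Credentials.from_service_account_file(
        key_file,
        scopes=[READONLY_SCOPE],   # request nothing broader than read-only
        subject=admin_email,       # the user the service account impersonates
    )
    return build("admin", "directory_v1", credentials=creds)


def list_domain_users(service, page_size=200):
    """Return [(primary email, full name)] for the whole domain, page by page."""
    users, token = [], None
    while True:
        params = {"customer": "my_customer", "maxResults": page_size,
                  "orderBy": "email"}
        if token:
            params["pageToken"] = token
        resp = service.users().list(**params).execute()
        for u in resp.get("users", []):
            full_name = u.get("name", {}).get("fullName", "")
            users.append((u["primaryEmail"], full_name))
        token = resp.get("nextPageToken")
        if not token:
            return users
```

Without the administrator's authorization for that scope, the `list` call is rejected, which is the situation the second answer describes.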

Related

Microsoft Graph API: Limiting MSAL Python Daemon app to individual user access

I am building a Python Daemon app to download files which are accessible to an individual O365 user via Graph API. I am trying to use ConfidentialClientApplication class in MSAL for authorization.
In my understanding - this expects “Application Permissions” (the API permission in Azure AD) and not “Delegated permissions” for which, admin has to consent Files.Read.All.
So the questions I have are:
Does this mean, my app will have access to all the files in the organization after the admin consent?
How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?
Should I rather be using a different auth flow where user consent is also part of the flow: such as on-behalf-of (or) interactive (or) username password?
Thanks!
Does this mean, my app will have access to all the files in the organization after the admin consent?
Yes, it is the downside of application permissions usually.
How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?
I'm pretty sure you can't limit a daemon app's OneDrive access. You can for example limit Exchange access for a daemon app.
Should I rather be using a different auth flow where user consent is also part of the flow: such as on-behalf-of (or) interactive (or) username password?
It would certainly allow you to limit the access to a specific user. In general I recommend that you do not use username+password (ROPC); it won't work anyway if your account has e.g. MFA. The more secure approach would be that you need to initialize the daemon app once with Authorization Code flow. This gives your app a refresh token that it can then use to get an access token for the user when needed (and a new refresh token). Note it is possible for refresh tokens to expire, in which case the user needs to initialize the app again.
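An added example (not the answerer's code) of the "initialize once, then refresh silently" pattern with MSAL for Python. The cache path, the delegated `Files.Read` scope, the public-client app registration and all function names are assumptions; the daemon only ever holds tokens for the one user who signed in.

```python
import os

SCOPES = ["Files.Read"]           # delegated scope: only the signed-in user's files
CACHE_PATH = "token_cache.json"   # assumed location; holds the refresh token


def load_cache(cache, path=CACHE_PATH):
    """Fill an msal.SerializableTokenCache from disk if a cache file exists."""
    if os.path.exists(path):
        with open(path) as fh:
            cache.deserialize(fh.read())
    return cache


def save_cache(cache, path=CACHE_PATH):
    """Persist rotated refresh tokens; create the file readable by owner only."""
    if cache.has_state_changed:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(cache.serialize())


def make_app(client_id, tenant_id, path=CACHE_PATH):
    """Build the MSAL app around the on-disk cache (client_id/tenant_id assumed)."""
    import msal  # pip install msal
    cache = load_cache(msal.SerializableTokenCache(), path)
    app = msal.PublicClientApplication(
        client_id,
        authority="https://login.microsoftonline.com/%s" % tenant_id,
        token_cache=cache,
    )
    return app, cache


def get_user_token(app, cache, interactive=False, path=CACHE_PATH):
    """Return an access token for the cached user, or raise if re-init is needed."""
    result = None
    accounts = app.get_accounts()
    if accounts:
        # Uses the cached refresh token; MSAL stores the new one in the cache.
        result = app.acquire_token_silent(SCOPES, account=accounts[0])
    if not result and interactive:
        # One-time initialization: authorization code flow in a browser.
        result = app.acquire_token_interactive(SCOPES)
    save_cache(cache, path)
    if not result or "access_token" not in result:
        raise RuntimeError("no usable refresh token; sign in interactively again")
    return result["access_token"]
```

Run it once with `interactive=True` on a machine with a browser; the daemon then calls it with the default and treats `RuntimeError` as the expired-refresh-token case the answer mentions.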
You can limit the Application (Admin approved) permissions to specific resources (at least for some resources - e.g. mailboxes, calendars, SharePoint sites, ...)
Using Application Access Policy
An example for using this to restrict mailbox access to one or more users is:
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access#configure-applicationaccesspolicy
This approach isn't possible to set currently in the MSGraph Application definition. Your admin has to use PowerShell to associate an Access Policy to an Application definition.
SharePoint sites restriction
For SharePoint sites, you can use the MS Graph Sites.Selected Application permission to have Admin approved access to specific SharePoint sites.
https://devblogs.microsoft.com/microsoft365dev/updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected/

Instagram-API with python

I recently started using the Instagram API in Python. I successfully built some programs, and then I searched for a way to create an Instagram account through the API - but I couldn't find one.
Is there a way to create an Instagram account from the API (Python), and then send the login details (user, pass) and the token, secret token to the user?
Thanks, and have a nice day.
Check out the documentation and you'll quickly discern that their API isn't designed to allow for third-party, programmatic user account creation.
The only way to create an account with Instagram is by downloading their iOS or Android app and following the account creation process that way.
From an end user perspective, what would be the use case for granting a third party application all the sensitive personal data required to create an Instagram account? Because an end user can only upload media to their account via the app, why wouldn't someone just want to sign up when they download the app?

Is it possible to send an email via Google App Engine from an alias?

Is it possible to send an email using Google App Engine (GAE) from a Google Apps user account alias?
Since we are using a "custom" domain with our app (e.g., "www.example.com"), Google requires us to use a Google Apps paid account to enable web site HTTPS, which is a hidden cost when considering the cost of hosting.
We don't want to have to pay for extra accounts for things like "support@example.com", so we've just set that up as an alias of the paid account. And I don't want to have to be checking multiple accounts. But now we can't figure out how to send email from "support@example.com".
This article explains email sending options, but when I try to use the domain account approach, it basically ends up canonicalizing the support email alias and tells me that my account is already authorized. Anyway, I can't seem to figure out how to get any of the approaches to work for my situation. Is it even possible to do this?
I have been trying to find a solution for this as well, but unfortunately there does not seem to be any way to send email from a domain alias registered to Google Apps using GAE. Or any other domain for that matter.
There is an open ticket with low priority opened here: https://code.google.com/p/googleappengine/issues/detail?id=2766
So I don't have high hopes as the ticket has been open for 5 years.

Authentication with Azure Active Directory - how to accept user credentials programmatically

Is there any way to login via web application or web api to Azure Active Directory (with AD credentials) using my own username and password page which is hosted outside of Azure?
From my investigation it seems there is no programmatic way to send username and password to authenticate users with Azure AD (if you hosted an app outside of Azure).
Not sure if they consider this to be a security hole of some sort (I don't think it is if HTTPS is enforced?)
Seems like you can only authenticate users by going through the code grant (which means popping out of our application to sign on to an external site).
Ultimately I want to create a python flask api that can authenticate against Azure AD directly if possible.
I have done this in the past (with other auth systems) with the OAuth grant_type=password to send username and pass, but I don't think this is supported in Azure AD (correct me if I'm wrong?)
I know grant_type=client_credentials is supported, but that seems like it's service-to-service auth, which is not quite what I'm after.
http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If it's not possible to have a login page hosted outside of Azure for this, is it even possible to have one inside of Azure? It seems like, from the examples here:
http://msdn.microsoft.com/en-us/library/azure/bc8af4ff-66e7-4d5b-b3d4-c33d2c55d270#BKMK_Browser
There is no custom login page with a password field .. (only open id logins it seems)
The Resource Owner Password Credentials Grant (grant_type=password) flow is supported by Azure Active Directory. However, before using it, consider if it is truly required. As it says in the OAuth 2.0 RFC:
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).
If you have determined that the other supported flows will definitely not work for your scenario, then also be sure to follow the second bit of advice in the RFC:
Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.
(Emphasis added in both cases.)
There's a .NET and ADAL sample on GitHub that uses this flow, and it should be simple enough to implement in Python: https://github.com/AzureADSamples/NativeClient-Headless-DotNet
Edit: You can host your application anywhere you want, it doesn't need to be on Azure. This applies to all flows.

How can I protect my AWS access id and secret key in my python application

I'm making an application in Python and using Amazon Web Services in some modules.
I'm now hard-coding my AWS access ID and secret key in a *.py file, or I might move them out to a configuration file in the future.
But there's a problem: how can I protect the AWS information from other people? As far as I know, Python is a language that is easy to decompile.
Is there a way to do this?
Well, what I'm making is an app to help users upload/download stuff from the cloud. I'm using Amazon S3 as cloud storage. As far as I know, Dropbox is also using S3, so I'm wondering how they protect the key.
After a day's research I found something.
I'm now using boto (an AWS library for Python). I can use the function 'generate_url(X)' to get a URL for the app to access the object in S3. The URL will expire in X seconds.
So I can build a web service for my apps to provide them the urls. The AWS keys will not be set into the app but into the web service.
It sounds great, but so far I can only download objects with this function; upload doesn't work. Does anybody know how to use it for uploading?
Does anyone here know how to use key.generate_url() of boto to get a temporary url for uploading stuff to S3?
There's no way to protect your keys if you're going to distribute your code. They're going to be accessible to anyone who has access to your server or source code.
There are two things you can do to protect yourself against malicious use of your keys.
Use the Amazon IAM service to create a set of keys that only has permission to perform the tasks that you require for your script. http://aws.amazon.com/iam/
If you have a mobile app or some other app that will require user accounts you can create a service to create temporary tokens for each user. The user must have a valid token and your keys to perform any actions. If you want to stop a user from using your keys you can stop generating new tokens for them. http://awsdocs.s3.amazonaws.com/STS/latest/sts-api.pdf
Specifically for S3, if you're creating an application to allow people to upload content, the only way to protect your account and the information of the other users is to make them register an account with you.
The first step of the application would be to authenticate with your server.
Once your server authenticates, you make a request to Amazon's token server and return a token.
Your application then makes a request using the keys built into the exe and the token.
Based on the permissions applied to this user he can upload only to the bucket that is assigned to him.
If this seems pretty difficult then you're probably not ready to design an application that will help users upload data to S3. You're going to have significant security problems if you only distribute 1 key; even if you can hide that key from the user, they would be able to edit any data added by any user.
The only way around this is to have each user create their own AWS account and your application will help them upload files to their S3 account. If this is the case then you don't need to worry about protecting the keys because the user will be responsible for adding their own keys after installing your application.
I've been trying to answer the same question... the generate_url(x) looks quite promising.
This link had a suggestion about creating a cloudfront origin access identity, which I'm guessing taps into the IAM authentication... meaning you could create a key for each application without giving away your main account details. With IAM, you can set permissions based on keys as to what they can do, so they can have limited access.
Note: I don't know if this really works, I haven't tried it yet, but it might be another avenue to explore.
2 - Create a Cloudfront "Origin Access Identity"
This identity can be reused for many different distributions and keypairs. It is only used
to allow cloudfront to access your private S3 objects without allowing
everyone. As of now, this step can only be performed using the API.
Boto code is here:
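import boto
# Connect to CloudFront (credentials are read from the environment or boto config)
cf = boto.connect_cloudfront()
# Create a new Origin Access Identity
oai = cf.create_origin_access_identity(comment='New identity for secure videos')
print("Origin Access Identity ID: %s" % oai.id)
print("Origin Access Identity S3CanonicalUserId: %s" % oai.s3_user_id)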
You're right, you can't upload using pre-signed URLs.
There is a different, more complex capability that you can use called GetFederationToken. This will return you some temporary credentials, to which you can apply any policy (permissions) that you like.
So for example, you could write a web service POST /upload that creates a new folder in S3, then creates temporary credentials with permissions to PutObject to only this folder, and returns the folder path and credentials to the caller. Presumably, some authorization check would be performed by this method as well.
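An added example (not code from the answers above) of the credential-issuing step behind such a `POST /upload` service: the long-lived keys stay on the server, and each authenticated user receives short-lived credentials whose policy allows `PutObject` only under that user's prefix. The bucket name, prefix layout and function names are assumptions, and it uses boto3 rather than the older boto library mentioned in the question.

```python
import json
import re

BUCKET = "example-upload-bucket"   # placeholder bucket name (assumption)
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,30}")


def upload_prefix(user_id):
    """Map an already-authenticated user id to that user's own S3 'folder'."""
    # Reject '/', '..', '*' and similar so a user id can never widen the prefix.
    if not _SAFE_ID.fullmatch(user_id):
        raise ValueError("invalid user id")
    return "uploads/%s/" % user_id


def scoped_policy(user_id, bucket=BUCKET):
    """Session policy: PutObject under the caller's prefix and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::%s/%s*" % (bucket, upload_prefix(user_id)),
        }],
    }


def issue_upload_credentials(user_id, sts_client=None, ttl_seconds=900):
    """Server-side only: call after the web service has authenticated user_id."""
    if sts_client is None:
        import boto3  # lazy import: the policy logic above needs no AWS access
        sts_client = boto3.client("sts")
    # Effective permissions are the intersection of this policy and the calling
    # IAM user's own policy, so that IAM user should itself be bucket-limited.
    resp = sts_client.get_federation_token(
        Name="u-" + user_id,
        Policy=json.dumps(scoped_policy(user_id)),
        DurationSeconds=ttl_seconds,
    )
    creds = resp["Credentials"]
    return {
        "prefix": upload_prefix(user_id),
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expires": creds["Expiration"].isoformat(),
    }
```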
You can't embed cloud credentials, or any other credentials, in your application code. Which isn't to say that nobody ever accidentally does this, even security professionals.
To safely distribute credentials to your infrastructure, you need tool support. If you use an AWS facility like CloudFormation, you can (somewhat more) safely give it your credentials. CloudFormation can also create new credentials on the fly. If you use a PaaS like Heroku, you can load your credentials into it, and Heroku will presumably treat them carefully. Another option for AWS is IAM Role. You can create an IAM Role with permission to do what you need, then "pass" the role to your EC2 instance. It will be able to perform the actions permitted by the role.
A final option is a dedicated secrets management service, such as Conjur. (Disclaimer: I'm a founder of the company). You load your credentials and other secrets into a dedicated virtual appliance, and you define access permissions that govern the modification and distribution of the credentials. These permissions can be granted to people or to "robots" like your EC2 box. Credentials can be retrieved via REST or client APIs, and every interaction with credentials is recorded to a permanent record.
Don't put it in applications you plan to distribute. It'll be visible and they can launch instances that are directly billable to you or, worse, they can take down instances if you use it in production.
I would look at your programs design and seriously question why I need to include that information in the app. If you post more details on the design I'm sure we can help you figure out a way in which you don't need to bundle this information.
