Google Auth proxy for subdomains - python

Since Google Auth does not support wildcards in its redirect URLs, I am trying to create a proxy solution for Google Authentication.
I have read the following two posts but need some more clarifications
How to deal with arbitrary amount of redirect URIs?
Subdomain in Google Console Redirect URIs
Primarily I have one domain say www.abcxyz.com
I need to have the Google Auth mechanism work for a number of subdomains, say:
alpha.abcxyz.com
beta.abcxyz.com
and so on for dynamically created subdomains
Following is something I want to try:
I will have only 1 redirect URL in the client secret JSON file, say google.abcxyz.com.
When creating a redirect URL I pass the name of the subdomain 'alpha' in the state parameter.
Once the auth code is sent from Google to google.abcxyz.com, my proxy code reads the state parameter and forwards the request to alpha.abcxyz.com. This domain will then exchange the auth code for an access token and refresh token.
Will this kind of mechanism work or do I need to do something more?
Will access tokens work from the subdomain?
What happens when access token expires?

I initially thought that this issue would be a big hindrance in automating my system, but it looks like there is an easy fix for this.
The redirect URL should contain the primary domain and should be present both in the Google client secrets and in the Google API console.
Pass the subdomain name in the state.
In the primary domain's Apache config, read the query string and redirect accordingly (read this blog to learn how to do redirects based on the query string).
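The proxy step from the answer above, written out as an added Python example (it is not the asker's or the answerer's code, and it replaces the Apache query-string rewrite with a handler you can drop into any Python web framework). The names PROXY_KEY, PARENT_DOMAIN, PROXY_REDIRECT_URI and the /oauth2/callback paths are assumptions for the example. It goes one step beyond the answer: a plain "redirect to whatever host the state names" rule makes google.abcxyz.com an open redirect that delivers auth codes to any host an attacker can put into the state, so the state here is HMAC-signed with a key shared by the subdomains, and the target is restricted to a single DNS label under the parent domain.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values, not from the original post. PROXY_KEY must be a
# random secret known to the proxy host and to every subdomain that starts
# logins (generate it once with secrets.token_bytes(32) and keep it in config).
PROXY_KEY = b"example-only-key-replace-with-32-random-bytes"
PARENT_DOMAIN = "abcxyz.com"
PROXY_REDIRECT_URI = "https://google.abcxyz.com/oauth2/callback"
# One DNS label: letters, digits, hyphens. No dots, so "evil.com" can never
# be smuggled in as a "subdomain".
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(subdomain: str, nonce: str = "") -> str:
    """State value the subdomain puts in the Google authorization URL.

    Carries the subdomain plus a per-login nonce (the subdomain keeps the
    nonce in the user's session and checks it on return, the usual OAuth
    CSRF defence) and an HMAC tag over both, so nobody can forge a state
    that makes the proxy hand an auth code to a host they control.
    """
    if not SUBDOMAIN_RE.match(subdomain):
        raise ValueError("invalid subdomain label")
    payload = json.dumps(
        {"sub": subdomain, "nonce": nonce or secrets.token_urlsafe(16)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def build_auth_url(client_id: str, subdomain: str, scope: str = "openid email") -> str:
    """Authorization URL; redirect_uri is always the single registered proxy URI."""
    params = {
        "client_id": client_id,
        "redirect_uri": PROXY_REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "access_type": "offline",  # ask for a refresh token as well
        "state": make_state(subdomain),
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def proxy_forward_location(callback_url: str) -> str:
    """What google.abcxyz.com does with the request Google redirects to it.

    Returns the Location for a 302 to the subdomain's own callback with code
    and state passed through unchanged; the subdomain then exchanges the
    code itself. Raises on a missing, malformed or forged state so the
    proxy cannot be used as an open redirect.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise PermissionError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    code = qs.get("code", [""])[0]
    if not state or not code or "." not in state:
        raise ValueError("missing code or state")
    payload_b64, tag_b64 = state.split(".", 1)
    try:
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, UnicodeError) as exc:
        raise ValueError("malformed state") from exc
    expected = hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("state signature mismatch")
    subdomain = json.loads(payload)["sub"]
    if not SUBDOMAIN_RE.match(subdomain):
        raise PermissionError("subdomain not allowed")
    target = "https://%s.%s/oauth2/callback" % (subdomain, PARENT_DOMAIN)
    return target + "?" + urlencode({"code": code, "state": state})
```

The subdomain that receives the forwarded code exchanges it with the same client ID and secret, and its token request must carry the proxy's redirect_uri (the one used in the authorization request), not its own hostname, or Google rejects the exchange.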

Related

How to redirect cognito login to website that requires authentication?

What I'm trying to do is create a seamless transition where you log in to Cognito and one way or another you get redirected to your API Gateway resource that requires Cognito token authorization automatically.
My understanding of how to solve this problem:
You log in to Cognito and are redirected to a public API Gateway endpoint that is a Lambda function. The Lambda function takes the code that Cognito passed as a header and uses that to generate a token. Next I want it to redirect to my website that requires Cognito authentication and be logged in.
I'm not even quite sure if this approach is the appropriate one to take but I'm struggling to find resources out there explaining how you go about this.
One more question that might help me understand the problem better:
Are headers held by your current session when you redirect to another link? I ask this because I thought (or at least this is what I've seen in the YouTube tutorials I've watched) that authentication is essentially JUST a header. If you have a valid header token="long random key" then you're authenticated. You want this header to stay in your session when you hop around your website, right?
Can you redirect to a different url from lambda and hold onto your headers? Cause this is essentially what I'm trying to do.
Also I highlight the word automatically because every single youtube video I've seen shows them saying oh just change the word code in the login url to token like this: "https://domain123.auth.us-west-2.amazoncognito.com/login?client_id=19shq1tf1n1&response_type=token&scope=aws.cognito.signin.user.admin+email+openid+phone+profile&redirect_uri=https://actuallywebsiteIwanttogoto.com"
but then the problem is that it gives the access_token in the hash of the URL when you log in successfully. These people showing how to use Cognito are manually extracting the access_token from the URL and calling a GET request on their demo website with the access_token as a header manually. I want to know how to automate this!
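The Lambda step the post describes (code arrives at a public API Gateway route, the function turns it into tokens, then sends the browser on to the site), as an added Python example that is not the poster's code. The Cognito domain and client ID are the placeholders from the login URL in the post; REDIRECT_URI, APP_URL and the cookie name are assumptions. It also shows the answer to the header question: a response header is consumed by that one response, while a cookie set on it is carried by the browser on every later request to that site, so that is where the token goes.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Hypothetical values, not from the original post (the domain and client id
# are the placeholders from the question's login URL).
COGNITO_DOMAIN = "https://domain123.auth.us-west-2.amazoncognito.com"
CLIENT_ID = "19shq1tf1n1"
REDIRECT_URI = "https://api.example.com/auth/callback"   # this Lambda's public route
APP_URL = "https://actuallywebsiteIwanttogoto.com"


def token_request(code: str):
    """URL, headers and form body of the authorization-code grant against
    Cognito's /oauth2/token endpoint. redirect_uri must equal the one used
    in the /login URL or Cognito rejects the exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return COGNITO_DOMAIN + "/oauth2/token", headers, body


def _http_post(url: str, headers: dict, body: str) -> dict:
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def session_cookie(tokens: dict) -> str:
    """Set-Cookie value carrying the id token. HttpOnly keeps page scripts
    from reading it, Secure keeps it off plain HTTP, SameSite=Lax keeps it
    off cross-site POSTs, Max-Age ties it to the token lifetime."""
    max_age = int(tokens.get("expires_in", 3600))
    return ("id_token=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=Lax"
            % (tokens["id_token"], max_age))


def handler(event, context=None, post=_http_post) -> dict:
    """API Gateway proxy-integration handler behind REDIRECT_URI.

    Cognito delivers the code as a query parameter of the redirect, not as
    a header. The `post` argument is injectable so the exchange can be
    exercised offline; Lambda calls handler(event, context) and gets the
    real HTTP client."""
    params = event.get("queryStringParameters") or {}
    if "error" in params:
        return {"statusCode": 403, "body": "login denied: " + params["error"]}
    code = params.get("code")
    if not code:
        return {"statusCode": 400, "body": "missing code"}
    url, headers, body = token_request(code)
    tokens = post(url, headers, body)
    return {
        "statusCode": 302,
        "headers": {"Location": APP_URL, "Cache-Control": "no-store"},
        "multiValueHeaders": {"Set-Cookie": [session_cookie(tokens)]},
        "body": "",
    }
```

Whatever protects the site must then read the token from the cookie (a Lambda authorizer sees the Cookie header). If the protected resource insists on an `Authorization` header instead, the cookie cannot be HttpOnly and a script on the page has to copy it into the header, which exposes the token to every script on that page. The login URL in the post carries no `state`; adding one and checking it here against a value set in a cookie before the redirect to Cognito is what stops a forged callback from logging the browser into someone else's account.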

How do I access the Salesforce API when single-sign on is enabled?

I'm attempting to make SOQL queries to the Salesforce API using the Python salesforce_api and simple-salesforce modules. I had been making these requests with a client object:
from simple_salesforce import Salesforce  # import added; Salesforce is simple-salesforce's client class

client = Salesforce(username='MY_USERNAME',
                    password='MY_PASSWORD',
                    security_token='MY_SALESFORCE_SECURITY_TOKEN')
a = client.query("SELECT something FROM some_object_table WHERE some_condition")
However, my company recently restricted Salesforce sign-in to SSO only (you used to be able to log in directly to Salesforce without SSO), and the function is throwing either:
simple_salesforce.exceptions.SalesforceAuthenticationFailed: INVALID_SSO_GATEWAY_URL: the single sign on gateway url for the org is invalid
Or:
salesforce_api.exceptions.AuthenticationMissingTokenError: Missing or invalid security-token provided.
depending on which module I use. I suspect this is because of the SSO implementation.
I've seen the docs about creating a new app through Okta, but I need to authenticate and access the API of an existing app. What is the best way to access this API with Okta IdP enabled? It there a way to have a get request to Okta return an access token for Salesforce?
Uh. It's doable but it's an art. I'll try to write it up but you should have a look at "Identity and Access Management" Salesforce certification, study guides etc. Try also asking at salesforce.stackexchange.com, might get better answers and Okta specialists.
I don't know if there's pure server-side access to Okta where you'd provide OAuth2 client, secret, username and password and it'd be silently passed to login.
If your app is a proper web application that needs a human to operate - you can still make it work with SSO. You'd have to read about OAuth2 in general (you saw it on the web, all the "login with Google/Facebook/LinkedIn/Twitter/..." buttons) and then implement something like this or this. The human starts in your app, gets redirected to SF to enter username and password (you don't see the password and you don't care whether they encountered the normal SF login page or some SSO), on success they are redirected back and you receive info that'll let you obtain a session id (sometimes called an access token). Once you have the access token you can make queries etc., it's just a matter of passing it as an HTTP Authorization Bearer header (simple-salesforce docs mention session id at the top of the examples).
Look, I know what I've written doesn't make much sense. Download Data Loader and try to use it. You might have to make it use custom domain on login but there is a way for it to still work, even though you have SSO enforced. Your goal would be to build similar app to how Data Loader does it. This might help a bit: https://stackoverflow.com/a/61820476/313628
If you need a true backend integration without human involved... tricky. That might be a management problem though. They should not enforce SSO on everybody. When Okta's down you're locked out of the org, no way to disable SSO. You should have a backup plan, some service account(s) that don't have SSO enforced. They might have crazy password requirements, maybe login only from office IP address, whatever. It's not a good idea to enforce SSO on everybody.
https://help.salesforce.com/articleView?id=sso_tips.htm
We recommend that you don’t enable SSO for Salesforce admins. If your
Salesforce admins are SSO users and your SSO server has an outage,
they have no way to log in to Salesforce. Make sure that Salesforce
admins can log in to Salesforce so that they can disable SSO if
problems occur.
(If you have a web app and it's embedded as Canvas in SF - there's another clean way to have the session id passed to you. Again - this works only if you have a human rather than backend integration)
If you check the profiles in SFDC and uncheck the box that requires SSO.
"is single sign-on Enabled [] Delegate username and password authentication to a corporate database instead of the salesforce.com user database. "

Google API: Understanding redirect URI

I want to use Google API to track the number of tweets a particular website (say Rbloggers) make each day. And I am trying to do it in Python.
I am completely new to this. So, I was looking at the hello-analytics-api, in which I need to deal with OAuth 2.0. And I have no idea what to put down for the redirect URI.
I have read
What's a redirect URI? how does it apply to iOS app for OAuth2.0?
But I still don't quite understand the concepts and what I should put down for the 'redirect URI' ?
From Choosing a redirect URI
When you create a client ID in the Google Developers Console, two redirect_uris are created for you: urn:ietf:wg:oauth:2.0:oob and http://localhost. The value your application uses determines how the authorization code is returned to your application.
In the case of desktop apps or programs, you should set it to urn:ietf:wg:oauth:2.0:oob so that you will be redirected to a page where you can copy the authorization code from the browser and paste it into your desktop app.
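The other redirect URI the quoted docs mention, http://localhost, in working form as an added Python example (not the answerer's code, and not part of hello-analytics-api): a script that binds a loopback port, sends the user to Google with that port as redirect_uri, and captures the authorization code when the browser is redirected back. The client ID and scope are placeholders; `simulate_browser_redirect` is constructed so the listener can be exercised offline and stands in for the real browser.

```python
import secrets
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


class _CallbackHandler(BaseHTTPRequestHandler):
    """Handles the single GET the browser makes when Google redirects back."""

    def do_GET(self):
        qs = parse_qs(urlsplit(self.path).query)
        self.server.result = {k: v[0] for k, v in qs.items()}
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"Authorization received; you can close this tab.")

    def log_message(self, *args):  # keep the console quiet
        pass


def start_loopback_listener():
    """Bind a random free loopback port; return (server, redirect_uri).

    Google's desktop client type accepts http://localhost:<any port>, so the
    port does not have to be registered in the console ahead of time.
    """
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    server.result = None
    threading.Thread(target=server.handle_request, daemon=True).start()
    return server, "http://localhost:%d" % server.server_address[1]


def build_auth_url(client_id, redirect_uri, state, scope):
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope, "state": state,
        "access_type": "offline",
    })


def wait_for_code(server, expected_state, timeout=300):
    """Block until the redirect arrives; return the code or raise."""
    deadline = time.monotonic() + timeout
    while server.result is None:
        if time.monotonic() > deadline:
            server.server_close()
            raise TimeoutError("no redirect received")
        time.sleep(0.05)
    server.server_close()
    result = server.result
    if "error" in result:
        raise PermissionError(result["error"])
    # Any process on the machine can hit the loopback port, so the state
    # value is the only thing binding a delivered code to our request.
    if result.get("state") != expected_state:
        raise PermissionError("state mismatch")
    return result["code"]


def simulate_browser_redirect(server, params):
    """Constructed stand-in for the browser following Google's redirect."""
    url = "http://127.0.0.1:%d/?%s" % (server.server_address[1], urlencode(params))
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv, uri = start_loopback_listener()
    st = secrets.token_urlsafe(16)
    print("Open this URL in a browser:")
    print(build_auth_url("YOUR_CLIENT_ID", uri, st, "https://www.googleapis.com/auth/analytics.readonly"))
    print("authorization code:", wait_for_code(srv, st))
```

The code returned this way is exchanged at the token endpoint exactly as in the OOB flow; the only difference is that the copy-and-paste step is replaced by the browser hitting the local port.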

How to implement authentication for REST API?

I'm creating a web based service that I want to expose as a REST API so that developers are able to create apps using it. I want developers to be able to create/manage user accounts and authenticate through API. How to handle this? OAuth or something else?
I'm using python,flask,mongodb for this.
We have settled on the following, using OAuth 2 (which is much preferable to OAuth 1). In particular we are using the resource owner password credentials flow. As to how to integrate it into our RESTful service, here is the idea:
The initial resource, when hit by an unauthorized user, returns a 401. The body of the 401 contains a single link, with rel=oauth2-token. (How you signal links depends on your media type; we're using HAL, but you could use even just the Link header.)
After the user authenticates, he returns to the initial resource, sending in his Authorization header the bearer token returned from the OAuth 2 process. At this point, we return a 200, with all the normal links available.
We don't expose account creation, but if you wanted to do that, I would do so with another link available to unauthorized users in the initial resource. That link would have a custom rel since it is specific to your application, e.g. rel=http://rels.myapi.com/users
Good RESTful design would indicate that the link with this rel points to e.g. http://myapi.com/users, and that consumers of the API do a POST to that endpoint, which returns to them the new user resource with a Location header pointing to the newly-created user resource at e.g. http://myapi.com/users/username. (User resources themselves would of course be another rel, distinguishing between the singular user resource and the plural users collection resource.)

Google App Engine (python) authorization web services /third party client

I have a Google App Engine project and I want to make my REST API available to third parties, like the Twitter API.
Twitter requests the user and password to be sent so that they can be authorized - can I do this with Google user accounts?
I have read somewhere on this site that this is not a preferred method as their credentials are entered into a third-party app/passed etc.
I don't want to over-complicate and redirect them to Google's own login/captcha and so on. I have seen an implementation of this - also with desktop/phone/widgets this may not even work.
Is a solution for third-party apps to call my service: the app calls a page on my site (which asks for login - I just add login rights), the user then logs in and my app then creates a long token that is then passed back to the third-party app, which then stores this in their own repository and passes it as a Token arg in the POST/PUT/DELETE request.
My REST service then checks the token against a lookup of (token|user key) pairs and allows/rejects the method call.
I could also ask the app for their domain and store this too. I guess I can read the URL of the request on the REST service and check they match etc.?
Is this a reasonable solution or am I living in the 90's?
OAuth was created with this situation in mind. It's a specification for the sort of auth-token scheme you just described, and it's reasonably widespread these days.
For balance, see this recent StackOverflow thread.
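The resource-side half of both schemes above, the 401-with-links design from the "How to implement authentication for REST API?" answer and the token-to-user lookup from the App Engine question, as one added Python example (not code from either poster, and framework-free so it runs anywhere). The host myapi.com and the rel names are the answer's own; the token store, the hashing of stored tokens and the `WWW-Authenticate` challenge are additions, the last because a 401 without a challenge header is not a valid HTTP response.

```python
import hashlib
import json
import secrets

BASE = "http://myapi.com"   # host used in the answer's examples

# Token store: sha256(token) -> user key. Only digests are kept, so a copy
# of the store cannot be replayed as bearer tokens. Entries are created by
# issue_token(); any fixed token passed to it is a constructed test value.
_TOKEN_HASHES = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_key: str, token: str = "") -> str:
    """Mint (or register) an opaque bearer token for user_key and return it.

    This is what the OAuth 2 token endpoint hands out after the password
    grant succeeds; it is included so the example is self-contained."""
    token = token or secrets.token_urlsafe(32)
    _TOKEN_HASHES[_digest(token)] = user_key
    return token


def user_for_bearer(authorization: str):
    """Resolve `Authorization: Bearer <token>` to a user key, else None.

    The presented token is hashed before lookup, so a wrong token is never
    compared byte-by-byte against a real one and response time does not
    depend on how many leading bytes of it were right."""
    scheme, _, token = (authorization or "").strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return _TOKEN_HASHES.get(_digest(token))


def handle_get_root(headers: dict):
    """The initial resource: 401 plus the links an anonymous caller may
    follow, 200 plus the normal links once a valid bearer token is
    presented. Returns (status, headers, body) with a HAL body."""
    user = user_for_bearer(headers.get("Authorization", ""))
    if user is None:
        body = {"_links": {
            "oauth2-token": {"href": BASE + "/oauth2/token"},
            "http://rels.myapi.com/users": {"href": BASE + "/users"},
        }}
        # RFC 7235: a 401 must carry at least one challenge
        return 401, {
            "WWW-Authenticate": 'Bearer realm="myapi"',
            "Content-Type": "application/hal+json",
        }, json.dumps(body)
    body = {"_links": {
        "self": {"href": BASE + "/"},
        "http://rels.myapi.com/user": {"href": "%s/users/%s" % (BASE, user)},
    }}
    return 200, {"Content-Type": "application/hal+json"}, json.dumps(body)
```

Putting the token in an `Authorization` header rather than a query argument, as the App Engine question proposed, keeps it out of access logs and browser history; the lookup logic is the same either way.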
