Can I somehow prevent a service user with the manage-users role from resetting the password to other users, but at the same time leave the option to block other users?
Roles
Prohibit:
Credentials
Keep allow:
Allow
At the moment I have not found whether it is possible to prohibit editing credentials
Related
I'm building an ASP.NET Core 6 MVC app and using the Microsoft.Identity.Web package for authentication and authorization.
How can my application acquire multiple scopes at once when a user from a new tenant logs in for the first time?
My app will be multi-tenant, and I want to acquire multiple scopes when a user from a new tenant logs in. I want to acquire the scopes up front (and not incrementally) because a frequent use case is that:
An admin user from a new tenant logs in and grants consent for the required scopes on behalf of their organisation
A non-admin user from the same tenant logs in afterwards. This user is not allowed to grant consent, and thus relies on the admin user to have granted consent up front.
I was initially using the [AuthorizeForScopes] attribute on my home controller to ensure that the relevant scopes were acquired. This works fine when acquiring a single scope at a time, but when I attempt to acquire multiple scopes at once it seems like the client (browser) goes into and endless loop. It's like it doesn't know which scope to ask for first.
I was expecting that my application would simply ask the user to grant consent to all the specified scopes at once.
Specifically I'm asking for these scopes:
https://graph.microsoft.com/v1.0/user.read
https://management.core.windows.net/user_impersonation
https://database.windows.net/user_impersonation
I have a web app which sends emails (gmail) in name of my users
When a user registers, she supplies gmail account and password. Also she has to enable access for Less Secure Apps (I recommend to create a new account for this)
Then I can open a gmail session
session = Session.getInstance(props, new javax.mail.Authenticator() {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(user.getEmail(), user.getPassword());
}
});
and send emails on her behalf.
Unfortunately this is going to stop working next 30th May, when Google will allow only OAUTH2 access
I have followed Java Quickstart for Gmail API and I have code up and running for sending emails with OAUTH2: enable gmail api, create an application on google cloud platform, grant send permission, oauth2 client id credential created...
The problem I have is I can't see a way to automatize this task because when creating an authorized credential, a consent screen displays on browser and you have to select the account to be granted manually (maybe because my app in google cloud platform is still pending to be reviewed)
Is there a way to infer the gmail account you want to access from the credentials file (client_secret.json)? Is there a way to automatize this?
No, or yes. It depends.
The whole point of OAuth2 is to improve security by working with authorization tokens rather than asking for user credentials. To do this the user has to consent to the app's access request, and thus the OAuth consent screen cannot be bypassed. This is
explained in Google's documentation. It's not related to your app's review status but rather it's the way OAuth works.
You can still work in a similar way, though . Instead of asking for username and password upon the user's registration you can redirect them to the OAuth consent screen so they can authorize your app. Make sure that your app is requesting offline access type and then you can retrieve an access_token and a refresh_token. These will essentially work as your credentials and you can use the refresh token to generate new access tokens when needed without having the user go through the consent screen each time.
The refresh token doesn't have a "natural" expiration so you can keep using it indefinitely, but there are a few scenarios where it will become invalid, such as it not being used for six months, the user changing passwords (if using Gmail scopes), the user manually revoking access, etc. In these cases you will need to direct them to the consent screen again to reauthorize your app.
In this sense, your app can still work automatically without user input except the initial setup, which you already had to deal with when they supplied you with their credentials. The refresh token expiration can even be compared to what you had to do when the users changed their passwords in your current workflow.
One exception to this are service accounts. If you and your users are part of a Google Workspace domain you can delegate domain-wide access to it, then the service account will be able to access user data without any manual input. Of course, this is because as the domain administrator you pretty much own all the accounts under it. But if you're working with a publicly available application you will have to deal with the limitations I mentioned above.
Sources:
Google's auth overview
Using OAuth 2.0 to access Google APIs
OAuth 2.0 for web applications
The OAuth consent screen
I have created userpool and integrated 3rd party IdPs to login to my website.
I want only some specific users of that Idp(example SAML ADFS, google) should be able to login and not every user.
Like if google user tries to login than first it should be checked whether this user is in our user's list (like by checking email id) and if it matches than redirect that user to main page otherwise not allowed to login.
I want to if it is possible via cognito or not and if yes than what is solution.
I have spring security with 2 roles (ROLE_USER, ROLE_ADMIN).
Now, I want to implement admin panel. I have already done access to panel url only for users which have ROLE_ADMIN. But I want to make extra secure.
When user with ROLE_ADMIN open admin panel pages first time, he will have to enter a admin panel password. So, my question is What the good way to implement this feature?
Your suggested idea, by making user with role 'ROLE_ADMIN' re-enter his password is used to secure in case of leaving your device unlocked. It used for critical high potential actions like changing your mail password, which require something like token renewal. I think implementing Two-factor authentication add a second security layer.
Assume a user uses the domain name and password to login his personal computer, and then i want to get the current user information(such as a session) from the ldap server. Because i would like to use this session to login another web site without password.
I am not sure if i describe this question clearly, i summarize it again as below:
1. User login PC with his password and username
2. The script get this user's session from ldap server and stored
3. When this user want to login another webpage, this website use the session to login (without password)
Is there any ideas about this? i still don't know how to implement with this.
As far as I'm aware LDAP does not have a concept of a session on the level of authenticating the people in the directory (as opposed to authenticating access to the LDAP server). So the answer is that you don't. LDAP is typically only used to store the user information.
What you need is some sort of single sign-on (SSO) solution. It can use LDAP to store the user data of course.
I agree with Lennart. From LDAP, there is no mechanism to determine if the user is already bound.
There maybe some extensions or controls or SASL mechanisms that could provide that information from some LDAP server vendor implementations.
-jim