allow admins to read users mails using GSuite app - google-apps-marketplace

right now i'm trying to build an app for G Suit marketplace which allow the admins to read users emails using Gmail APIs. I found that we can do that by using a service account but i only can access the users emails in my domain. right now i don't know how i can make admins from outside my organization use my app to read users emails
from googleapiclient import discovery
from google.oauth2 import service_account
SCOPES = ['https://www.googleapis.com/auth/gmail.readonly']
SERVICE_ACCOUNT_FILE = 'service_file2.json'
emails=['user2#example.com','user1#example.com']
for email in emails:
# The user we want to "impersonate"
USER_EMAIL = email
credentials = service_account.Credentials.\
from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)
delegated_credentials = credentials.with_subject(USER_EMAIL)
service = discovery.build('gmail', 'v1', credentials=delegated_credentials)
email_list = service.users().messages().list(userId=USER_EMAIL).execute()
b = 3
for m in email_list['messages']:
message = service.users().messages().get(userId=USER_EMAIL, id=m['id'], format='metadata').execute()
print(message['payload']['headers'][1]['value'])

Related

Keycloak - require email verification before creating the user

We are evaluating Keycloak to replace Forgerock for user registration
Our current workflow provides a registration screen. On submitting the registration form, an email is sent to the user to verify their email and activate their account. The link in the email confirms the user registration before creating the user in forgerock.
My questions:
Is there a way to create the user after the email verification as a confirmation?
I have this implementation but sendVerifyEmail it is just for checking the email and basically the user can login even if he/she didn't check the email
Keycloak keycloak = KeycloakBuilder
.builder()
.serverUrl(KEYCLOAK_URL)
.realm(KEYCLOAK_REALM)
.username(KEYCLOAK_USER)
.password(KEYCLOAK_PASSWORD)
.clientId(KEYCLOAK_ADMIN_CLI)
.build();
CredentialRepresentation credential = createPasswordCredentials(userRegistrationRequest.getPassword());
UserRepresentation user = new UserRepresentation();
user.setEmail(userRegistrationRequest.getEmail());
user.setCredentials(Collections.singletonList(credential));
user.setEnabled(true);
// Get realm
RealmResource realmResource = keycloak.realm(KEYCLOAK_REALM);
UsersResource usersResource = realmResource.users();
// Create user (requires manage-users role)
Response response = usersResource.create(user);
String userId = CreatedResponseUtil.getCreatedId(response);
System.out.println("Response: " + response.getStatusInfo());
System.out.println(userId);
UserResource u = realmResource.users().get(userId);
u.sendVerifyEmail();
This is late though but you can set the user representation email verified to false when creating the user. So they won't be able to access until they verify the email.

Flutter Firebase signInWithCustomToken with an existing authentication system's user id?

I have a Laravel application with it's own user authentication system. I am using firebase only for real-time chat and push notifications.
In order to store chat conversations in firestore, I can directly just write/read data without any auth system. however I need to protect the data with read/write rules to only allow authenticated users.
But I don't want to login the user with email and password again, instead I want to use the signInWithCustomToken function. As per the docs, It says I can pass my own customtoken which was created from the laravel application when signing the user in.
Now My question is, I do not want to use the token generated by the laravel application instead I want to use the user's id from the laravel application's database
Laravel application users table:
users table:
id | name | email | password | age
1 | mike | mike#example.com | hashedpass | 40
in Firebase signInWithCustomToken can I pass the user's id like this as the uid ?
const auth = getAuth();
const token = 1; ------------------------->user id from laravel
signInWithCustomToken(auth, token)
.then((userCredential) => {
// Signed in
const user = userCredential.user;
// ...
})
.catch((error) => {
const errorCode = error.code;
const errorMessage = error.message;
// ...
});
Is this a good practice? so I can match the user in firebase with the uid and my database's user_id?
If you want to call signInWithCustomToken to sign a user, you will have to always mint a custom token for that user. You can't switch from signInWithEmailAndPassword to signInWithCustomToken for the same user account.

Yammer Impersonation As A Valid Admin

I registered an app as a valid admin in my network.
I got my token.
when i request a list of tokens to impersonation I receive only my token and not all the tokens (of users in my network).
This is the request I'am making:
https://www.yammer.com/api/v1/oauth/tokens.json?consumer_key={0}&user_id={1}", CONSUMER_KEY, UserId
Where {0} = My Application Client Id,
Where {1} = My UserId (The verified admin user id).
what could i be doing wrong?
Thanks guys.
I found the answer.
My error was I was registered under
"xxx.com"
and when I requested the token I was under the domain of:
"yyy.com"
so the token I received was not the right token.
Another mistake I made was trying to impersonate verified admins - a verified admin can't impersonate another verified admin.
**
Solution:
Register a new app with a user that is registered on the right domain.
Get the token with thee user that is registered on the right domain.
Get id's of users that are not verified admin.
**
Thanks for all your help.
Hope this info contribute to someone.
You can pass in user_id the sender_id from the post object
var config = require('../config');
module.exports = function (sender_id, tk) {
var params = '?' + 'user_id=' + sender_id + '&consumer_key=' + config.YAMMER_CONSUMER_KEY + '&access_token=' + tk;
var url = 'https://www.yammer.com/api/v1/oauth/tokens.json' + params;
return url;
};

Add Okta user to Okta group Python sdk

Is there a method to add a user to an Okta group? I see update_group, but nothing specific on how to add a user to an Okta group.
The latest updates to the SDK have add_user_to_group(group, user) and add_user_to_group_by_id(gid, uid) methods on UserGroupsClient.
from okta import UserGroupsClient
from okta.models.usergroup import UserGroup
from okta import UsersClient
from okta.models.user import User
groups_client = UserGroupsClient('your_url', 'your_key')
users_client = UsersClient('your_url', 'your_key')
# Create group
group = UserGroup(name='sample_name',
description='sample description')
group = groups_client.create_group(group)
# Create user
user = User(login='sample#asdf.com',
email='fake#asdf.com',
firstName='Joe',
lastName='Schmoe')
user = users_client.create_user(user, activate=False)
groups_client.add_user_to_group(group, user)
# or
groups_client.add_user_to_group_by_id(group.id, user.id)
To get the latest:
pip install git+git://github.com/okta/oktasdk-python#master

django-facebook does not login facebook test user

I am creating a web app that allows users to register using their Facebook account. I am using django-facebook to do the authentication / registration of new users. I am trying what I think is the simplest setup, using django registration instead of userena. Everything works well when I use my own Facebook account: I am asked to confirm that I allow the app to have access to my profile, a new account is created in the auth_user table and I am logged in.
However, when I am logged in into Facebook as a test user, I confirm that I allow the app and then I am redirected to facebook/connect/?facebook_login=1&attempt=1&code=AQBM0-z......
The new account is not created.
Here are my relevant settings:
TEMPLATE_CONTEXT_PROCESSORS = (
'django_facebook.context_processors.facebook',
'django.contrib.auth.context_processors.auth',
'django.core.context_processors.debug',
'django.core.context_processors.i18n',
'django.core.context_processors.media',
'django.core.context_processors.static',
'django.core.context_processors.tz',
'django.contrib.messages.context_processors.messages',
)
MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
)
AUTHENTICATION_BACKENDS = (
'django_facebook.auth_backends.FacebookBackend',
'django.contrib.auth.backends.ModelBackend',
)
FACEBOOK_APP_ID = NNN
FACEBOOK_APP_SECRET = NNNN
FACEBOOK_REGISTRATION_BACKEND ='django_facebook.registration_backends.FacebookRegistrationBackend'
AUTH_PROFILE_MODULE = 'django_facebook.FacebookProfile'
It seems like the whole problem is that django-facebook removes the long emails from the facebook data. This makes the auth not be able to create an account.
I just commented out the following lines in api.py
if len(user_data.get('email', '')) > 75:
#no more fake email accounts for facebook
del user_data['email']

Resources