I followed the example of AuthExample that uses Custom Chrome Tabs with Azure AD B2C policies.
I do not find any resources on how to style the custom chrome tab (and respectively the Safari controller). The tab always shows the URL in the header and the standard colors which does not look very native.
I know I can style the page content itself within Azure portal.
Can anyone guide me to links or tutorials on how to style the browser view to adapt to my app design and at least not show the Microsoft URL when the user signs in/up? In my opinion the user shouldn't even notice he is redirected to a browser tab.
The aforementioned link suggests that it is possible to at least hide the URL bar at local sign in / sign up. For third-party identity providers it isn't a problem to get redirected to another (identity provider owned) site.
It is not possible to remove the URL in the Xamarin control.
The ideal way to achieve full UI customization is to use the OAuth Resource Owner Password credential flow. This will allow you to build your own UI and not leverage a web view (aka Custom Chrome Tabs and Safari controller) for local account. Keep in mind that for 3rd party identity providers like Facebook and Google, there is no way around the web view and the URL in the header. This is by design and a key security requirement to prevent phishing.
At this time, this flow is not supported in Azure AD B2C. You can support this ask and stay up to date on its status by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow
Related
I tried getting the context of a personal tab of Microsoft Teams using microsoftTeams.getContext(context => { console.log(context);});. I am able to get the context when I render the site from valid domains that I mentioned in the manifest.
But in cross-domain scenarios, I am able to render the site in that Teams tab, but unable to fetch the context of the Teams tab using the getContext of the MicrosoftTeams SDK. Is there any limitation on fetching the Teams tab context based on valid domains (like context can only be fetched for a valid domain)?
This is expected and it is for security concerns only. In order for a site to use getContext you need to define it in manifest's valid domain so that unwanted web app doesn't take advantage of that.
If you are using a third party app and it navigates you to another web app then you won't want to give your information to it until you trust it. By adding a domain in validDomain you are giving your consent that this domain can use context.
Trying to get my consent screen verified, as my iOS mobile app uses YouTube's API to get their YouTube subscriptions (this falls under the 'sensitive' scope, not 'restricted'). Info on it can be found here -> https://support.google.com/cloud/answer/9110914?hl=en
The consent verification form requires an "Authorized Domain" and also a "Homepage" for the app. The problem is that this is an iOS app and I don't have a website or a URL to give this form.
The consent form:
What do I put in the place of the Authorized Domain and Homepage links?
or
Am I going about the verification process all wrong? Is there another way for mobile apps?
First, if you don't have a domain for it then it is impossible to remove the unverified stuff on your screen.
Second, the domain field is something like google.com, youtube.com where you are going to attach the tag for verification. This domain you currently don't have.
Third, the application homepage link is your website.
Lastly, from my experience there are no special cases for mobile and web processes when it comes to that stuff showing on the screen.
The app will show that unverified screen once you are using a sensitive scope that requires app verification regardless if it's a mobile app or web app.
This is just my local test page.
Is there some parameter to show my product name?
https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=750613625541-ju0p2hvmml1eahjmt9l4f01gdtp9s33o.apps.googleusercontent.com&as=-2201fc670d7b92ee&nosignup=1&destination=https%3A%2F%2Fwww.storage.com&approval_state=!ChRxdl9WYmw4YURnUWxCemhGSTFUZRIfMC1LRl90bTZ2Z2NaWUg3R0Q2SDQtRUVFOEJjeHpoVQ%E2%88%99ADiIGyEAAAAAWVH50eZlchIgJ3-_vV2dZuQUMH9bhmmI&passive=1209600&ltmpl=nosignup&oauth=1&sarp=1&scc=1&xsrfsig=AHgIfE_ysFUz37usqpUy0VanY6KxOc5Kkg&flowName=GeneralOAuthFlow
This is the URL of authorization in my app.
This used to be possible as a setting in the Google developer console.
Google developer console -> credentials -> Oauth consent screen tab
Google has been making a number of changes to the OAuth consent form recently. This is a direct consequence of the Gmail phishing hack a few months ago. One of the changes is, as you see, that the website of the application is now being displayed instead of the application name. This, it was thought, would be easier for users to understand WHO they are granting access to their data rather than what application has access to their data. This is not something you can change.
I am using MSCRM authenticated through ADFS. I have two active directories A and B. I set up a one-way forest trust between A and B so that users in B can access my resources in A. I currently use ADFS for login. My problem is it is not friendly for a user to key in A\username or B\username to log in to my webpage. Therefore I wish to build a custom login screen and maybe provide a radio button for the user to choose whether they belong to domain A or domain B. Because I use MSCRM, am I sort of forced to use ADFS?
MSDN provides a series of entries about ADFS 2.0 Sign-In Pages Customization.
From the linked overview page:
The Sign-In Pages expose extensibility points that allow a developer to perform the following customizations:
Change the accepted and default authentication types.
Customize the theme of the Sign-In Pages and add a company logo image.
Customize the behavior and layout of Sign-In Pages that are seen by the end user, such as the Forms Authentication and Home Realm Discovery pages.
These customizations can be done by modifying the Web.config file of the Sign-In Pages Web application or by modifying specific pages.
On a side note, as far as I've seen on our customers with IFD environments, you don't need to specify the domain when you sign-in, plain username and password seem to work (I'm not very expert in ADFS, but I understand that it "knows" which domain to authenticate against).
I’m new to the marketplace and I’m developing an application to replace Google's login with my app, which uses strong authentication.
To use it you don’t need to install anything, it’s only a matter of configuration of your Google app. When you try to access mail.google.com/a/yourdomain.com it will redirect to our application where the validation process occurs, and after validating it will return to the Google web site.
The same happens with logout and password change, you will be redirected to my app.
When a user needs to change the account password, we use the Google Admin API to change it. Of course, it requires a previous authorization from a domain user with administration privileges.
The question is, how to publish an application like this on the marketplace? I don’t see how to do it according to the new regulations from November 19th, for example, the application type and the fact that it should be an installable listing.
Can someone give me a hint or example?
Thanks in advance.
Fernando.
--- EDITED --- to answer to Koma
The thing is, we already have the application, what we're doing now is making some changes to make it ready to use with Google Apps.
There’s an option in the security section called “set up single sign-on (SSO)” where you configure 3 URLs for:
Sign-in page URL (URL for signing in to your system and Google Apps)
Sign-out page URL (URL to redirect users to when they sign out)
Change password URL (URL to let users change their password in your system; when defined here, this URL is shown even when Single Sign-on is not enabled)
When you need to change your account’s password you will be redirected to our application (because Google has delegated that responsibility to us). There, through OAuth and the Google Admin API, we will change the password for your Google user.
We want to be listed in Google’s marketplace as a solution for strong authentication delegating that functionality to our application, but we don’t see how, because the user that will use our solution doesn’t need to install anything, and according to what I understand we are forced to upload something to be listed.
Does that make sense to you?
From what I read, you want to replace authentication with your own. That's not feasible with a market place app.
You need to implement a SAML identity provider
https://developers.google.com/google-apps/sso/saml_reference_implementation
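The first thing a SAML identity provider behind that sign-in page URL has to do is decode and vet the incoming request before showing a login form. The sketch below is an added example, not part of the answer or of Google's reference implementation; it assumes the HTTP-Redirect binding (base64 over raw DEFLATE), and the allowlisted ACS URL and the sample request are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # cap on inflated size, guards against decompression bombs
# Assumption: the only ACS URL this IdP will answer (placeholder domain).
ALLOWED_ACS = {"https://www.google.com/a/example.com/acs"}

# Constructed sample AuthnRequest, not captured traffic.
SAMPLE = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'ID="constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
          'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs"/>')

def build_query(xml, relay_state):
    """Service-provider side, only used here to produce test input."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no header
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return urlencode({"SAMLRequest": blob, "RelayState": relay_state})

def parse_authn_request(query):
    """IdP side: decode SAMLRequest and reject anything unexpected."""
    params = parse_qs(query, strict_parsing=True)
    if "SAMLRequest" not in params:
        raise ValueError("missing SAMLRequest")
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    xml = zlib.decompressobj(-15).decompress(raw, MAX_XML + 1)
    if len(xml) > MAX_XML:
        raise ValueError("SAMLRequest too large")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not accepted")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in ALLOWED_ACS:
        # Never post an assertion to a URL taken from the request unchecked.
        raise ValueError("unexpected ACS URL: %r" % acs)
    return {"id": root.get("ID"), "acs": acs,
            "relay_state": params.get("RelayState", [""])[0]}

if __name__ == "__main__":
    print(parse_authn_request(build_query(SAMPLE, "https://mail.google.com/a/example.com")))
```

The request ID returned here goes into the InResponseTo field of the signed response that the identity provider posts back to the ACS URL; building and signing that response is not shown.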