Yammer OAuth 2.0 Resource Owner Password Credentials Grant

Does Yammer support the OAuth 2.0 Resource Owner Password Credentials Grant as suggested in the RFC (https://www.rfc-editor.org/rfc/rfc6749#section-4.3)?

No. The supported flows for OAuth with Yammer are documented at https://developer.yammer.com/authentication/. This flow is generally only supported by first-party apps for any service that supports OAuth, because credentials are entered directly in the application.

Related

Gmail with OAuth: How to access the user's mailbox on behalf of the user?

As Google does not support the "client_credentials" grant in OAuth, how can I access the user's mailbox on his behalf (machine to machine)?
My Java application would be able to store any user credentials in a secure place.
Thanks for a pointer :)
UPDATE
Thank you for your response. But I am not sure if this explanation solves my use case. Let me better describe the environment:
For several years I have had a background Java task which runs without user intervention:
The user enters his normal username and password once; these credentials are saved in a secure place.
The Java task regularly connects (through IMAP) to the user's mailbox (e.g. john.doe#gmail.com) through the Jakarta Mail API to read and process any new incoming mail from the user's inbox.
To support more modern authentication, I would like to switch the authentication to OAuth 2.0. The Jakarta Mail API already supports the IMAP connect through the use of an access token, so I only need to add the code to ask the authorisation server for the access token.
Questions:
Is this possible with Google OAuth?
Which OAuth grant type must be used? First I thought "client_credentials" should be used, but Google does not currently seem to support it.
Thanks!
Domain-wide delegation lets you do that:
In Google Workspace domains, the domain administrator can grant third-party applications with domain-wide access to its users' data — this is known as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
This is obviously a very powerful capability, so make sure to:
protect the service account appropriately
only grant the least set of OAuth scopes that's necessary.
Note that domain-wide delegation doesn't necessarily require service account keys.
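The two pieces the poster has to add when moving the IMAP task to domain-wide delegation, shown here as an added example in Python (standard library only; this is not code from the question, the answer, or Google's client libraries): building the RFC 7523 JWT-bearer assertion for the service account with the delegated user in `sub`, the form body exchanged at Google's token endpoint, and the SASL XOAUTH2 response that hands the resulting access token to IMAP. The service-account address, user address, and `DELEGATED_SCOPES` set are constructed; Google only accepts assertions signed RS256 with the service account's private key, so the signer is injected and `demo_signer` is an HS256 stand-in that merely lets the example run offline.

```python
import base64
import hashlib
import hmac
import imaplib
import json
from typing import Callable
from urllib.parse import urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"           # Google's OAuth 2.0 token endpoint
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type used with service accounts
GMAIL_IMAP_SCOPE = "https://mail.google.com/"               # the scope Gmail IMAP/SMTP access requires

# Scopes the Workspace admin delegated to this service account's client ID
# (constructed). Keeping this set to exactly what the task needs is the
# "least set of scopes" the answer asks for.
DELEGATED_SCOPES = {GMAIL_IMAP_SCOPE}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(sa_email: str, delegated_user: str, scope: str, now: int,
                    alg: str, signer: Callable[[bytes], bytes]) -> str:
    """Compact JWT that the token endpoint exchanges for an access token.

    `iss` is the service account; `sub` is the mailbox owner being impersonated,
    which is the claim domain-wide delegation acts on. Google accepts only
    RS256 here, signed with the service account's private key; `signer` is
    injected so the signing backend is the caller's choice.
    """
    if scope not in DELEGATED_SCOPES:
        raise ValueError(f"scope {scope!r} was not delegated by the domain admin")
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": sa_email, "sub": delegated_user, "scope": scope,
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}  # one hour is the maximum Google allows
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def decode_claims(jwt: str) -> dict:
    """Read back the (unverified) claims; useful for logging which `sub` was requested."""
    body = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def token_request_body(assertion: str) -> str:
    """Form body POSTed to TOKEN_URI; the JSON reply carries access_token and expires_in."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 client response: user=<addr>^Aauth=Bearer <token>^A^A (raw, not yet base64)."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def imap_login(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Authenticate to IMAP with the token; imaplib base64-encodes the response itself."""
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_initial_response(user, access_token))
    return conn


def demo_signer(data: bytes) -> bytes:
    """Constructed HS256 stand-in so the example runs offline. NOT accepted by
    Google, which requires RS256 with the service account's private key."""
    return hmac.new(b"demo-key-not-for-production", data, hashlib.sha256).digest()


if __name__ == "__main__":
    assertion = build_assertion("mail-reader@example-project.iam.gserviceaccount.com",
                                "john.doe@example.com", GMAIL_IMAP_SCOPE, 1_700_000_000,
                                "HS256", demo_signer)
    print(decode_claims(assertion))
    print(token_request_body(assertion)[:80], "...")
```

The Jakarta Mail side then only needs the access token: the same `user=...\x01auth=Bearer ...\x01\x01` string is what the `mail.imap.auth.mechanisms=XOAUTH2` path sends, with the token passed in place of the password. Because `sub` is what turns the service account's credential into access to a specific mailbox, the value should come from configuration that the domain admin controls, not from request input.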

Authenticating a bot using the same authentication token as the website

We are developing the bot application using Microsoft Bot framework and decided to use a website as a channel.
The question is: our website (channel) is secured with Azure AD authentication. Once the user is logged in to the website, how can we use the same authenticated user token for the bot to authenticate the user?
Thanks
Here's a Web Chat sample that shows how to do Single Sign On (SSO) for apps that use Azure Active Directory (AAD).
Note that this is not an easy task, but it is possible.
For other users not using AAD:
SSO for Enterprise Apps sample
SSO for Teams Apps sample

Azure AD B2C & Google APIs

I need help integrating Azure AD B2C and Google APIs. Briefly, I created a tenant on Azure AD B2C, policies and a Native App. Users can register to my app and sign in without any problems. Now I need to use Google APIs to access the logged-in account's information and manage some information (Google MyBusiness data). How can I achieve that? Is that possible?
Furthermore, even if that is not connected to Azure AD B2C, how can I ask the user to consent to my app viewing MyBusiness data?
UPDATE: I understand that I need to authorize my app to https://www.googleapis.com/auth/plus.business.manage Google scopes. Is it possible to request that scope during Google SignIn application authorization process?
Thanks everyone.
As part of the authentication exchange between Azure AD B2C and Google (as well as other identity providers), an access token is issued by Google for use by (and only by) Azure AD B2C, where this access token is used by Azure AD B2C to access the authorized information for the authenticated end-user.
Currently, Azure AD B2C does not pass this access token through to the relying party application (i.e. your native client application), therefore applications can't access the information for the end-user.
UPDATE on 20 June 2019
Using a custom policy, you can pass the access token from the external identity provider through Azure AD B2C to your relying party application.
From the official Azure AD B2C FAQ:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
Can I configure scopes to gather more information about consumers from various social identity providers?
No, but this feature is on our roadmap. The default scopes used for our supported set of social identity providers are:
Facebook: email
Google+: email
Microsoft account: openid email profile
Amazon: profile
LinkedIn: r_emailaddress, r_basicprofile

Identity Server as part of Web API or separate app

I have an ASP.NET Core Web API app and to secure it, I've implemented JWT Bearer authentication. The next step is managing user access and issuing JWT tokens.
Initially I considered using Azure AD B2C but it doesn't seem to support my business requirements. So I'm now considering using Identity Server 4.
Does Identity Server 4 run as a completely separate application? Also, am I understanding it correctly that it is used as:
A web interface for users to register and login
Also a web app with API that issues the JWT token
In other words, does Identity Server 4 "act" as my own Azure AD B2C service?
IdentityServer 4 is a Web app (Login & Logout pages) with an API that implements the OAuth 2.0 and OpenID Connect specifications. The samples provide a simple user login and logout views that you can change to your liking.
Regarding the user registration process, you may add that to your IdentityServer4 implementation or have that as a separate web application.
Similarities to Azure AD B2C
This came from another blog article
Authorization
Azure AD B2C allows you to model user roles as membership in groups that you define. You can't currently get a token containing those claims, but you can use the Azure AD Graph API as a workaround to retrieve the group memberships, and use them in authorization checks inside your application. It's a little tricky right now, but improvements to this are on the B2C team's roadmap.
API Authentication
Azure AD B2C can provide tokens for authenticating API access via OpenID Connect, but beyond that the functionality is limited. The OAuth 2.0 Client Credentials flow isn't supported, and B2C doesn't include any API key management features, so you'll need to roll your own code if your services need to support API key authentication.
Another article with pros for IdentityServer4:
IdentityServer 4 is an authentication framework capable of out of the box Single Sign On (SSO) and security for your APIs, and most recently support for implementing your own authentication protocols and tokens, with a sample implementation for the WS-Federation protocol and SAML tokens. SSO works across all applications regardless of whether they are using OpenID Connect or WS-Federation.
Summary
IdentityServer4 is similar to Azure AD B2C with more functionality as noted in the linked articles.

Dotnetopenauth - Resource owner password credentials flow with WebAPI

I am planning to expose an existing ASP.NET WebAPI API to mobile applications. I'd like to use OAuth2 resource owner password credentials flow via Dotnetopenauth so that users can enter their username and password into our mobile application login screen (rather than opening up a screen in a web viewer, etc.) and receive an authentication token.
As such, our setup is as follows:
Resource Server - An API built with ASP.NET Web API
Client - A mobile application
Resource Owner - The end user
I've been playing with the OAuth2ProtectedWebApi sample and, while I understand what it is doing, I'm not sure how to convert this to the resource owner password credentials flow.
My questions are:
Should I post a request directly from my login page to the TokenController, bypassing the UserController in this example completely?
In a resource owner password credentials flow, where should authorization be accomplished? For example, in order to validate the username:password against Active Directory or a database, where should the logic be placed in such a flow?
Any suggestions would be greatly appreciated,
Thanks
JP
Why do you want to use DNOA? Resource owner flow is now part of Web API v2 - and quite easy to implement.
I wrote a walkthrough here:
http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/
The article describes the flow and where to do user authentication.
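To make the shape of the resource owner password credentials grant concrete, here is an added example of a minimal token endpoint for it (RFC 6749 §4.3) written in Python. It is not code from the linked walkthrough, from Web API v2 or from DotNetOpenAuth, and it also illustrates the grant the Yammer question at the top of the page asks about. JP's two questions map onto it directly: the login screen posts straight to the token endpoint (there is no separate user controller in this flow), and the username/password check is the `authenticate_user` step inside that endpoint, which is where an Active Directory or database lookup would go. The issuer URL, client registry, user store, and HS256 signing key are constructed for the example; a real authorization server would use an asymmetric signing key and its own user store.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

ISSUER = AUDIENCE = "https://api.example.test"   # constructed identifiers
TOKEN_LIFETIME = 3600                             # seconds
SIGNING_KEY = secrets.token_bytes(32)             # HS256 key shared with the resource server (constructed)

# Client registry (constructed). The password grant is meant for first-party
# apps, so only clients explicitly flagged for it may use it.
CLIENTS = {
    "mobile-app": {"secret": "demo-client-secret", "grants": {"password"}},
    "web-spa": {"secret": "demo-web-secret", "grants": {"authorization_code"}},
}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Stand-in user store with salted PBKDF2 hashes (constructed). In JP's setup
# this is the one place that would query Active Directory or the database.
_SALT = os.urandom(16)
USERS = {"jp": {"salt": _SALT, "hash": _pbkdf2("correct horse battery staple", _SALT)}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate_client(client_id, client_secret):
    """Return the client record if the secret matches, else None (constant-time compare)."""
    client = CLIENTS.get(client_id)
    if client is None or client_secret is None:
        return None
    return client if hmac.compare_digest(client["secret"], client_secret) else None


def authenticate_user(username, password) -> bool:
    """The resource owner check lives inside the token endpoint, nowhere else."""
    user = USERS.get(username)
    if user is None or password is None:
        return False
    return hmac.compare_digest(user["hash"], _pbkdf2(password, user["salt"]))


def issue_token(subject: str, client_id: str, scope: str, now: int) -> str:
    """Mint an HS256 JWT that the Web API verifies with the shared key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "client_id": client_id,
              "scope": scope, "iat": now, "exp": now + TOKEN_LIFETIME,
              "jti": secrets.token_urlsafe(16)}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Resource-server side: check signature, issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["iss"] != ISSUER or claims["aud"] != AUDIENCE or claims["exp"] <= now:
        raise ValueError("token not valid for this API")
    return claims


def handle_token_request(form: dict, now=None):
    """POST /token handler for grant_type=password; returns (HTTP status, JSON body).

    Error codes follow RFC 6749 §5.2. A failed user check is reported as a
    single invalid_grant so the response does not reveal whether the
    username or the password was wrong.
    """
    now = int(time.time()) if now is None else now
    grant = form.get("grant_type")
    if grant is None:
        return 400, {"error": "invalid_request", "error_description": "grant_type is required"}
    if grant != "password":
        return 400, {"error": "unsupported_grant_type"}
    client = authenticate_client(form.get("client_id"), form.get("client_secret"))
    if client is None:
        return 401, {"error": "invalid_client"}
    if "password" not in client["grants"]:
        return 400, {"error": "unauthorized_client"}
    username, password = form.get("username"), form.get("password")
    if not username or not password:
        return 400, {"error": "invalid_request", "error_description": "username and password are required"}
    if not authenticate_user(username, password):
        return 400, {"error": "invalid_grant", "error_description": "invalid resource owner credentials"}
    scope = form.get("scope", "api")
    token = issue_token(username, form["client_id"], scope, now)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME, "scope": scope}
```

The order of checks is deliberate: the client is authenticated before any user credential is examined, so an unknown or unauthorised client never triggers a password verification, and the `grants` allow-list keeps the password grant from being used by clients that were registered for a redirect-based flow.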
