Force google to show account chooser and consent screen - google-api

I am able to use both prompt=consent and prompt=select_account individually, but Google doesn't seem to allow me to combine them. I tried the prompt=consent+select_account as suggested in an answer of Force google account chooser, but that fails with the error: "Invalid prompt: consent+select_account".
The doc (https://developers.google.com/accounts/docs/OAuth2Login) says "A space-delimited list", so I tried consent select_account but that fails with: "The requested URL was not found on this server."
I also tried combining prompt=select_account and approval_prompt=force, but Google doesn't like that either.
Anyone else have luck with combining consent screen and account chooser?
Update:
This is my JavaScript method creating URL for getting contacts from gmail
$scope.importGmailContacts = function() {
provider = 'gmail';
$scope.importing_from_gmail = true;
window.open(protocol + "://" + host + ":" + port + "/contacts/gmail", "_blank",
"toolbar=yes, scrollbars=yes, resizable=yes, top=0, left=0, width=600, height=600, prompt='select_account+consent', approval_prompt=force");
}
I have tried setting prompt and approval_prompt both collectively and individually but it does not seems to work. Refer to this question.

You need add: access_type=online&prompt=select_account+consent:
private static final String AUTHORIZE_URL
= "https://accounts.google.com/o/oauth2/auth?"
+ "response_type=code&access_type=online&prompt=select_account+consent"
+ "&client_id=xxx&redirect_uri=xxx";
private static final String SCOPED_AUTHORIZE_URL = AUTHORIZE_URL + "&scope=xxx";
..

I just tried this and it DID work when space-delimited:
options[:prompt] = 'select_account consent'

https://accounts.google.com/o/oauth2/auth?client_id=XXXX&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code&prompt=select_account+consent&approval_prompt=force
Results in the error
That’s an error.
Error: invalid_request
Conflict params: approval_prompt and prompt
Prompt and approval_prompt parameters can not be used together.
prompt Optional. A space-delimited, case-sensitive list of prompts to present the user. If you don't specify this parameter, the user will be prompted only the first time your app requests access. Possible values are:
none Do not display any authentication or consent screens. Must not be specified with other values.
consent Prompt the user for consent.
select_account Prompt the user to select an account.
If memory serves approval_prompt is the older way of doing it and google added Prompt sometime in 2012. I cant actually find any documentation on approval_prompt anymore but if memory serves it was the same as doing prompt=consent it just requested access again.

Related

Run a process as administrator from non admin user - local admin credentials

I have a Window 10 vb.net main process (tester) that needs to create a process to clean up certain registry area. The products we test have a single FTDI serial port adapter, but over time these instances build up and slow the registry to a crawl.
As the main process starts, the desire is to use an off the shelf utility, DeviceCleanupCmd.exe, to search and remove the driver instance build up. This requires administrator privileges for that sub process. I've been able to do this on XP with script, but the system is running with full administrator privileges. Since it's not on the network, there's very little risk.
Moving forward, we are trying to replace the XP system with a Windows 10 Enterprise box that is network connected. I wanted to incorporate the equivalent of the script into the vb.net process and I modified the vb.net application to use
Process() with StartInfo.Verb = "runas"
Local user credentials (not a domain user) the application provides to start the sub process.
Using this method, my sub process executes, but not with administrator level privileges. The Stackoverflow reference below explains that I can't use this method and have to use CreateProcessWithLogonW. I understand Ian Boyd's concerns for security in the post.
Run process as administrator from a non-admin application
I have followed the Microsoft implementation that follows and am still having issues.
https://learn.microsoft.com/en-us/troubleshoot/dotnet/visual-basic/start-process-as-another-user
Here's the essential part of my code. You will see that I truncated the MS example to use the W2K portion, as we won't be going back that far!
wUser = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(UserName + Chr(0)))
wDomain = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(DomainName + Chr(0)))
wPassword = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(Password + Chr(0)))
wCommandLine = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(CommandLine + Chr(0)))
wCurrentDir = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(CurrentDirectory + Chr(0)))
Result = CreateProcessWithLogonW(wUser, wDomain, wPassword, CREATE_DEFAULT_ERROR_MODE, 0&, wCommandLine, CREATE_NEW_CONSOLE, 0&, wCurrentDir, si, pi)
If Result <> 0 Then
CloseHandle(pi.hThread)
CloseHandle(pi.hProcess)
W2KRunAsUser = 0
Else
W2KRunAsUser = Err.LastDllError
Status = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, CType(0&, IntPtr), W2KRunAsUser, 0, strMessage, Len(strMessage), 0)
MsgBox("CreateProcessWithLogonW() failed with error: " & W2KRunAsUser & " " & strMessage, vbExclamation)
End If
Please remember that my target administrator user is only resident on the PC I'm running the application on - not on the domain. I've verified that I can login with the credentials and run DeviceCleanupCmd.exe with success. In order to login locally, I must use a \ before the user. When I run the code, I've attempted the following, with the error message that Windows 10 supplies after the colon (:):
Providing "user", "password", and "domain" (I know it's not required): The directory name is invalid.
Providing "user", "password", and domain as "": The directory name is invalid.
Providing "\user", "password", and domain as "": The directory name is invalid.
Providing ".\user", "password", and domain as "": The stub received bad data.
Providing "user", "password", and domain as "computer name": The directory name is invalid.
Providing "non-admin user", "password", and "domain of user": DeviceCleanupCmd.exe runs but complains 'No admin privileges available'.
Because the application is complaining about an invalid directory name, I've purposely placed the DeviceCleanupCmd.exe in a C:\sub-directory that is not protected by Windows (Like Program Files). Attempt 6 above would seem to prove that there's not rights/access violations.
I have also tried CREATE_NEW_CONSOLE in place of CREATE_DEFAULT_ERROR_MODE and same results as above. I've proved the user is being decoded, as when I provide an incorrect password, I get "The user name or password is incorrect".
#Hurshey provided the insight to look at the Windows Task Scheduler and the following links support full configuring the task + incorporating the exported XML into NSIS - my target deployment method.
https://www.windowscentral.com/how-create-automated-task-using-task-scheduler-windows-10
https://nsis.sourceforge.io/Talk:Scheduled_Tasks

Google gapi.auth2.getAuthInstance().isSignedIn().get() is always false when multiple google accounts

I am having a weird problem with google gapi auth. For some reason, the value for gapi.auth2.getAuthInstance().isSignedIn().get() is always returning false. This is my setup:
gapi.load("auth2", initAuth2);
initAuth2(){
gapi.auth2.init({
client_id: "xxxxx-yyyyy.apps.googleusercontent.com",
hosted_domain: "domain.com",
redirect_uri: "http://localhost:4200",
ux_mode: "redirect",
}).then(performAuth, error=>{
console.error(`Error initiating gapi auth2: ${error.details}`);
});
}
performAuth(googleAuth){
const isSignedIn = googleAuth.isSignedIn.get();
if(!isSignedIn){
googleAuth.signIn();
return;
}
const user = googleAuth.currentUser.get();
console.log(user);
}
I have two google workspace accounts sign in the same chrome profile. When I run this script, I get the prompt to select an account. No matter which one I choose, the flow just keeps looping. The reason for that is that the line const isSignedIn = googleAuth.isSignedIn.get(); is always returning false.
Things I've tried so far:
I thought that maybe the client_id was corrupted so I generated a new one. Same behaviour.
I though the GCP project was corrupted, so I created a new project with new credentials. Same behaviour.
Thought there was an issue with cookies, so I deleted and clear cookies and history. Same behaviour.
Thought is was related only to localhost so I deployed to the web. Same behaviour.
If I change the init options from ux_mode: "redirect" to ux_mode: "prompt". It works. However, that is not the desired experience. Also, if I only have one google workspace in the chrome profile, it works. Even more interesting... if I use a client id from an older project... it works! The problem is that the consent screen shows the wrong app name.
I know this question is similar to this one, however I feel it's different because none of the above troubleshooting works. Any insights?
There is a case for the exact same problem here, it is most likely a bug in the api set

"Insufficient permissions" on google calendar api's acl.list

I'm getting Insufficient permissions when trying to call the acl.list method of the google calendar api via python.
service.acl().list(calendarId='primary').execute();
*** HttpError: <HttpError 403 when requesting https://www.googleapis.com/calendar/v3/calendars/primary/acl?alt=json returned "Insufficient Permission">
I'm using the scope 'https://www.googleapis.com/auth/calendar' as recommended in the documentation. Additionally, other API methods do work, for example service.calendarList
service.calendarList().list(pageToken=page_token).execute()
What am I missing?
Here is the code I'm using based almost entirely on the sample they provide:
import sys
from oauth2client import client
from googleapiclient import sample_tools
def main(argv):
# Authenticate and construct service.
# import pdb;pdb.set_trace()
service, flags = sample_tools.init(
argv, 'calendar', 'v3', __doc__, __file__,
# scope='https://www.googleapis.com/auth/calendar.readonly')
scope='https://www.googleapis.com/auth/calendar')
try:
page_token = None
while True:
calendar_list = service.calendarList().list(pageToken=page_token).execute()
for calendar_list_entry in calendar_list['items']:
print calendar_list_entry['summary']
page_token = calendar_list.get('nextPageToken')
service.acl().list(calendarId='primary').execute();
if not page_token:
break
except client.AccessTokenRefreshError:
print ('The credentials have been revoked or expired, please re-run'
'the application to re-authorize.')
if __name__ == '__main__':
main(sys.argv)
You might have to delete existing credentials, in the form of .json files. I had a similar "Insufficient permissions" problem, and I had to delete stored credentials. I had the additional problem that because of trying out some of Google's scripts in their tutorials, unknowingly I had credentials stored in a hidden .credentials folder in my home directory (users/home). Since they were hidden, I had to look for them through Terminal (on Mac), and delete them there. Once deleted, the problem was solved, since I could create new and proper credentials, suitable for the scope of my new script.
Something is wrong with your authentication. Insufficent permissions means that you don't have access.
I can verify that the scope https://www.googleapis.com/auth/calendar is enough to display ACL.list on the primary calendar.
You have to find the location of "calendar-dotnet-quickstart.json" file and delete it. I used .NET example and I have to debug the following code the find exact location.
string credPath = System.Environment.GetFolderPath(
System.Environment.SpecialFolder.Personal);
credPath = Path.Combine(credPath, ".credentials/calendar-dotnet-quickstart.json");
Then change scope as bellow and rebuild the solution.
string[] scopes = { CalendarService.Scope.Calendar};
You will notice that google will ask to confirm the access again.

The like-button show my like-count, but it's not visible in the facebook api

If i go to https://developers.facebook.com/docs/plugins/like-button/ and enter https://www.ballantinesbarproject.fr/?name=epicerie and select box-count as layout.
the like-button shows a like count, as expected, since I liked the page. However, if I look in facebook api:
REST:
https://api.facebook.com/method/links.getStats?urls=https://ballantinesbarproject.fr/?name=epicerie&format=json
FQL:
https://graph.facebook.com/fql?q=select%20url,%20like_count%20from%20link_stat%20where%20url=%22https://ballantinesbarproject.fr/?name=charlatan%22
(though one user claims, he can se counts in the fql-api)
It says there is 0 likes. How come?
Following query is the proper FQL Query for retrieving like or comments count for a link
select url, like_count from link_stat where url="https://ballentines.herokuapp.com/?name=charlatan"
I have debugged the above Query with Graph Explorer
Reference : https://developers.facebook.com/tools/explorer/145634995501895/?fql=SELECT%20like_count%20FROM%20link_stat%20WHERE%20url%20%3D%20%27https%3A%2F%2Fballentines.herokuapp.com%2F%3Fname%3Dcharlatan%27
If you check on above link, you would get proper like_count (now 3). Screenshot below
If you check above Screenshot the application selected is "Graph API Explorer" which is the default App while debugging with Graph API explorer.
If you are logged in with your proper Developer Account. the application Dropdown would also have your Application.
So after switching to your Application, click "Get App Token" and then submit the Query.
Now the like_count would come 0 for the same query. See Below Screenshot.
Now click on "Get Access Token", this would ask you to Allow the App if you not already done so. After "Allow App" proper User Access Token would be loaded in "Access token" box and now again Submit your Query. Now the "like_count" would be 3 as expected.
So you would need proper User Access Token to retrieve proper information from "link_stat" FQL table and App access token wont work for it
Hope this helps.
I guess you should use the following FQL:
select url, like_count from link_stat where url="https://ballentines.herokuapp.com/?name=charlatan"
Gives me
{
"data": [
{
"url": "https://ballentines.herokuapp.com/?name=charlatan",
"like_count": 1
}
]
}
as result...
The Open Graph debugger shows that the og:type meta-data is missing. That could be related to the problem. Can you add it?
https://developers.facebook.com/tools/debug/og/object?q=https%3A%2F%2Fwww.ballantinesbarproject.fr%2F%3Fname%3Depicerie

How to get Basic Authentication Information in a Firefox Extension?

I'm coding a Firefox extension and want to get Basic Authentication information for a website (or for the current document).
How can I get Basic Authentication Information in a Firefox Extension?
Here is some sample code for using nsIHttpAuthManager:
Instantiate the component:
var proxyAuthenticationComponent = Components.classes["#mozilla.org/network/http-auth-manager;1"].getService(Components.interfaces.nsIHttpAuthManager);
Set the information:
proxyAuthenticationComponent.setAuthIdentity('http','192.168.0.1',80,"basic","Some Realm","","","username","password");
Get the information:
var domain = {}; //Will contain {value: ""}
var username = {}; //Will contain {value: "username"}
var password = {}; //Will contain {value: "password"}
proxyAuthenticationComponent.getAuthIdentity('http','192.168.0.1',80,"basic","Some Realm","",domain,username,password);
I used this in a Thunderbird extension.
Hope this help.
I couldn't find an exact answer and don't have time to experiment now, but it seems that the only way is to manually examine headers using NsIHttpChannel.
EDIT:
Ok, I've found nsIHttpAuthManager:
This service provides access to cached HTTP authentication user credentials (domain, username, password) for sites visited during the current browser session.
Looks like exactly what you need.

Resources