I have a crawler that used to use an impersonation account to crawl users calendars.
Now, I can not use this impersonation account and need to find a way for the crawler to work.
Is there a way to access user's calendars without using the impersonation account?
If there is a way, would you please explain how to do it and what do I need to do to make it work?
Also, would you point me to a sample code if there is one as a reference?
Thank you,
Rad1
Actually, those users could grant you a Delegate access to their mailboxes.
After that, access their folders from Microsoft.Exchange.WebServices.Data code like this:
rootfolderId = new FolderId(WellKnownFolderName.Contacts,
new Mailbox(delegateEmail));
well the only way other than impersonation is to know the passwords of each user, which is not practical solution.
Related
I'm trying to get some data from a user (searchconsole):
the user first grants permission on a website.
Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.
What is the easiest/safest way to achieve that?
Should I use the same token for both servers?
or is there a solution using the service account impersonation? (I'm stuck on that one)
use the permission on the web server to add the service account as a searchconsole user?
I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers.
I also read the doc and all examples I could find, but didn't find my case even though it seems basic.
Should I use the same token for both servers?
Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.
or is there a solution using the service account impersonation? (I'm stuck on that one)
Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.
In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts
use the permission on the web server to add the service account as a searchconsole user?
I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.
For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.
Should I use a Service Account or an OAuth 2.0 Client ID?
I'm struggling to understand Google's documentation on authenticating for their APIs. I'm creating a basic application that will help users add and modify Google Calendar events for a single Google account (the account is shared between all users). I only need the application to access that one account, it'll never need to access any others.
It seems to me that Service Account would be best for this, but Google's documentation suggests Service Accounts should only be used for automated processes (unless I'm misunderstanding). For instance this page contains the following, describing when to use Service Accounts.
Would my application qualify as acting on the users behalf?
If so, I would want to use OAuth Client ID credentials, which will ask the user to sign in to a google account. In this case, is there a way I can guarantee they only sign in to the one account I want modified?
I can't find any decent documentation on the OAuth authentication requests to figure this out myself. If there is any could you point me there?
I'm sure I'm misunderstanding something basic here, but thank you for any help!
First off you should know that you can only use service accounts with Google aclendar api if you have a google workspace domain account.
You can then set up a calendar and a domain user that the service account can act on behalf of to control the access of that calendar.
Assuming that your application is going to preform all actions on this calendar then yes i would say that you could use a service account for this. If your app bacly has a ui with a calendar on it your just using google calendar to store the data.
However if you intend to share this calendar with the users themselves, this way they could see it within their own google Calendar account. Im not sure a service account would be the way to go.
If you want the users to be able to see it and make changes then you may want to just use Oauth2. Grant them access to the calendar and then request access to their calendar account.
Drawback to that option is going to be the verification process. You will get access to all the users calendars and your going to need write access.
If you can go with a service account you really should consider it it will save you a lot of hassle with verification.
I'm trying to use the Microsoft Graph API to get the calendars of all the users in an organization. Is there a way for an admin with the appropriate permissions can get all user calendars with one request to the API? I'm aware that it is possible by first retrieving a list of all the users then using the user IDs to send a request for each's calendars. I'd like to avoid this approach so that I can avoid making too many calls to the API. I'd also like to be able to do this without every using having to share their calendars with the admin. Does support for something like this exist? Thanks.
No, it is not possible to get all Calendars of all users in one request.
You can do it only over the way you described.
There are two part to your question:
1: Get all calendars of all users in call: This is not possible.
2: Get access to calendars with users explicitly sharing the calendars. This is possible using app-only access tokens.
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
I am using Google Admin SDK Directory API to create users and using Service account I am able to perform CRUD operations on them.
I have a requirement whereby I have to check the credentials of users created using SDK.
When you fetch the users the password is not returned, hence comparison cannot be done.
I'll really appreciate if someone lets me know what would be effective way of approaching the checkCredentials function.
Thanks.
Google does not ever return the value of the password. That would be a monumental security risk.
See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.
If your requirement is too check creds on a newly created user, you should look into trying to login as the user with the password you just sent, using the google auth Apis
At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.
I'm working on a web application that uses the ASP.NET 2.0 Membership and Roles providers with Forms Authentication. There are various roles in the system. I need to have a user role that is essentially a super-user that can "login" as any user account (in effect impersonating the user).
Does anyone know if this is possible using the providers? Any ideas?
One approach I was thinking of was to logout the super-user and sign them in as the desired user with
FormsAuthentication.SetAuthCookie(username, false);
And adding a variable to their Session to flag them as a super-user. I think this would work, but I was just wondering if there's a smarter way to do it without directly using the Session object?
Asp.net approach doesn't support the concept, so you are right on trying to find an alternate way.
Something that you can do is add the IsSuperUser info to the authentication ticket UserData property.
Why don't you have a SuperUser role that can do anything? Then the user can be just part of that role.
If what you really need to have is an ability for an administrator to impersonate someone else, I don't know what is the additional flag for? If it marks the currently logged in user giving him super powers the same will be achieved by setting up a role. If you, however, need to just impersonate someone else (e.g. this is help desk and you need to see exactly the same as the end user sees) - I would just check the credentials normally, then check if a superuser is logging in and who they want to impersonate and based on that just authenticate the logging in user as the one that he's willing to impersonate.
I hope what I wrote makes sense...
Here is what I would do. Sorry no graphics, on ipad here in bed...
1) use claims based architecture. Its easy to implement, see my project.
2) essentially impersonated user will have a second identity on the claims principal object, but will have different realm (realm may be wrong word, the string you use to create the identity)
3) You can construct the identity of the impersonated user and manually build their claims.... They should get written to the token immediately. I would look at a generic Claims Transformer class to do this.
4) You may need to adjust the way the site behaves, based on the presence of a impersonated identity, but thats the fun part.
Working WIF implementation
https://github.com/wcpro/scaffr-generated