I am looking for some suggestions to implement authentication (and authorization) in our GAE app. Assuming that our app is called someapp, our requirement is as follows:
someapp is primarily for Google Apps users of the domain it's installed for, but can also authenticate users from other Google Apps domains.
For example, let's say Google Apps is configured on domainX.com and domainY.com. Additionally, the admin for domainX.com has added someapp to their domain from the apps marketplace. The admin for domainX.com invites userA@domainX.com and userB@domainY.com to log on to the application. Both Google Apps domain users should be able to use their SSO (single sign-on) functionality.
As far as we know, current authentication options in the app engine allow either domain login, which allows only the users of one domain to log in to the app or federated/openid login which would allow the users of any domain to log in to the app. There is no in-between option which would allow only the users of previously authorized domains to log on to the app. Does that mean our only option is to leave aside google apps authentication and implement our own custom authentication?
Also, in our sample scenario above, what if domainX.com and domainY.com have both added someapp? If userA@domainX.com navigates to someapp.appspot.com, which installation of the app will be used: the one installed on domainX.com or the one installed on domainY.com?
Authentication does not imply authorisation. All that the federated ID system does for your application is give you a username/userid that you can trust. So you can set up your user accounts tied to this information and rely on the fact that whenever you see that userid you are talking to the same user. Or, in the case of domain-wide applications, whenever you see someone with that domain in their userid.
It is completely up to your application to decide if that userid has any meaning on your application. If I log in to your app now with my Google account, it should say "Oh, I haven't seen you before, would you like to join?" ... it should (depending on your app) not just assume I'm authorised to use your application, just because I told you my name.
I'm not sure where you got the "domain login model" from. The only two choices are Google Account and Open/FederatedID; neither of those attempts to restrict user access.
In your final example, users spanning multiple Google accounts will see different results depending on whether they have enabled multiple sign-in or not. Most users will be presented with a screen to choose which Google account they mean before continuing.
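The separation described in the answer above, as an added example that is not part of the original posts: the login system supplies a verified e-mail address, and the application decides per installation whether that identity may enter. The `Installation` class, `is_authorized` function and sample data are hypothetical names constructed for this illustration.

```python
# Added example: authorization layered on top of an already authenticated
# e-mail address. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Installation:
    """One installation of the app, keyed by the domain that installed it."""
    owner_domain: str
    allowed_domains: set = field(default_factory=set)  # extra domains the admin approved
    invited_users: set = field(default_factory=set)    # individually invited e-mails


def _split_email(email):
    """Return (local, domain) lower-cased, or None if the address is malformed."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.rstrip(".")
    if not local or not domain:
        return None
    return local, domain


def is_authorized(email, installation):
    """Decide access for an identity the login system has already verified."""
    parts = _split_email(email)
    if parts is None:
        return False
    local, domain = parts
    invited = {u.strip().lower() for u in installation.invited_users}
    if local + "@" + domain in invited:
        return True
    # Exact match only: "domainx.com.example.net" and "sub.domainx.com"
    # are different domains and must not inherit access.
    trusted = {installation.owner_domain.lower()}
    trusted |= {d.lower() for d in installation.allowed_domains}
    return domain in trusted


# Constructed sample data mirroring the scenario in the question.
SAMPLE = Installation(owner_domain="domainX.com",
                      invited_users={"userB@domainY.com"})
```

With this data, every domainX.com user and the invited userB@domainY.com are admitted, while any other domainY.com user is refused even though federated login authenticated them.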
My flask application is deployed to App Engine and it seems to be functional and we are able to view it fine. We want to share the application with some HR folks for trying it out, but they are unable to view it - it is asking them to select a google account. Is there a way to disable this or remove user login so that those without GCP access can view the app?
I guess that your app engine is protected by IAP. For checking this, go to Security -> Identity Aware Proxy. You should have this page:
With the IAP slider in green to the right. For allowing the unauthenticated users on your service, you have to select your App Engine service name, go to the right panel, and click on Add Member. Now select allUsers and add the role IAP web app user.
And save. If you want to allow only some Google accounts and/or user groups, do the same thing, not with allUsers but with the appropriate email accounts.
HOWEVER, if the IAP has been activated on the project, it's for a good reason. Be sure that you do not enforce your company policy by doing this. You also have to be authorized to perform this operation; it all depends on your roles on the project.
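A check for the caveat in the answer above, as an added example that is not part of the original answer: it reads an IAM policy in the standard JSON shape (`bindings` with `role` and `members`) and reports members that make an IAP-protected app public or that fall outside approved domains. The function name, severity labels and sample policy are constructed for this illustration; `roles/iap.httpsResourceAccessor` is the role ID behind "IAP-secured Web App User".

```python
# Added example: flag IAP access bindings that open the app to everyone.
import json

IAP_ACCESS_ROLE = "roles/iap.httpsResourceAccessor"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_iap_policy(policy, approved_domains=frozenset()):
    """Return (severity, member, reason) findings for one IAM policy dict."""
    approved = {d.lower() for d in approved_domains}
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_ACCESS_ROLE:
            continue  # only the role that grants access through IAP matters here
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", member,
                                 "IAP no longer restricts who can reach the app"))
                continue
            kind, _, value = member.partition(":")
            if kind in ("user", "group"):
                domain = value.rsplit("@", 1)[-1].lower()
            elif kind == "domain":
                domain = value.lower()
            else:
                findings.append(("REVIEW", member,
                                 "member type not covered by this check"))
                continue
            if approved and domain not in approved:
                findings.append(("REVIEW", member, "outside approved domains"))
    return findings


# Constructed sample policy; not taken from a real project.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iap.httpsResourceAccessor",
   "members": ["allUsers", "group:hr@example.com", "user:contractor@example.net"]},
  {"role": "roles/viewer", "members": ["user:dev@example.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_iap_policy(SAMPLE_POLICY, {"example.com"}):
        print(*finding, sep=" | ")
```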
I've already set up Google Auth for SSO with my webapp. This was in Django app using python-social-auth. This Django app had the ability to add azure ad integration and this worked.
Well, it worked for users created under a directory. However, it wouldn't work for users under any other ones. I looked around and it seems to want to create a new directory/application for every company that uses this service to sign in.
(PS realise this might be closed as too broad but I tried to pare it down to the essential core here)
My question comes down to, can I authenticate Azure AD users in my 3rd party website without them having preregistered my site as an allowable source by their admin? Is there any functionality/setting/service in Azure AD that allows that?
can I authenticate Azure AD users in my 3rd party website without them having preregistered my site as an allowable source by their admin? Is there any functionality/setting/service in Azure AD that allows that?
As a matter of fact this is a general authentication-related question, but the answer is no. Based on my understanding, users need to configure their app as a multi-tenant application and have the admin/user of the other tenant give consent depending on what permissions are needed. I would suggest checking https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx for the details of how to add, update, or remove an application in Azure Active Directory (Azure AD); it shows the different types of applications that can be integrated with Azure AD as well.
I am working on a Google App Engine web app which exploits the Api Client Library (Python) to access drive and calendars.
When the user enters the app, they are asked to log in with a Google Account. After that, a second form is shown in which the application is said to be not affiliated with Google and the user shall authorize it to access his data. In this second form the user can change the account (if logged in with several).
This sometimes leads to inconsistencies in the app, as users.get_current_user() returns the former account while the services accessed through the library refer to the second account.
I have been struggling with this for a long time: Managing users authentication in Google App Engine
A solution would be to avoid the second account selection and force the user to authorize the application against the account which is currently logged in.
Is there any way of doing so?
I am using the Python decorators oauth_required() and oauth_aware().
Are there any libraries that provide username and password login for Google AppEngine?
While I could try rolling one from scratch, I'd rather not try to reinvent the wheel if possible.
If not, would it be possible to turn my application into an OpenId provider and then use it to log in?
Try EngineAuth. It has many different options for authentication systems, including email+password authentication.
GAE, via its Users API, supports three types of login (Google accounts, Google Apps accounts and OpenId). For an example of the latter see this article.
The type of login used is defined when creating the app, see this for further details.
I want to create an application that allows a user to register and login to a django application with an external provider. In addition, I then want the user to be able to associate additional accounts with that initial account. Finally, I would like the user to be able to login to the application with one of the other associated accounts.
So if a user initially signs in with Facebook Connect, I want them to be able to link their Google account. Then, if they log out, they can log in with their Google account (via openid) and it logs the user in as though they logged in via Facebook Connect.
Does anything like this exist already? Or do I need to write it myself?
The perfect solution for you seems to be Django-SocialAuth. See here. From the page:
Here is an app to allow logging in via twitter, facebook, openid, yahoo, google, which should work transparently with Django authentication system. (@login_required, User and other infrastructure work as expected.) Demo and Code
Edit: I'm pretty sure that SO uses django-SocialAuth for its login system, looking at the project's demo page.