I prompted for the "email" permission in my Facebook application. However, the permission dialogue allows users to change their email address. I have seen some websites like www.imdb.com that prompt for the email permission but don't allow users to change the email address.
I want to do the same. How to do this?
I have figured it out. Just go to application settings -> Advanced Settings.
In Migrations section enable the "Enhanced Auth Dialog" option and Save.
Now, you will see the new version of permission dialogue box that does not allow users to change the email address.
IMDB implemented Facebook authorization using the OAuth 2.0 protocol (see Authorization Request in the OAuth 2.0 specs for details).
If you are using any of the flows listed in the Facebook documentation for authentication, you'll not be allowed to deny the possibility of changing the email.
In fact, I think this is an issue that Facebook does not allow changing of email in the plain OAuth 2.0 flow (and will file a bug about that!).
We previously had Microsoft Outlook email configured in our X2CRM. Since Microsoft has updated Exchange and disabled Basic Authentication, we are left without any email integration with the CRM.
Do you have any idea of a fix for this, or when it will be updated by X2CRM?
I have tried the Manage Apps section of the CRM, though it does not recognize my email credentials anymore.
The latest versions of X2CRM have already resolved this issue. In the latest version (currently 8.5) that I am using, there is a new drop down option with text Outlook Email Account with Oauth2 which is the OAuth2 integration with Microsoft. You can choose this option and proceed.
On the next screen, you can simply input your information and it will open the Microsoft authorization window and ask you to proceed. You just need to verify the permissions being granted and proceed to link your Microsoft account in X2CRM.
You might also need to verify with your Administrator to ensure that Outlook Integration is updated and enabled for your email address.
I understand that the Admin SDK only works with the OAuth 2.0 protocol, which requires that the user be logged on to Google and use the credentials that are created in the developer console. My situation is that I'm implementing a process to enlist employees in our application and create an account in Google, but not all our users have admin permission to enlist Google accounts.
I built the functionality with my own user and it works properly (because my user is an admin), but when I uploaded it to production, another user could not create the user accounts when creating an employee; it returned an error saying they had no permissions to use the resource/API, obviously because this person did not have administrator permissions.
So how do I send the credentials of an administrator account from server-side so that they can create user accounts on google?
not what I mean?
translated with Google Translate
There are two options available:
1) Store an admin's credentials.
In this method, you have an admin account go through a special authorization flow, and store their access_token and refresh_token in your database. Whenever you need to make a request that requires admin privileges, use the admin's stored credentials instead of the user's credentials.
2) Use a service account to impersonate an admin.
Service accounts can be granted domain-wide authority, allowing them to impersonate any user in the domain. When you need to make a request that requires admin privileges, use the service account to impersonate a domain administrator.
Option #1 is much simpler to code against, but requires a special admin flow in your application.
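What option 2 looks like on the wire, as an added example that is not part of the original answer: the service account signs a JWT whose `sub` claim names the admin to impersonate and exchanges it at Google's token endpoint. The service-account address, admin address and throwaway key below are constructed placeholders; in production the key comes from the service account's key file and the Google API client library builds this assertion for you.

```php
<?php
declare(strict_types=1);

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build the signed assertion for the OAuth 2.0 JWT-bearer grant.
// "iss" is the service account; "sub" is the domain admin it acts as.
function buildAssertion(string $saEmail, string $adminEmail, string $scope, $privateKey): string
{
    $now = time();
    $claims = [
        'iss'   => $saEmail,
        'sub'   => $adminEmail,
        'scope' => $scope,                     // request only what the job needs
        'aud'   => 'https://oauth2.googleapis.com/token',
        'iat'   => $now,
        'exp'   => $now + 3600,
    ];
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.'
           . b64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    if (!openssl_sign($input, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $input . '.' . b64url($sig);
}

// Constructed inputs: a key generated in-process and placeholder identities.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$jwt = buildAssertion(
    'enroller@PROJECT_ID_PLACEHOLDER.iam.gserviceaccount.com',
    'admin@example.com',
    'https://www.googleapis.com/auth/admin.directory.user',
    $key
);

// Form body the server would POST to the token endpoint to obtain an access token.
$body = http_build_query([
    'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion'  => $jwt,
]);

// Local round trip: decode the claims and check the signature with the public half.
[$h, $c, $s] = explode('.', $jwt);
$pub = openssl_pkey_get_details($key)['key'];
$ok  = openssl_verify("$h.$c", base64_decode(strtr($s, '-_', '+/')), $pub, OPENSSL_ALGO_SHA256);
echo base64_decode(strtr($c, '-_', '+/')), "\n";
echo $ok === 1 ? "signature verifies\n" : "signature invalid\n";
```

The non-admin user who triggers the enrolment never sees this key or the resulting token; both stay on the server.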
Open the Google Console and select your project. You will find the permissions menu. When you add a member, you have to give permissions there at that time.
I have an application that creates sites, including registering the domain and configuring the DNS. When a site is created, I'd like to add the domain to Google Webmaster Tools and add a sitemap to the domain.
I'm using the new Webmasters Service in the Google API PHP Client with a service account. Authentication is done with a Service Account and OAuth2 as described in the docs; this works to some extent in that I can add a site and access the list of sites to confirm that it has been added, but the permission level for the site is "siteUnverifiedUser" and, with that level of access, attempting to also add a site map triggers an HTTP 403 error "(403) User does not have sufficient permission for site".
Earlier versions of the API seemed to support verification, but that has been removed and the documentation no longer mentions it. How can I go about verifying that my service account has access to the domain so that I can add sitemaps to it?
The short answer to this is that Google's Site Verification API can be used to verify ownership of the site, then other operations like adding sitemaps will also be permitted.
I have recently implemented the SSO functionality for a Google Apps Marketplace app we are developing. In simple words: it provides a way to retrieve the Google Apps' user's email and log him in in your website, without the need of authorization on his end. You just need the consumer key and consumer secret, provided by Google to the app during installation on your domain (the installing user also authorizes (a one time action) any other permissions you request in the Manifest file).
Now I have somehow managed to get the SSO user login working using JanRain's OpenID PHP library and adding Google Apps as provider using the PHP Extensions for Google Apps OpenID Discovery.
However, after logging in, I need to implement a functionality that will retrieve all users in a given Google Apps domain. I've already done that using OAuth2 authentication and the following Directory API. However, this requires the existence of a consumer key, consumer secret and a redirect URL (that must be registered in the Google API console).
Is there a way to remove this convenience and instead allow our users to directly be able to get their Google Apps domain's users, using the existing SSO authentication we made in the background while logging him in? Otherwise, it will be too much hassle for the user to register the app at the Google API console, enter the correct redirect URL and set it up in our website and then he will be able to get his domain's users.
Regular users cannot use the Directory API; you'll need to authenticate as an admin user to make Directory API calls.
Depending on your needs though for accessing all users, you may be able to get by with requesting access to the user's Contacts scope and grabbing a copy of the full Global Address List which contains information on all non-hidden domain users as well as non-hidden groups and shared contacts.
I'm writing an iPhone app which works against my own server.
Basically, it's a forum where users can post. I don't want users to sign-in for an account on my server but I rather prefer them to login using any existing account they have: Facebook, Linkedin, Foursquare, etc.
So from the app itself, I want them to be able to login using their existing account which will then allow them to post on the forum.
My question is that: when a user is posting a message, how can I verify whether or not he is logged in with any service? I need to validate it both on the client and server side. I plan on writing the server side using PHP.
Thanks
See this question for a similar discussion (just limited to Facebook sign on). Here's a high-level overview of what should happen (taken from that discussion I linked to):
1) User opens the app on the phone. Chooses a service with which to authenticate.
2) Authenticates via one of the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
3) Your app takes the token and sends it to your server.
4) Your server receives the token and validates it. It checks it against the service's API and (at least for Facebook and Twitter) gets the corresponding user ID.
5) Assuming a valid ID, your server checks if the user ID has already been used by some user. If so, it logs them in. If the user ID hasn't been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
6) The session key is used for all further communication between your app and your server until the user logs out.
On the phone, you're going to want some OAuth library to allow users to authenticate with another service. You'll probably want to use the Facebook iOS SDK to allow them to use Facebook and use one of the suggested OAuth libraries here for your other authentication services. I have only used the Facebook SDK, so I can't speak as to the general OAuth libraries.
Once logged in, the phone should not store the access token, only the session key.
Assuming that users can use more than one service to access their account, you will also want some way of connecting two services to the same user (probably by email address).
It's up to you to decide how your app and your server communicate. I'd go for a JSON+REST API for communications with the server.
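The server-side part of the flow described above, sketched in PHP as an added example that is not code from the original answer. `$introspect` is a hypothetical stand-in for the call to the provider's token-inspection API; its reply fields are modelled on Facebook's `debug_token` response, and the app ID, tokens and user IDs are constructed. Beyond what the answer lists, it also checks that the token was issued to your own app, so a token minted for some other application cannot be replayed against your server.

```php
<?php
declare(strict_types=1);

// Assumption: placeholder for the app ID the provider assigned to your app.
const MY_APP_ID = 'APP_ID_PLACEHOLDER';

function loginWithProviderToken(string $provider, string $token, callable $introspect,
                                array &$users, array &$sessions): ?string
{
    $info = $introspect($provider, $token);
    // Reject tokens the provider does not vouch for, expired tokens, and
    // tokens issued to a different application (audience check).
    if (!is_array($info) || empty($info['is_valid'])
        || !hash_equals(MY_APP_ID, (string)($info['app_id'] ?? ''))
        || (int)($info['expires_at'] ?? 0) <= time()
        || empty($info['user_id'])) {
        return null;
    }
    // Key local accounts on (provider, provider user ID), never on the token.
    $key = $provider . ':' . $info['user_id'];
    if (!isset($users[$key])) {
        $users[$key] = ['id' => count($users) + 1, 'created' => time()];
    }
    // Issue our own random session key; only its hash is kept server-side
    // and the provider token is discarded.
    $session = bin2hex(random_bytes(32));
    $sessions[hash('sha256', $session)] = $users[$key]['id'];
    return $session;
}

function userForSession(string $session, array $sessions): ?int
{
    return $sessions[hash('sha256', $session)] ?? null;
}

// Constructed provider replies for the stub: one good token, one for another app.
$now  = time();
$fake = [
    'tok-good'  => ['is_valid' => true, 'app_id' => MY_APP_ID, 'user_id' => '1001', 'expires_at' => $now + 3600],
    'tok-other' => ['is_valid' => true, 'app_id' => 'SOME_OTHER_APP', 'user_id' => '1001', 'expires_at' => $now + 3600],
];
$introspect = fn(string $p, string $t) => $fake[$t] ?? ['is_valid' => false];

$users = []; $sessions = [];
$s1 = loginWithProviderToken('facebook', 'tok-good', $introspect, $users, $sessions);
$s2 = loginWithProviderToken('facebook', 'tok-good', $introspect, $users, $sessions);
var_dump(userForSession($s1, $sessions) === userForSession($s2, $sessions)); // two logins, one account
var_dump(loginWithProviderToken('facebook', 'tok-other', $introspect, $users, $sessions));  // token for another app
var_dump(loginWithProviderToken('facebook', 'tok-forged', $introspect, $users, $sessions)); // token unknown to provider
```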
Another option to get your users to login using multiple services is Socialize (www.getsocialize.com). It's an open source SDK that manages your users and authentication so you don't have to implement all the steps that cbrauchli has outlined above.
I was exploring if better/easy to use/implement options exist in 2020 using third party libraries to allow login with social accounts. And found two options:
AuthorizeMe - https://github.com/rubygarage/authorize-me & https://rubygarage.org/blog/authorizeme-ios-libary
Auth0 - https://auth0.com/learn/social-login/ & https://auth0.com/blog/using-centralized-login-to-add-authentication-to-your-ios-apps/
AuthorizeMe supports:
Facebook
Twitter
Google
Instagram
LinkedIn
plus custom providers
Auth0 supports:
Facebook
Twitter
Google
Microsoft (Windows Live)
Yahoo
Instagram
Amazon
LinkedIn
Github
PayPal
vKontakte
Yandex
Box
Baidu
Ren Ren (Xiaonei)
Weibo
Shopify
Wordpress
Yammer
SoundCloud
and custom providers as well
Disclaimer: I am not affiliated with Auth0 or AuthorizeMe.