Honestly, I am not sure how to describe my specific problem but I can give a concrete example.
You have a web page that asks users to connect various social media accounts. Once they do this, you provide the connected accounts to a backend which can connect to each social media account (using oauth or auth or whatever) to pull different data and provide a social media analytics report. Assume this is all secure and safe, this is not the main concern.
Now suppose the following:
A third party website uses your services to determine if users can be eligible for sponsorship based on your analytics reports. They have their own form that they request users to fill out and at some point the form re-routes the user to your web page for the social media analytics part. Upon completion, your site must send that user back to the third party's website with the social media analytics report. How would you do this, securely?
I thought of something like the following:
The third party routes their user to your website by making a GET request with the following parameters: applicationId=some_third_party_application_id&callbackUrl=their_callback_url.
Your webpage could pull the applicationId and the callbackUrl from the parameters and cache it in localstorage or whatever.
The user goes through your flow by connecting various social media accounts and your webpage sends these connections to a server which computes the social media analytics report.
The analytics report id is returned to the webpage by your backend and now the webpage can send back this id of the analytics report to the callback url that was initially specified in step 1.
The flow resumes on the third party's webpage and they can then call another api of yours to get the analytics report details from the id of the report you sent back via the callback url.
The third party then uses the details of the report to determine if the applicant is worthy of sponsorship.
I guess another example of this flow could be like credit reports for like a car loan or something. You would apply for a loan on one website that integrates with a credit provider. The credit provider sends back the report to the auto loan provider and this is done seamlessly and securely.
How is this done/implemented in the examples I have outlined securely? Are my thoughts on the right track?
Related
I have this website where Bank users register using API and then Bank can use our SSO login API to log their users directly from Bank's mobile App or website. Now the Bank wants to log into our website via Banno's OAuth. Such that users log into Banno via Bank and then login directly into our website.
How can this be achieved? How will banno know which user to login? How to make it without having users to come into our website and fill user's login details? Can anyone help?
It sounds like your scenario is looking for Banno to be the 'Identity Provider' which is supported by our OAuth + OpenID Connection implementation in our Authentication Framework.
It'll be a good idea to take a look at the Consumer API OpenID Connect Example for inspiration.
When you run that example project, you can navigate in your web browser to https://localhost:8080/login.html. That'll show a page with a "Sign in with Banno" button. The page is meant to be a generic representation of what a non-Jack Henry web page would be.
Imagine that the button was formatted to say "Sign in with [Financial-Institution-name-goes-here]", it would be the same concept.
When you click the "Sign in with Banno" button, you'll be redirected to the Garden demo institution. This happens because the example project is configured to begin the authorization flow and use Garden.
If you're not signed in as your user in Garden, you'll be prompted to sign in.
It's worth noting that the username + password are never shared back to the example project...the user is logging into their (Banno-powered) financial institution.
After signing in (and accepting the permissions which have been requested), your web browser will be redirected to https://localhost:8080/me which finishes the authentication flow.
That page then displays the Identity Token for your convenience as a developer.
The content of the Identity Token is usable to cross-reference the user to your existing system and/or to prefill out registration forms.
Hope this helps!
I am trying to track all CRUD activities on my web app. I am using React and .NET with MySql. Idea is that if someone edits let's say client data (phone number, address, etc...), I want to have something like an activity log where I will see WHO edited that client and WHAT he edit.
Let's say You are an admin, and you go to list off all clients, then U click on one and get redirected to the preview page of that client. On the bottom, you will see the activity log.
We want to provide seamless access for all our users to SP's like publishers. The SP's are independent and provide services to a lot of different companies, i.e., we each have independent IdP solutions.
We want it to work as if there were no authentication, i.e., the user find a link on the Internet and follow it. If the site provide special services (that we pay for) for our users we would like them to use our own IdP (but only for our own users) to authenticate them.
Our current SAML setup requires that the SP support IP-address recognition and/or use specific domain names, i.e., the user access a specific domain name or come from our IP-ranges so the SP knows which IdP to redirect to but if our user comes from any other IP-address and don't access a specific URL the system is lost.
How is this solved?
I think a cookie given by the SP every time the user gets authenticated (from our network which the SP recognizes) can solve this but is that the standard? And it is not really a solution as it requires that our users have visited them at least once from our network!
This isn't so much a SAML question as it is an identity provider discovery problem which isn't specific to the protocol. How is a publisher supposed to know / decide that a particular user should be redirected to your IdP via SAML or any other protocol? This isn't a tractable problem in a general sense. The publisher and you will need to agree on a contract between two entities (you and these publishers) when it comes to these special users / services.
One possible implementation of IdP discovery that doesn't involve domains or IP ranges is a dynamic lookup of the IdP based on the user's identity. User clicks a link, navigates to the publisher site and attempts to login with (for example) his identity of myname#mycompany.com . The publisher can then do a lookup of mycompany.com in their identity store of special users / services / IdPs and determine that this user should not be allowed to login with local (publisher-managed) credentials. Instead, the user should be sent to some 3rd party IdP via a SAML authentication request. The publisher can do this at the time of user login but before the user has a chance to enter their publisher-managed credentials, be it via your favorite AJAX technique or some other form of UI gratification.
The publisher could use a persistent cookie so that the next time this user comes to this publisher they'll know that this user "belongs" to a 3rd party IdP and redirect accordingly.
I am deeply into learning about App Script but there is so much the Google has to offer I'm a bit overwhelmed at figuring out what I need.
I'm designing an online volunteer application work-flow and eventually other things for a non-profit organization.
Here is how I envision the process flow going.
New user comes up first Web App page asks for first last middle and email address
First Last Middle are used together in some way to create a domain log on for the user using the provisioning API (already figured this part out) while prompting the user to create a password
At this point the user is passed to the actual application web app that runs only for domain users so that the relaxed rules of app script for user behind a domain can be leveraged and also so the entire ebb and flow of information stay behind our domain.
Now where I am unclear on is the jump from step 2 to step 3.
What would be the best and most painless (for the user not me) way to put together the transition from running the entry point app that creates the new users domain account as essentially an anonymous user identity to running the domain level app AS their new domain user identity.
I've been studying OAUTH but it seems that is more for external integration with things like drive and youtube etc. My goal with this project is to have everything (aside from things like client side validation and jQuery) running from Google's Cloud.
In #2 i asusume you have a pool of unused gapps accounts.
In #3 you need to get the user logged in in gapps first . For that you need to show a special login url that will redirect to fhe other app. Another is to do a manual oauth flow and use the redirect url to get to fhe new app.
I have a simple product catalogue for businesses. There is a catalogue's management interface for adding products. Each business has a unique domain name where all its products are listed.
I would like to extend catagloue's functionality and allow businesses to have their products listed on facebook.
Functionality of the facebook application:
- Each business can install application from catalogue's management interface (I would like to have a button that opens facebook in a new window and prompts user to authorize access to one of user's existing Facebook Pages)
- installing application adds a Tab on selected Facebook Page,
- by clicking on a Tab visitor of the Facebook Page is presented with a list of products specific for this business. Data for that page is dynamic and can be accessed with a REST call and presented as json or html.
We would like each business that have a product catalogue with us to install application and have it automatically configured to use specific domain name when requesting product data.
Is it all technically possible? Could you point me into the right direction on how to
- install application from external website
- configure that application with a parameter (perhaps passed in url when requesting application installation)
- automatically add Page Tab for this application
Cheers,
Michal
Yes it is possible. But it'll be a little different from what you are thinking, i guess.
I recently implemented code to add a tab to a page programmatically, it is as follows(in PHP) :
$tabAdded=$facebook->api("/".$id."/tabs","post", array("access_token" => $access,
"app_id" => $fbconfig['appid']));
From the code we see that we need an app id, an access token, and the page id($id). $facebook is an instance of the FacebookPHPSDK.
So here's how we can get the three things in question:
First app id, you'll need to create a Facebook page tab app, select Page Tab in the app's Basic settings (where you can mention the page tab url. This url will have the content for a page tab.) You'll also need to enable website because you need to ask the user for necessary permissions (namely manage_pages). For your specific requirement you have to give the domain of the catalogue management app.
Second page id and access token, once you have manage_pages permission you can query the graph api to get the pages of the user using : api('me/accounts') this returns data with page name, page category, page id, page access token for all the user's pages.
#thaddeusmt has already mentioned that you can't create new applications, and need to use the same app, you have to read the signed request and get the page id, and serve content. All that will be left to do is link your customer domains to the correct page ids.
Hope this was useful.
You can install/uninstall (add/remove) application tabs to/from Pages using the Facebook API:
http://developers.facebook.com/docs/reference/api/page/#tabs
You cannot create new applications, however. So you will need to use the same application for each Page.
The way you can show different content for each Page in the Tab (using the same application) is by checking the Signed Request. This contains the ID of the Facebook Page. The code that serves up your application Tab can look at the Page ID and serve up the appropriate content for that Page.
I hope this helps get you on the trail. Good luck!
Yes it is possible.
It's a two way process
First you have to get page_access_token through graphAPI.
www.facebook.com/?fields=access_token
This will return Page_access_token.
Use page access token and use post method
www.facebook.com/yourpageid/tabs/
Post Parameters:
app_id= 'YourAppID'
access_token = 'access_token'
That way you can add your facebook app into facebookPage.