Does anyone have a sample of performing active authentication to Office 365 using ADFS 2.0 as the IdP, without WIF? - windows-runtime

I need this for a Metro Style app, which can't use Passive authentication, and doesn't have WIF.
So far I've managed to get a SAML token from ADFS 2.0.
I now need to send this token to login.MicrosoftOnline.com, which will return me an SWT token to give to [mysite].sharepoint.com, which will give me cookies to include with REST requests.
ADFS 2.0 and login.MicrosoftOnline both talk WS-Trust. I've found many samples on the web that show how to send the token request to MicrosoftOnline, but they all rely on sending the username and password along. In this case, however, MicrosoftOnline doesn't have permission to authenticate the password directly. My only option is to give it the SAML token.
The username and password I'm using work fine when using passive authentication, so the credentials are not the problem.
Samples can be in any language (except Klingon), but .Net is preferred.

A bit late; I did not see your question until today. I did manage to send a SAML token to SharePoint Online with this code (using usr/pwd): http://sharepointwinrt.codeplex.com/
Maybe it will give a starting point for you.
Cheers,
Juanma

Related

Log-in to an external site from Gmail Addon

First of all, sorry for my bad English :)
I am building a Gmail add-on which integrates file uploading to an external website using their API. The API has an auth endpoint which uses a plain authorization flow, i.e. it takes the email and password of a user to authorize and returns an authorization token. That token is then used in the subsequent calls of the file uploading process.
My question is: it has been mentioned in the Gmail add-on guide that an app should use OAuth when connecting to a third-party service. However, the related website's API does not have OAuth but uses a plain authorization flow. If I create a login form with email and password fields using the card service, would that be okay and approved by Google to be listed in the add-ons directory? Creating OAuth on the third-party service is not in my hands.
Thank you!
Q: would that be okay and approved?
My experience is that it is OK to use basic authentication (since a lot of APIs still use basic auth, it would be devastating if the use of the API were prohibited); most likely you will be approved. However, if there is ever a version of the API that supports OAuth, please migrate as soon as possible.
Caveats
You mentioned creating a login form in CardService: please be aware that there are no "password"-style TextInputs, so all characters will be visible all the time. Also, there isn't, as of yet, any support for the input event, so you won't be able to emulate the behaviour easily.
If you are planning on storing the credentials, try to avoid using PropertiesService - it isn't considered a secure storage (though if credentials are to be entered only once, storing the token should be fine).
You will still be asked to implement the authorizationCheckFunction.

Featherjs authentication: Login using OTP

I'm using local strategy for authentication purpose using featherjs framework.
Besides the username and password auth mechanism, the client wants to log in using username and OTP.
Can someone give me a hint on how I can achieve this?
I've studied the existing framework feathersjs-authentication, but I could not understand how I can extend it to support this need.
I could solve the problem using the package feathers-authentication-custom.
It gives you a hook wherein you can add your auth verifier. In my case, I keep the OTP associated with the user id. When the user calls authenticate with the custom strategy, the verifier middleware gets called. Here I verify the OTP and pass back the token to the client.

Possible pitfalls when switching from Gmail SMTP to the Gmail REST API

Google offers two systems for accessing Gmail: IMAP and SMTP, and the Gmail REST API. The scope for SMTP is https://mail.google.com/. However, with the Gmail REST API, just the required scope (like send, modify) can be used.
What are the main differences between the implementation of these two for sending an email? I've been using SMTP to send the mails without any issues but since that involves having a bigger scope for OAuth2, I want to know if there are any possible risks involved in moving to the API approach.
Users.messages: send says there's a restriction on attachment size:
This method supports an /upload URI and accepts uploaded media with the following characteristics:
Maximum file size: 35MB
Accepted Media MIME types: message/rfc822
Are there any other differences that I should know about if I start using the Gmail APIs instead of an SMTP connection with OAuth2?
Also, what is the reasoning behind providing full access as the only possible scope for SMTP/IMAP?
Note: my only requirement is the ability to send emails.
Using SMTP you are directly accessing the mail server located at mail.google.com. SMTP servers have been around since the 60's; they don't have the ability to limit what access you have. When you log in you have full access to do whatever the mail server in question is capable of. To log in to the SMTP server you need the login (most often the email address) and password of the account you wish to access. The drawback to using SMTP to connect to Gmail is that if the user changes the password you would then lose access. In this day and age it is also considered by most to be bad practice for third-party developers to be storing a user's login and password in their system. For example: I would never give any application access to my login and password for Google. How could you ever prove to me that your system is secure? If you're hacked, so am I.
Now on to OAuth2. OAuth came about sometime around 2005 when people wanted to be able to access APIs without having to do something stupid like
http://awsom.api.com?login=xxx&password=XXX
If memory serves, it was originally created for the Twitter API; developers wanted to be able to access their users' Twitter accounts without having to store their login and password. Again, the main problem with this was that the developer in question would then have full access to a user's Twitter account, and if the user or the developer changed the password things would break.
So they created OAuth. The main features with OAuth are:
You can limit access you give an application: (readonly, read write)
Password change does not affect access
No sharing account credentials with developers of third party apps
So the main point for me as a developer using OAuth with any Google API would be not having to store the login and password of my users and not being affected by a password change. My users would probably say not having to share their login with me and being able to give my application limited access to their account.
Now back to Gmail. Google made a change about two months ago: any refresh token (OAuth2) that was created using a Gmail scope will automatically expire when the user changes their password. To my knowledge this is only Gmail, so that removes point number two from the features of OAuth.
Which you should use is really up to you, assuming you need to be able to send emails; then limiting access to read-only in your application isn't something you need (point one). However, in my opinion, from a security standpoint I would never ask my users to give me their login and password and would always choose OAuth2. Yes, SMTP works. Will Google shut it down? Probably not; users have always been given access to the direct SMTP server of their email provider, it's how applications like Outlook work.
As for OAuth support with SMTP, unfortunately I haven't done much research into that; I guess I need to read RFC 4422. If you can use OAuth with SMTP servers then again I guess the question would have to come down to speed: is it faster to access the SMTP server or the REST API server? I can really think of no differences. Attachments with the REST API can be tricky. I may do a bit more digging on the subject.

Sign In on Exchange Online EWS

Which is the correct way to perform a sign-in on O365 Exchange in order to use EWS? I know that ADAL exists to perform authentication against O365, but since the code is highly tied to the tenant, ADAL is not a solution for my problem.
I'm developing an iOS App that needs to interact with Exchange (O365) and I'm unable to perform the authentication correctly.
To use Exchange Web Services in Office 365, you can either use Basic authentication or OAuth. OAuth (which I think is what you mean by ADAL) is the recommended method. It's not tied to a tenant, but it does require that you register your application in a tenant (can be your own developer tenant) to get a client ID.

Ping Federate Identity Provider

I am new to setting up a Ping Federate identity provider configuration and writing code to get a token. I have got a ppt file which explains how a web client connects to the Ping Federate server and gets a token, and they mention to pass client_id as a param, but I have no idea what client_id is.
Does anyone have any idea?
client_id is your user identity. When you call writetoken() method, it has parameters to pass... hope this helps.
I will assume you are using OAuth2 or OpenID Connect and calling PingFederate to get an Access Token.
First, here is a detailed explanation of what a client is, RFC 6749 Client Registration, and its role in this authentication protocol.
Second, once you understand this topic, you must configure Clients on Ping. For that you must follow their documentation, Client Management.
Finally, you must point your web application to the OAuth2 endpoints, passing the client_id and client_secret; depending on which OAuth2 flow you are using, that will get you closer to getting an access token. You can find more information about that on the Ping documentation site.
Hope this helped.