If I use GMAIL to authenticate then can ANYONE use my app? how is this secure?

Question
-
User2142845853 posted
How can the Gmail user list be controlled? I set up the Gmail authentication and it works for the app:
    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = "9961223819-cjk4s3e---c7xhk7oe-cll.apps.googleusercontent.com",
        ClientSecret = "AUIvc3I---APAlPxmV5iI"
    });
Now it lets the Google part authenticate a user. But this should only be for my own Admin, but that's impossible because I would have to approve users' use of Gmail and my app.
Is there a way to control an email address list, so only they are allowed to get access? How can I maintain who gets access?
Will also ask my cat; I can guess the answer (meow), but at least it's something.
Wednesday, May 4, 2016 4:01 PM
Answers
-
User-718146471 posted
Hm, that was faster to find than I thought: http://www.oauthforaspnet.com/providers/google/
Particularly, check out this part:
Retrieve access token and other user information returned from Google
You can retrieve the access token and other user information returned from Google in the OnAuthenticated callback function which gets invoked after the user has authenticated with Google:
    var options = new GoogleOAuth2AuthenticationOptions
    {
        ClientId = "Your client ID",
        ClientSecret = "Your client secret",
        Provider = new GoogleOAuth2AuthenticationProvider
        {
            OnAuthenticated = async context =>
            {
                // Retrieve the OAuth access token to store for subsequent API calls
                string accessToken = context.AccessToken;
                // Retrieve the name of the user in Google
                string googleName = context.Name;
                // Retrieve the user's email address
                string googleEmailAddress = context.Email;
                // You can even retrieve the full JSON-serialized user
                var serializedUser = context.User;
            }
        }
    };
    app.UseGoogleAuthentication(options);
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Thursday, May 5, 2016 5:51 PM
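The marked answer shows where the Google-supplied e-mail address becomes available; the replies below suggest comparing it against a small table of authorised addresses with an admin flag. The following is an added example (not code from this thread or from the oauthforaspnet page) that wires the two together with the Microsoft.Owin.Security.Google (Katana) middleware the thread uses. It assumes a hypothetical IAllowList / InMemoryAllowList standing in for the database table, constructed sample addresses, a hypothetical /Account/AccessDenied page in the app, and the Katana handler's behaviour of skipping sign-in when OnReturnEndpoint leaves Identity null.

```csharp
// Added example: restrict Google sign-in to an allow-list of e-mail addresses.
// Assumes the Microsoft.Owin.Security.Google package; IAllowList and the
// /Account/AccessDenied page are hypothetical names for this illustration.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Google;
using Owin;

public interface IAllowList
{
    // Returns true when the address is authorised; isAdmin carries the admin flag.
    bool TryGet(string email, out bool isAdmin);
}

// Hypothetical in-memory stand-in for the "small table" of authorised addresses.
public sealed class InMemoryAllowList : IAllowList
{
    private readonly Dictionary<string, bool> _entries =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        {
            { "owner@example.com", true },   // constructed sample: admin
            { "helper@example.com", false }, // constructed sample: ordinary user
        };

    public bool TryGet(string email, out bool isAdmin) => _entries.TryGetValue(email, out isAdmin);
}

public static class GoogleAuthConfig
{
    private const string AllowedClaim = "urn:example:allowlisted";

    public static GoogleOAuth2AuthenticationOptions Build(IAllowList allowList, string clientId, string clientSecret)
    {
        return new GoogleOAuth2AuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Provider = new GoogleOAuth2AuthenticationProvider
            {
                // Runs after Google has authenticated the user. context.Email is the
                // address Google returned, or null if the email scope was not granted.
                OnAuthenticated = context =>
                {
                    bool isAdmin;
                    if (!string.IsNullOrEmpty(context.Email) && allowList.TryGet(context.Email, out isAdmin))
                    {
                        context.Identity.AddClaim(new Claim(AllowedClaim, "true"));
                        if (isAdmin)
                            context.Identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
                    }
                    return Task.FromResult(0);
                },
                // Runs just before the middleware signs the user in. Clearing Identity
                // prevents the sign-in; RedirectUri sends the visitor to an access-denied page.
                OnReturnEndpoint = context =>
                {
                    if (context.Identity == null || !context.Identity.HasClaim(AllowedClaim, "true"))
                    {
                        context.Identity = null;
                        context.RedirectUri = "/Account/AccessDenied"; // hypothetical page
                    }
                    return Task.FromResult(0);
                }
            }
        };
    }

    // Call from Startup.ConfigureAuth(IAppBuilder app).
    public static void Register(IAppBuilder app, IAllowList allowList, string clientId, string clientSecret)
    {
        app.UseGoogleAuthentication(Build(allowList, clientId, clientSecret));
    }
}
```

Addresses are compared case-insensitively so that a differently capitalised entry in the table does not lock the owner out. Anyone not on the list never receives a sign-in cookie at all, which is the check the original question asks for; the "Admin" role claim added for flagged entries can then be required on admin controllers with [Authorize(Roles = "Admin")].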
All replies
-
User-718146471 posted
Well, what I would do is create a small table in the database into which you would enter the appropriate email addresses. You can expand that to have a column titled AdminUser as Boolean. Then you compare the email of the user attempting to log on to the app against that list; if that address has not been authorized as admin, toss them to the unauthorized page. This may mean you will have to create a secondary authentication mechanism to allow only users on your VIP list to enter the site as admins. At least in my experience with AD, there were numerous attributes AD didn't offer and the AD Admins were not going to let me add extra stuff to AD.
Wednesday, May 4, 2016 7:32 PM
-
User2142845853 posted
Great! Where do I intercept or catch the user email that's trying to log in?
Wednesday, May 4, 2016 7:38 PM
-
User-718146471 posted
Well, the first thing you need to do is examine the Google API to determine what variable would provide the email address. I'll see if I can find it, but I would like your help researching this :)
Thursday, May 5, 2016 5:48 PM
-
User2142845853 posted
Yes, by all means; I have been scouring anything I can find. Will look at the Google API also.
Was trying to put something "in place of" the Google API, something that just offers some basic user control installed on my server. Cannot make AD and single-user auth work that way,
but I'm sure it has to work.
Thursday, May 5, 2016 5:52 PM
-
User2142845853 posted
Excellent! I'll apply this and post the results: something to search a table for the email and show success or a "need to contact admin" kind of thing.
I'm not familiar with that dereferencing, interesting to learn it,
    OnAuthenticated = async context => {
Stuck in the code section; what kind of notation is this? LINQ? I will be trying it and find out, thanks
Friday, May 6, 2016 1:44 AM
-
User614698185 posted
Hi rogersbr,
will look at the google api also
As bbcompent1 provided, you want to use Gmail to authenticate. You should take the following steps:
1. Navigate to the Google Developers Console.
2. Click the Create Project button and enter a project name and ID (you can use the default values). In a few seconds the new project will be created and your browser will display the new project's page.
3. In the left tab, click APIs & auth, and then Credentials.
4. Click the Create New Client ID button under OAuth.
   1) In the Create Client ID dialog, keep the default Web application for the application type.
   2) Set the Authorized JavaScript origins to the SSL URL you used above (https://localhost:44300/ unless you've created other SSL projects).
   3) Set the Authorized redirect URI to: https://localhost:44300/signin-google
5. Click the Consent screen menu item, then set your email address and product name. When you have completed the form, click Save.
6. Click the APIs menu item, scroll down and click the off button on Google+ API.
7. Copy and paste the AppId and App Secret into the UseGoogleAuthentication method.
Best Regards,
Candice Zhou
Wednesday, May 11, 2016 6:59 AM