I am using IMAPSYNC and I want to authenticate to a user who has MFA (multi factor authentication) enabled.
I thought this would be as simple as swapping out the users password for the app password but it doesn't appear to be authenticating.
I've tried the following methods
--host2 outlook.office365.com --ssl2 --authuser2 user#example.com --user2 user#example.com --password2 apppasswordgoeshere
--host2 outlook.office365.com --ssl2 --authuser2 user#example.com --user2 user --password2 apppasswordgoeshere
--host2 outlook.office365.com --ssl2 --user2 user#example.com --password2 apppasswordgoeshere
What is required for MFA. I've tried to consult https://imapsync.lamiral.info/FAQ.d/FAQ.Office365.txt but only one anecdotal remark about MFA is mentioned but that doesn't appear to be working.
Related
I've currently installed freeradius on a CentOS server so that I can use a MFA with google authenticator.
The main purpose is the user submits it's username and password(with GoogleAuth code added to password) and freeradius checks against a AD Server if its ok to access.
Well so far so good the Radius server comunicates with AD and validates the user as long as the username has the format user#domain.local
I wanted to be able to allow the user to only submit the username and not adding the #domain.local to the "textbox"
Is there anyway I can tell freeradius pam module to add the suffix to the authentication ?
I am trying to implement a reset password flow with devise token auth gem: https://github.com/lynndylanhurley/devise_token_auth
The end client will be a mobile device (e.g. iOS, Android). I am uncertain as to how the native clients will be able to catch the url to reset password and display a password form through deep linking. Here are the general steps as I understand them:
Fire a POST to auth/password with an email and redirect_url
This will send an email with a link to reset the password and an included reset_password_token query param.
Clicking on the link fires a GET to auth/password/edit
This GET then fires a http 302 redirect to the redirect_url sent in the first request with the reset_password_token in the query params. The redirect_url should route to the form intended to display a password field to reset a user's password. On mobile clients, ideally this would be handled as a deep link.
I am confused as to how the mobile apps will handle step 4. I heard it's difficult to deep link in a native app through a 302 redirect/may not be possible. Is there a part of the flow I am misunderstanding perhaps? I'd appreciate any clarity on how I can implement this flow successfully for mobile clients.
For reference here is the guide I am following from the official docs: https://devise-token-auth.gitbook.io/devise-token-auth/usage/reset_password
Problem: Missing OAuth 2 Refresh Token.
The problem is that the localhost version receives a Refresh Token as part of the granted token but the same code running in GCE does not.
Details:
I have written a Python Flask application that implements Google OAuth 2.0. This web application runs in the cloud with a verified domain name, valid SSL certificate and HTTPS endpoint. This web application unmodified also runs as localhost. The differences between the runtime is that the localhost version does not use TLS. There are no other differences in the code flow.
Other than the Refresh Token is missing and I cannot automatically renew a token, everything works perfectly.
I have researched this issue extensively. API problems such as access_type=offline etc are correctly implemented otherwise I would not get a Refresh Token in the localhost version.
I am using the requests_oauthlib python library.
gcp = OAuth2Session(
app.config['gcp_client_id'],
scope=scope,
redirect_uri=redirect_uri)
# print('Requesting authorization url:', authorization_base_url)
authorization_url, state = gcp.authorization_url(
authorization_base_url,
access_type="offline",
prompt="select_account",
include_granted_scopes='true')
session['oauth_state'] = state
return redirect(authorization_url)
# Next section of code after the browser approves the request
token = gcp.fetch_token(
token_url,
client_secret=app.config['gcp_client_secret'],
authorization_response=request.url)
The token has refresh_token when running in localhost but not when running with in the cloud.
This Google document discusses refresh tokens, which indicates that this is supported for web applications.
Refreshing an access token (offline access)
[Update 11/18/2018]
I found this bug report which gave me a hint to change my code from this:
authorization_url, state = gcp.authorization_url(
authorization_base_url,
access_type="offline",
prompt="select_account",
include_granted_scopes='true')
to this:
authorization_url, state = gcp.authorization_url(
authorization_base_url,
access_type="offline",
prompt="consent",
include_granted_scopes='true')
Now I am receiving the Refresh Token in the public server version and the localhost version.
Next I searched for documentation on the prompt option and found this:
OpenID Conect prompt
prompt (Optional)
A space-delimited list of string values that specifies whether the
authorization server prompts the user for reauthentication and
consent. The possible values are:
none
The authorization server does
not display any authentication or user consent screens; it will return
an error if the user is not already authenticated and has not
pre-configured consent for the requested scopes. You can use none to
check for existing authentication and/or consent.
consent
The authorization server prompts the user for consent before returning
information to the client.
select_account
The authorization server
prompts the user to select a user account. This allows a user who has
multiple accounts at the authorization server to select amongst the
multiple accounts that they may have current sessions for.
If no value is specified and the user has not previously authorized access, then
the user is shown a consent screen.
I think the Google documentation should be updated. On the same page, the following text appears:
access_type (Optional)
The allowed values are offline and online. The
effect is documented in Offline Access; if an access token is being
requested, the client does not receive a refresh token unless offline
is specified.
That statement caused me a lot of confusion trying to debug why I could not obtain a Refresh Token for the public server version but I could for the localhost version.
I have an issue when logging in with Facebook in my iOS app. Everything works ok until I change my Facebook account password. After that, I open my app and it requires that I login again. But after I re-enter my new password and login succeeds, I get the new access token with this call [FBSDKAccessToken currentAccessToken].tokenString and discover that access token is invalid.
I tried to debug with the Facebook Debug tool and I always get this result:
Error validating access token: Session does not match current stored
session. This may be because the user changed the password since the
time the session was created or Facebook has changed the session for
security reasons.
Please help me! :( I need to send this access token to my server so my server can get the user info. But after users change their Facebook account password, the token will become invalid and then my server code doesn't work.
I would like a Web site (Rails 3.1 with Devise and Omniauth) and a mobile application (iOS5) to share authentication. By this I mean I would like a user to be able to SSI to the site with Facebook, or SSI to the mobile application and have the mobile application talk to the website's API using the user's credentials to authenticate to the website.
I currently have the web side working nicely with a User being able to SSI to an account. I also have the mobile application working, supporting user SSI. Both are using the same Facebook application.
My problem is finding something shared between the two that I can use for the Mobile application to authenticate against the site. Obviously both have access to the same user ID, but this doesn't seem very secure. My mobile application has an Access Token, but this differs from the website's access token, though they look similar, and my mobile access token expires while my web access token does not.
Web/Rails Token (Not real):
DDDAKnu1dg40BDHEWN0VDssxs8GGF8ZBEEOb38HnS0IUEQC1NSufmPCcGeFkTuw39ZDl7OhlZBD2jwJEqXdAZCtZBflJRQKZB4ZA
Mobile/iOS Token (Not real)
BDDAKnu1dg40BDEo3YjZD2hIwjfZB4slXJj3fmHfzLh5q1xZD0ShfJCb6PMjnApkpM0FTuGGvWnzZBQy4GZCMuysEEqhMz8YgruD53TXKTZC0GPFkfVe0b6fe8wieLLOZDDZA
Using Facebook's access token debugger I get the following (Everything removed is identical between tokens):
For Web/Rails Token:
App ID:
XXXXXXXXXXXXXXXX : SomeAppName
User ID:
XXXXXXXX : My Name
Issued:
1327507734 : 8:08 am Jan 25 2012
Expires:
Never
Valid: True
Origin: Web
Scopes: email offline_access
For Mobile/iOS:
App ID:
XXXXXXXXXXXXXXXX : SomeAppName
Metadata: {"sso":"iphone-safari"}
User ID:
XXXXXXXX : My Name
Issued:
1327507734 : 8:08 am Jan 25 2012
Expires:
Never
Valid: True
Origin: Native Mobile
Scopes: email offline_access
Just for the record, the way I have ended up handling this is to pass the mobile token to the server and have the server check the token's authenticity. Once this is confirmed I can check authenticate against my records using uid and email.
You have to do small change in facebook API, in authorization, change from
[self authorizeWithFBAppAuth:YES safariAuth:YES];
To
[self authorizeWithFBAppAuth:NO safariAuth:NO];
Because somethimes there is problem with token when you want to auth by fbApp or Safari. I had this same problem, token in my web services was different because of this.
A possible method to solve this is to authenticate via facebook on mobile then send the an encrypted f_uid over to the rails app which will then decrypt the f_uid and see who is actually logging into the server.