How to go directly to a HTML-form authenticator registration page from a MFA - curity

I am wondering how I can go directly to a HTML-form authenticator registration page from a Conditional Multi-Factor action (MFA).
In a switch action I want to go to a HTML form authenticator create account page.
The setup right to the HTML form is by using a conditional Multi-Factor action (MFA).
Switch -> MFA -> HTML-form
But can't figure out how to redirect directly to the create account (registration) page in HTML form. So that I don't first see the sign in HTML form page and have to click the Create account link

There is no built-in functionality to go directly to the registration page, but you have some options.
You could use the Attribute Prompt action to collect the data you want to register. Then you add an Autocreate Account action that will register the account. If you configure an Account Manager that has the option Set Password after activation enabled, the user will get an email with a link that prompts the user to set the password for the account.
The flow would be Attribute Prompt -> Create Account -> Authenticated, and the password will be set out of band.
Second option would be to create a custom action using the SDK that collects the data you need and creates an account using a Credential Manager and an Account Manager. Using the SDK is not available in the community license.

Related

How to create event in admin's app calendar using Microsoft graph?

I want to create a calendar event using Microsoft Graph with the app's admin username and password. Actually, my logged-in user does not have access rights to edit that calendar.
They only need to, by clicking the button in my app, perform flow that will send admin's username and password using for example Basic Auth without using token and get permission to create calendar event using:
https://graph.microsoft.com/v1.0/me/calendars/{calendar ID}/events
Is it possible to use Microsoft Graph without using tokens and Bearer Auth?
I want the user (with some action from my app) to produce a flow in which the app with the admin's credentials access the admin's calendar. Users only need to click the button. The user is just someone who starts the flow.

FusionAuth - Invite based user on-boarding with social logins

We create users with their email address. We send email to each user with a link to change password api with changePasswordId. When user clicks the link, he will be redirected to change password screen where he can set the password and access the application. This works.
But, now we want to allow users to register with their social Idps upon receiving invitation/verification email. Can't see any fusionauth documentation on this part.
Questions are as follows
How to let user select their social Idp while verifying their email?
Can a user have multiple logins with different Idps for one application in FusionAuth?
Is there any linking api which links all external user accounts with their fusionauth user account?
The flow we are expecting is :
Invite User -> User clicks link -> User will be presented with set
password and social logins-> User chooses google -> Google
authenticates user and returns token back to fusion auth -> fusion
auth links user's google account with already created (invited) user
account. -> Next time user logs in with google account -> Fusion auth
identifies the user and allows him to access the application.
Updated :
Let me try to explain our situation and need, with less focus on the password setup task:
We need to set up new users that are associated with google based education accounts on custom school domains. Teachers and students that might have addresses like first.last#middle.school.com We need to take the class roster from Google Classroom, initialize accounts for each student in our backend via our API which also creates FusionAuth user and app registrations for each.
Schools don't often want kids setting passwords on vendor sites. When we send the account confirmation / verification email to the new cohort of students they would ideally be directed to the approved and configured method for that domain (perhaps Google, Microsoft, other SAML or password). If we can't get selective about the confirmation method shown after the student provides her invited email address then we could present multiple confirmation options on the same screen and let the teacher direct the students to the correct choice.
But in summary we need to avoid requiring password setup and support confirmation with the invited social account when required by the school.
If I understand your use case correctly, what you want is to add the "Login with Google buttons" to the Setup Password workflow. This is different than the Email Verification workflow, so if you are looking for a way to log users in with their social profiles during Email Verification, that's something completely different. In fact, I don't think that is a use case because after the user verifies their email, they need to log in again and they can do that using their social profile.
Unfortunately, FusionAuth doesn't fully support the ability to allow someone to use the Setup Password workflow using a social login. It might be possible though using the Email Templates and Theme editor in FusionAuth. I haven't tested this, but you could try it and see if it works.
What you would do is to pass in a URL parameter to show the social login buttons during the Setup Password workflow. This would be something you could do in the email template for Setup Password like this:
Click this link to setup your password:
<a href="https://example.com/password/change/${changePasswordId}?showSocial=true">
Setup Password
</a>
Then, using the Theme editor in FusionAuth, you would add some code in to show the buttons like this (the ?? part is to handle when the parameter is missing):
[#if showSocial?? && showSocial]
show social buttons here
[/#if]
You could give that a try and see if it works for your use case. If it doesn't work, you can always open a feature request for this on our GitHub issue tracker and we can see if it receives enough upvotes to get on the roadmap. You can also engage FusionAuth professional services to build this feature for you as well.
For your other questions, you can have as many logins with external IdPs as you want for a single user. The user is unique by their email address.
I'm not sure what you mean by "linking api", but if a user logs in with an external IdP, their tokens from those external providers are stored on the user object. You can look up those values and then call third-party APIs with their access_tokens.
UPDATE 8/27/2019
Ah yes. The social login buttons do require all of the OAuth parameters, so this solution won't work because those parameters aren't part of the Setup Password workflow.
I guess I'm confused on how this actually works and whether or not this is a workflow FusionAuth should be handling. Social logins aren't generally used for account verification. They are normally used for account creation. For example, you could just send the student to FusionAuth before their account is created, they log in with their Google Classroom account, and then they have a FusionAuth account. Is there any reason the student can just log in after their account is created? Is that not essentially the same thing?
Could you do something where students that have accounts in Google Classroom are created in FusionAuth with a randomly generated 32 character password (for security) since they will be logging in with Google regardless. You can then just send them an email with a standard login link.
For students that log in with a username and password to FusionAuth directly, send them a Setup Password email. This will let them pick their own password.
In terms of account Linking, FusionAuth links accounts automatically based on email address (the unique login identifier actually). Therefore, you don't need to call any extra API to associate the social login with a user.
I might still not be clearly understanding the use case, so feel free to contact us directly using the form on our website. We might need to setup a web conference to discuss your needs in detail.
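The provisioning split suggested in the answer above (a random 32 character password plus a plain login link for Google-backed students, a Setup Password email for everyone else), as an added example that is not part of the original answer. The domain table, the function names and the `email_to_send` key are hypothetical; the `request_body` field names are assumptions to check against the FusionAuth User API documentation.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, ~190 bits at 32 chars

# Constructed sample: the sign-in method each school domain has approved.
DOMAIN_METHOD = {
    "middle.school.example": "google",
    "academy.example": "password",
}


def random_password(length: int = 32) -> str:
    """Throwaway password from the OS CSPRNG; never shown to the student."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def plan_user(email: str, domain_method: dict = DOMAIN_METHOD) -> dict:
    """Decide how one invited roster entry is created and notified."""
    domain = email.rsplit("@", 1)[-1].lower()
    method = domain_method.get(domain)
    if method is None:
        # Fail closed: do not fall back to password setup for unknown domains.
        raise ValueError(f"no approved sign-in method for domain {domain!r}")
    if method == "google":
        # The account only needs to exist; the student signs in with Google
        # and is matched to it by email address.
        body = {"user": {"email": email, "password": random_password()},
                "sendSetPasswordEmail": False}
        return {"request_body": body, "email_to_send": "login_link"}
    # Password domains: no password is set here, the student picks one.
    body = {"user": {"email": email}, "sendSetPasswordEmail": True}
    return {"request_body": body, "email_to_send": "setup_password"}
```
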

SigninwithIntuit with multiple user(the same QuickBook Company)

I've successfully integrated my application with QuickBooks Online. I successfully implemented the DirectConnectToIntuit, SigninWithIntuit and Disconnect scenarios and tested according to https://developer.intuit.com/docs/#api/deki/files/3143/recipe_for_review_success.pdf. I have a situation with DirectConnectToIntuit and SigninWithIntuit for multiple users. Consider the SigninWithIntuit scenario:
When a first user comes, they click SigninWithIntuit in my application, add their username and password, authorize by Intuit and come back to my site. As the user is new and his email address is not in my database, I show him the account creation form. When this user submits the form after filling it in, I create the database entry, create the user etc., then log in and show the ConnectToQuickBook button (G. in the above doc). Everything is OK up to now.
When another user is created in the same QuickBooks online company, then this new user clicks on SignInWithIntuit in my application, and they come back to my app after authorization. For this user, I will not show the account Creation form, I just create this new user and assign as a user of the previous created company, login and show the ConnectToIntuit button. But how can I determine the company of the user? I don't have an access token or access token secret yet to do that.
Can you please suggest one or more specific options to identify a new user of an existing company in my application? That will be very helpful.
thanks
sabbir

How to force account login for a single account user with Google's OAuth 2.0?

Sometimes when a user logins into a site with Google's OAuth 2.0 they choose the wrong account to login with. Normally this isn't a problem if the user has more than one account registered with the browser, google will automatically show the user select screen:
But if a user has only one account and is logged in, this screen is skipped. Instead I need Google's sign in panel to always appear, so that I can be sure the user has the option to try and enter the correct account. I tried using approval_prompt = "force", but that forces the acceptance of permissions rather than simply showing the login page.
How can I force Google's OAuth 2.0 to always show the login screen?
(and never automatically skip it)
Add the parameter prompt=select_account to your authorization request.
This will cause the account chooser to always be shown, even if the user is only logged in to one account. Users will be able to select from their accounts, or add a new one.
For example: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile+email&access_type=offline&prompt=select_account
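Retrofitting an existing authorization URL with `prompt=select_account`, as an added example that is not part of the original answer. It goes slightly beyond the answer by merging with any `prompt` values already present and by dropping the legacy `approval_prompt` parameter the asker tried, since a request carrying both is rejected; the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def query_of(url: str) -> dict:
    """Decoded query parameters of url (last value wins)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def force_account_chooser(auth_url: str) -> str:
    """Return auth_url with the account chooser forced on every request."""
    parts = urlsplit(auth_url)
    prompts, kept = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "prompt":
            prompts.extend(value.split())  # prompt is a space-delimited list
        elif key == "approval_prompt":
            continue                       # legacy parameter, conflicts with prompt
        else:
            kept.append((key, value))      # state, scope, redirect_uri, ... untouched
    # "none" means "show no UI" and cannot be combined with other values.
    prompts = [p for p in prompts if p != "none"]
    if "select_account" not in prompts:
        prompts.append("select_account")
    kept.append(("prompt", " ".join(prompts)))
    return urlunsplit(parts._replace(query=urlencode(kept)))
```
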

Require a code for login page for admin

I want to create an app for iOS devices which has only an admin login. Users register with their names and email IDs and do not need a password, and users do not need to log in here. Only the admin can log in and can view the user information only.
My question is: "For admin login page (username and password) have match from the web server which is using same as their website username and password"?
I am a beginner.
Thanks in advance
If you want to use the same web server you could have a separate route for login through the app say : '/login/admin'. This route has to be on the same web service which the web site uses.
You can then use the same validation that is used for the website but now you would also need to check that along with a valid username and password the user type has to be admin or any other flag that your system uses to distinguish users from admins.
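A sketch of the check described in the answer above: the `/login/admin` route reuses the website's credential validation and additionally requires the admin flag. This is an added example, not part of the original answer; the user table, the field names and the PBKDF2 storage scheme are assumptions standing in for whatever the website already uses.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(username: str, password: str, is_admin: bool) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "is_admin": is_admin}


# Constructed sample accounts standing in for the website's user table.
USERS = {u["username"]: u for u in (
    make_user("alice", "correct horse", True),    # admin
    make_user("bob", "battery staple", False),    # ordinary website user
)}
_DUMMY = make_user("", "unused", False)  # hashed against when the name is unknown


def check_credentials(username: str, password: str, users: dict = USERS):
    """The validation the website already uses: user record or None."""
    user = users.get(username, _DUMMY)
    # Always run the hash and compare in constant time, so unknown usernames
    # and wrong passwords are indistinguishable by timing.
    matches = hmac.compare_digest(hash_password(password, user["salt"]),
                                  user["hash"])
    return user if matches and user is not _DUMMY else None


def admin_login(username: str, password: str, users: dict = USERS):
    """Body of the app-only '/login/admin' route: (status, message)."""
    user = check_credentials(username, password, users)
    # Same response for bad credentials and for a valid non-admin account,
    # so the route does not confirm which website logins are valid.
    if user is None or not user["is_admin"]:
        return 401, "invalid credentials"
    return 200, "admin session for " + user["username"]
```
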
