Using One Time Password as main authentication - oauth

I need to implement the equivalent of One Time password, meaning that I need the flow:
User enter contact address (phone number, email ....)
The server generates a short password, send it to the user through mail/sms/pidgin
User read the message, and copy past the code in the app.
Server authorize credential and approve login (create a session/return token to the user)
I do not want to the user to type/update/reset any other password, once the one time password has been entered, he is logged in.
I am looking at OTP for this, but all I can find for OTP is to be used as MFA in combination of the user actual password.
Is there a name for such login flow? Any literature about it?
Thank you

Such a flow is usually called a "magic link".
https://auth0.com/docs/connections/passwordless/guides/email-magic-link
https://docs.magic.link/welcome

Related

Implementing username reset rails 5

I have a rails app and I have implemented devise, password resets etc that are built into devise.
I have a username field, however, I now need to allow the user to reset this too from the login page following the same flow as the way devise does password resets (recoverable).
I have a forget page where the user can select whether they have forgotten their password or username, the password flow is built-in devise, however, I'm unsure how to go about doing the username reset.
I have the views, but I need help with the backend so the flow I need is the user clicks that they have forgotten their username, they enter their email, they get sent a username reset email with a link with a generated token, clicking that link should send them to a page where they can reset there username.
Some images for reference
Any help here would be great.
#debugabug I think it can be an api call when user clicks on forget username or forget password. Having code common for both is better than to duplicate it.
The API call is a POST call with email address in case of 'forget username' or username in case of 'forgot password'. Based on the incoming parameter, backend can decide the next workflow.

How do I save a user to a database after OAuth with Google Sign In API?

My question is similar to What data can I save in my database to verify a user with Google sign in API?
I've built Google Sign In correctly and I get a response from the API like this:
{
"iss":"https://accounts.google.com",
"at_hash":"xxx",
"aud":"xxx.apps.googleusercontent.com",
"sub":"xxx",
"email_verified":true,
"azp":"xxx.apps.googleusercontent.com",
"email":"xxx#gmail.com",
"iat":xxx,
"exp":xxx
}
The SO link above says to save the sub field as this is a unique identifier. I can save the email/sub no problem. My question is: How do I allow this user to sign in next time with an email/password form, if they choose to do this, versus OAuth? I guess I could force them to sign in thru OAuth, then verify they're signed in and have them create a password, but I don't know if that's the best way to do this.
The "sub" parameter is only guaranteed unique for the "iss" parameter. So the combination of "iss" and "sub" is globally unique.
If you MUST store a password you will need to ask the user. Some apps put in a random-complex password for every user as some application frameworks require a password. This may be helpful if they forget they used Google to sign in for you to do you due diligence in assigning a temporary password for the user with the email address.
You should of course consider that the email address is globally unique at any given time, but could be reassigned in some cases.

Login or create for Devise on Rails?

I intend to build a customized logic on Devise on Rails. Here is the logic: user can try to login, and if the does not exist, then it will create the account for the user. Just to skip the registration process.
Now sure how to hack into Devise. Please help!
Thank you in advance!
Edit: Sorry that I didn't make it clear enough: I have implement the on-create-validation on the user model to authenticate with another system. Logic is:
If success with another system's authenticator, then create a new user with the same password and login user.
Else login fail.
You know that if someone make typo he will create new account and will be mad that all of his/her stuff disappeared? When there is small amount of user then it isn't problem. But when your society will grow then it can make you some black-PR. You should rather check by AJAX call that there is user with that email/username/nick and if not then show the registration form, but on other hand this can be security issue if your users are signing in using non-public data like email or if username is different from nickname shown on your page.
Why would you want to skip the registration process? I don't see any benefits.
First, the user can enter the wrong username or password by accident.
Second, the user can enter the right username, but the wrong password. So he/she already is a registered user, but still get a new account.
Third, when a new user is automatically registered, how does the user actually now what his username or more importantly, his password will be?
Personally, why not just add "Remember Me" or "Forgot Password?" to your login form. If, for any reason, the user doesn't want to enter his login data or simply doesn't know his password required to login he can use these options.
Or, if you are working with permissions, why not just make a guest user if someone is not logged in?
What if they type in the wrong password or username on accident? Then you just automatically create them an account? IMO that would be a bad user experience. You either know your account or you don't. If you have an account and can't remember then you use the 'Forgot my ...'. If you don't have an account, then you go signup. You could implement oAuth and use accounts from a multitude of sites (i.e. Github, Twitter, Facebook, etc.) that would make it easier.

FormsAuthentication.Authenticate() Utility?

i can't see the utility of this function, because everybody save information about members on database and not in the web.config file, so we need all the time to write our own function to authenticate which checks if the user exists on the database with the corresponding password.
There are cases when you need to authenticate the user without asking him for the password. Here is the situation where I used it:
I have a website using the asp:Login control. I authenticate users using username and password on the click of the login button.
Then, I was asked to implement another type of login, parallel to the existing one (the user could choose), the one using OpenID.
So basically, after the email provider ensured me of the user's email, I automatically authenticated it without asking for username or password.
Something like:
if ((hasUsername(email)))
{
FormsAuthentication.SetAuthCookie(userName, true);
}

Devise sign in and sign up using single form

I'm trying to do the following: I have a page with a form for login and password.
Is it possible to use this form for both registration and authorization. For example i'm visiting the page for the first time and enter my email and password. Then if such email already exists i get an error, otherwise an account is created for me. Searching for the way of implementing this gave no results.
Does anyone know hot to make it possible?
This approach has one drawback: If user mistyped password then he would probably never login again. Solution - to use email for password recovery.
Other approach is to let user input email and while user will type password check if email is already in database. If it's not available then add password confirmation field to the form.
How to make it possible? Just program the necessary logic on server-side and client-side.

Resources