This document states:
Note: even if you include the name or email scopes, nether will not be included as claims in the token which Azure AD B2C receives from Apple. Apple provides these values in a non-standard way as part of the authorization response payload. Azure AD B2C will not be able to read these values and you should collect them from the user separately if needed.
Is this information still up to date? (Document seems to be older than 1 year). Are there any plans to facilitate this?
Does this actually mean that it is not possible to use Apples Private Email Relay Service in conjunction with AADB2C or is there an other way to contact users using Sign In with Apple through email? (I'm aware that I can query the email from the user with a simple text field as a last resort.)
Unless Apple provide these values in the standard way (e.g OIDC) the guidance is still correct.
AFAIK you should receive an email address back from Apple -- it will be the actual email of the user if they choose to share it with the app, otherwise it will be the one with the relay service address.
Related
We currently have a solution where we implement 2FA ourselves over Twilio Programmable SMS.
We're also using Twilio Verify for Payment PSD2 authorization.
We're now looking to migrate everything to Authy to make use of the Authy app and I have the following questions that I'm hoping you can help me with.
User Migration. I understand in authy, users need to be registered to our application. How can I register all our current users? Is there any way to bulk upload them, or do I have to write a script that calls the API to register them one by one?
User Number phone update. Sometimes our users will update their phone or email in our system. If that happens, how do I update that info in Authy? I couldn't find anything in the docs about that. Do I need to call the api to remove the user and readd with the new info?
Migrating from Verify PSD2 to Authy PSD2. Is the implementation very different? Is there any sample I can look through, as the documentation seems to mainly be talking about QR codes, while what we want to do, is to send it over SMS or Authy depending on the user's choice.
Thanks for your help
Sam
Twilio developer evangelist here.
You will need to write a script to register your users. When you have registered a user, you will receive an authy_id for the user, which you will need to store with your user record.
If a user updates their phone number then you should update the Authy user. To do so, you will want to delete the old user and re-register with the new phone number. You will then receive a new authy_id and you should re-confirm the user can authenticate by challenging them for a new code before you complete the update. If the user updates their email then you can do the same process of deleting and creating a new user though you should receive the same authy_id back if the phone number hasn't changed (though this will add the email address to Authy's representation of the user).
Check the documentation on PSD2 compliant authentication with Authy here. If you are sending SMS messages, then you should set the action and action_message parameters, which tie the message to the authentication. For the app based authentications you can do it via Push Notifications (in which you can include transaction details in the push). If you don't want to implement push, then you do need to get your user to scan a QR code in order to tie the transaction to the authentication (the regular code generated by the app is not connected to a transaction, so is ineligible for PSD2 authentication).
Let me know if this helps at all.
I am using google's oauth2 to allow users to register/login into my site (php library). The first time a user attempts to login I get the user's email address and google+ id which are provided by the Google OAuth2 API (with the user's permission).
In a different part of the site I need some information from the user's youtube channel. I am using the incremental authorization to get the extra permissions as it is recommended (and described here: https://developers.google.com/identity/protocols/OAuth2WebServer#incrementalAuth ).
The problem is that I don't have a unique identifier for the user between the calls, in order to keep track of him/her in my side of the application. A user, for example might have multiple youtube channels and each one can be associated with a different google+ account/id and a different email address, which most of the time is not a real address but a provided email with the format 'username-XXXX#plus.google.com'.
I was wondering if google's apis can return a unique identifier for the 'parent' account of a user across different apis.
Thanks in advance.
I have Rails web application.
I have simple user's authentication with email and password.
Now I need to add OAuth authentication with Google, but I need to allow only users that use Google Apps. Is there any best way to do it or I just need to check their domain and allow all except #gmail.com?
Notice: I've already seen documentation about specifying hd URI parameter, but it works only for some specific domain, and I need any, but not #gmail.com.
Include email in your list of OAuth scopes. Then, in the token you get back, there will be a hd attribute if it's a Google Apps account. If the hd attribute is not present, its' a consumer account. Be aware that it's possible to create a consumer account that has an address of something other than #gmail.com or #googlemail.com. For example, I can create a consumer account with the address jsmith#yahoo.com or jsmith#acme.com as long as I can get email to those addresses. Thus the need to check hd instead of depending on the domain name.
Suppose I have an email address that only receives a specific type of email, i.e. an automatically generated receipt email from a transaction.
I would like to build an iOS app to receive the email text from this email address and parse according to a predefined format and display the results. Is it possible to do this without dealing with the email server directly from the app?
Meaning can I for instance piggyback off the native mail client (assuming it is set up to receive pushed email sent to the email address). I tried looking through Apple's docs for iOS but could not find anything useful. Anyone know of something?
3rd party apps have no way to integrate with the Mail app or to make use of any configured mail account the user has setup on the device.
However, you can write an app that can access external email accounts if the user provides all of the usual email account details. The App Store has several 3rd party mail apps that serve as replacements for Apple's Mail app.
If your app is written to work with a specific email account, and not one entered by the user of the app, then you can hardcode all of the account details in the app.
Your app is basically a run of the mill email client. You just have to know how to access IMAP or POP3 accounts, retrieve the emails, and process them as needed.
Again, there is no way your app can intercept or make use of any emails accessed by any email accounts the user has setup for use with the standard Mail app.
There are at least two aspects to your question:
How do I get an email to open in my iOS app?
Put the data in an attachment and see this link
What format can I use in an email attachment to transport persistent
objects?
I've had decent results with NSKeyedArchive as an interchange format. There are lots of other choices, depending on what generates the receipts attachments.
Post a followup with your choices. Good luck!
I am using Twitter as an OAuth provider for ASP.NET MVC 4 web site. I would like to be able to follow up with a registered user at a later date, either by email or via a tweet. Outside of having the user follow me on Twitter, do I have any other options to communicate with the user?
Here is what I unsuccessfully considered:
It appears that there is no way to get access to the email address since Twitter OAuth API does not return it.
It appears I cannot send a direct message unless a user
follows me on Twitter.
"Read/Write/DirectMessage" permissions seem
too intrusive -- all I want to do is send a user a message that a
new product is released -- I don't need any of the write
capabilities that this level of permissions provides.
To recap, if a user used Twitter to sign in to my website, what are my options to contact that user at a later date?
Thanks.
Twitter's solution for this sort of person-to-person communication is the Direct Message, however, Twitter has (rightfully) decided that both parties need to consent to this channel being available. This decision is intended to reduce the amount of spam in the Twitter ecosystem.
Posting public tweets that mention the username will get your users' attention, but it is also broadcasting their relationship with your company to the entire Twitter ecosystem. You will, essentially, be advertising their relationship with your company without their permission. This approach will bring you headaches sooner or later.
Email is probably a better choice for the sort of announcement to existing customers.