Password resets have been handled by a script. Now the server that the script was running on has been retired. I can't find where to set the password reset URL to the Gmail default. Any help would be appreciated.
The path the user takes is
settings => See all settings => Accounts => Google account Settings => security => password
This takes the user to a broken link.
In the Admin Dashboard choose
Domains
Click the hamburger in the top left corner
choose Security
choose Set up single sign-on with 3rd party IdP
Remove Change password URL
Click Save
I've set up my asp.net mvc app according to this sample and if you see that line in startup.auth.cs, it says that when the user clicks on "Forgot Password" link, it should redirect to my app at which point it should catch that error in the line 101 that I've linked to and then redirect the user to the proper reset password flow.
However, when clicking forgot password, the flow is never directed back to my app, but rather I see this screen:
Where can I check as to why this happens? Is this supposed to be in my sign in policy or is there some setting in application or tenant?
This happens if you enable development mode in your custom policy.
Either remove the lines, or set it to DeploymentMode:Production.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights
Just recently started using IdentityServer4 (IS4), playing around with samples and so on.
I have a setup where I run IS4 (using the included sample UI MVC) configured with Google as an external provider. I also have an API set up, as well as a client (MVC web app). When authenticating, and the user clicks "Google" in the "External Login" section, he/she is redirected to Google as expected. However, after supplying the username and password, I expected to see the Google consent screen, but instead I am redirected back to the consent screen in IS4. Why is that? Should the end user not give consent that his/her Google profile information is being accessed, on a page which clearly is from Google (i.e. HTTPS and Google's certificate)?
I acknowledge that since I am also requiring consent from the user to access my API I might end up with 2 consent screens (one for profile info from Google, and one for API access from my own IS4 configuration), but if I did not have an API in my setup and simply wanted to use IS4 in a federated setup to provide ID tokens, I would not have a need for the consent of my own API and thus would expect only to see the consent screen from my external providers (e.g. Google, Facebook, Twitter, etc.).
I have my external provider configured like this:
services.AddAuthentication()
    .AddGoogle("Google", options =>
    {
        options.ClientId = "<my client id>";
        options.ClientSecret = "<my client secret>";
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    });
Could someone please enlighten me :-)
Thanks
From Google's help:
To set up your project's consent screen and request verification:
Go to the Google API Console OAuth consent screen page.
Add required information like a product name and support email address.
Click Add Scope.
On the dialog that appears, select the scopes your project uses. Sensitive scopes display a lock icon next to the API name.
To select scopes for registration, you need to enable the API, like Drive or Gmail, from APIs & Services > API Library.
You must select all scopes used by the project.
When you're finished adding details to the OAuth consent screen, click Submit for verification.
A Verification required window displays.
Add scopes justification, a contact email address, and any other information that can help the team with verification, then click Submit.
Note: The consent screen settings within the console are set at the project level, so the information that you specify on the Consent screen page applies across the entire project.
So, what you need is to disable consent for your client in IdSrv and enable it in Google.
Additionally, as described in this answer,
By design, the consent screen is not shown in the scenario with account selection and profile/email scopes only requested..., since the account selection UI already shows the email and profile (name/picture) information that will be shared with the app.
As added by #Mike Wilcox:
When including a sensitive/restricted scope, if not verified for the scopes added, you will see a not verified screen during consent oauth flow. You can pass through by clicking advanced - > go to [app_name] (unsafe)
There is a playground: https://developers.google.com/oauthplayground/ where you can test this out. Click on the settings icon in the top right and then check the "Use your own OAuth Credentials" box to then enter your app creds. You can add scopes and test out there.
You don't have control when you redirect to external idp since it is a delegated authentication. I don't know how Google have implemented their OAuth flows but the following might be reasons as to why consent screen is not shown:
You are not requesting any scopes that require user consent
The user already gave consent to access to his/her info to your client (you should be able to check this in Google account pages)
Your client is configured to bypass consent screens (this is possible in IDS4 by setting RequireConsent flag to false, but I would doubt you can do this in Google as a 3rd party OAuth client)
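The two answers above amount to moving consent out of IdentityServer and into Google. The following C# fragment is an added example (not from the question or from the IdentityServer4 samples) showing both halves side by side: a client definition with RequireConsent turned off, and the Google provider asking for a scope beyond the basic profile set, which is what makes Google present its own consent screen. The client id "mvc", the redirect URI, the API scope "api1" and the specific Google scope are assumptions.

```csharp
// Added example, not the page's own code. Assumes an IdentityServer4 host where
// this is called from Startup.ConfigureServices and the client below is registered
// via AddInMemoryClients.
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class ConsentConfig
{
    // Client registration in IdentityServer. RequireConsent = false removes the IS4
    // consent page entirely; keep it true for third-party clients you do not operate.
    public static Client MvcClient => new Client
    {
        ClientId = "mvc",                                   // assumed id
        AllowedGrantTypes = GrantTypes.Code,
        RequireConsent = false,
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "api1"                                          // assumed API scope
        },
        RedirectUris = { "https://localhost:5002/signin-oidc" } // assumed
    };

    // External provider registration. With only openid/profile/email, Google folds
    // consent into the account chooser and shows no separate screen. Requesting a
    // scope that Google classifies as sensitive (calendar read access is used here
    // as an assumed example) triggers Google's consent screen, or the "unverified
    // app" interstitial until the project has passed scope verification.
    public static void AddGoogleExternalProvider(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddGoogle("Google", options =>
            {
                options.ClientId = "<google client id>";        // placeholder
                options.ClientSecret = "<google client secret>"; // placeholder
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Scope.Add("https://www.googleapis.com/auth/calendar.readonly");
            });
    }
}
```

Once the sensitive scope is registered on the project's OAuth consent screen page, the playground linked above is a quick way to confirm which screen Google shows for a given scope set.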
From various googling and reading https://www.jhipster.tech/security/#oauth2 , I gathered that in order to have mobile/social integration with JHipster generated app I should use OAuth2. Am I right to think this way? (I can't seem to find a clear cut answer to this)
I created a new application with JHipster v5.1.0 with OAuth2 enabled. I noticed a couple of features missing with regards to user management. Below are my questions.
How does a new user register a new account?
How does a user change password / reset forgotten password?
Hopefully someone with experience on the above can help clarify.
Thank you in advance.
For social login, yes your best option is OAuth 2.0. You can use JWT for mobile development with React Native (via JHipster Ignite) and Ionic (via Ionic for JHipster), so it's not necessarily required for mobile.
For user registration and change password, you'll need to enable those options in Keycloak or Okta. This blog post shows you how.
To summarize:
For Keycloak, you can enable registration by navigating to http://localhost:9080 and click on Administration Console. Login with admin/admin and click on the Login tab. This screen allows you to enable forgot password, remember me, and verify by email as well.
To enable self-service registration in Okta, you’ll need to navigate to the Classic UI from the Okta Developer Dashboard. There’s a link to toggle between the two in the top left corner of your screen.
Then navigate to Directory > Self-Registration and click Enable Registration. Set the default group to ROLE_USER, the Default redirect to a Custom URL with http://localhost:8080 as its value, and click Save.
NOTE: If you get an error that says 'http://localhost:8080' is not a valid redirect URI, it’s because you need to add http://localhost:8080 as a trusted redirect under Security > API > Trusted Origins. After making this change, navigate to Directory > Self-Service Registration and edit the settings to configure the custom URL again. It should work this time.
I just added security to Jenkins.
Jenkins’ own user database enabled
Matrix based security configured
Now I'm configuring and installing the Role matrix plugin.
In case someone wants to change his password he just has to log in, click on his user configuration and change his password, but what if they forgot their password or if I want to change their username?
What is the standard procedure to follow by the administrator in order to reset or change his password, or at least delete and recreate the user?
What if the admin wants to change a username? Is there any standard way to do it?
Thanks
If you are the admin you can change password of any user through
'People' --> 'Select_any_user_listed' --> 'Configure' --> 'Password'
Just erase the old password and write a new one there.
If you want to delete a user go to:
'Manage Jenkins' --> 'Manage Users' --> 'press the red button corresponding to the user'
or go to this url:
http://<jenkins.url>/user/<username>/delete
I am using LDAP mode of authentication and have written web service and clients to enable gerrit users to reset their passwords should they happen to forget it. For that, I added the following line into gerrit.config file:
[auth]
httpPasswordUrl = http://domain.com:port/Register/ChangePassword
However, this link is not visible anywhere on gerrit, either before login or post login. Can someone guide me on how to make this link "visible" to one and all (users)?
This link is displayed in the Settings -> HTTP Password screen. So this link cannot be used for users who forgot their password. I don't think there is an option to display such a link for non-logged-in users.
A possible solution would be displaying a custom footer / header which adds this link: https://gerrit-review.googlesource.com/Documentation/config-themes.html#_html_header_footer