Are there any unique and unchanging tokens available to me from Facebook and Google?
Once I get the tokens and user information back from Oauth login, it is then up to me to search my database for a user with that email and create an account if it does not exist.
The problem is, even if the oauth token and therefore email is authentic, I still want to use a second token in the database query when I look up the users.
Do Google and Facebook have any unique ID fields that I can bundle with the email when I create users to aid in the security of my login process?
p.s. I am using Mean stack and passportjs if there are any known validation or token generation packages that might help me.
Thanks.
Both providers expose a unique user ID.
Google documentation:
[...] you can safely retrieve and use the user's unique Google ID from the
sub claim.
To retrieve the Facebook user_id, make a call to:
https://graph.facebook.com/me?fields=id&access_token=xxx
Related
Me and my team are developing an API to secure files,in that API we need Onedrive(cloud storage).we integrated Onedrive using MicrosoftGraph authentication as shown in the below link.
enter link description here
The thing is when i try to authenticate and sign in to pesonal account it works but for organisation account i'm facing the issue as shown in the below
We have recieved a bad request.****(AADSTS165000: Invalid Request: The request tokens do not match the user context. Do not copy the user context values (cookies; form fields; headers) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Token values do not match;])****
pls help me technically.
Your token does not match the user context. This is because although you are logged in to your organization account, the token you use is still issued by your personal account.
The access token is unique. If you need to log in with an organization account, then you must set the organization account as the token issuer. You need to log in with your organization account to obtain a new authorization code, and then use the authorization code to obtain the token again.
I am building a website that uses OAuth2.0 and OpenId-Connect (of some third party vendor) to authenticate user.
Before redirecting the user to the vendor's OAuth page, I am not asking the user to enter a unique UserID on my website, I was thinking of using the user's emailid that I receive as a part of IDToken after the Authorization process is done, as the user's User Name(unique identity) for my Website.
But the OpenID specification here
https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
says that emailid is optional and may not be returned.
So the questions is, is it a standard practice to ask the User to provide with a unique name (that I can use as user's identity on my website), before I initiate the OAUTH/OpenID-Connect process?
The sub claim must be unique per issuer. Required Claims will always be present. You can use the iss + sub to uniquely identify users.
To add more information, every OpenID connect provider need to provide a /userinfo endpoint to fetch the users information using access token.
here is the specification
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
Best reference for my question is Getting the user profiles from ADFS3.0 which shows the token ADFS OAuth is returning. My problem is that there is no GUID in this token. UPS are always emails, which can be assigned and changed. I need a GUID that would uniquely identify one user for now and later. If I search LDAP there is a GUID for a user entry. So my question is : is it possible to get that GUID in the OAuth token?
Thanks,
-Jayant.
There are different end points in Identity server. One of the end point is UserInfoEndpoint which actually contains user information. And also it is not safe to get the user information in the Access Token by itself as the user information can be leaked if the token is used by someone else.
You can use the access token to query the userinfoEndpoint and get the user details. Also you can ask for permissions to access this information and when needed you can use the access token to get the GUID.
Is the GUID is the SubjectId that is unique for the user? Cause I think in any Identity server they have SubjectID unique to user.
I have a web app that lets users sign in their twitter account. It also creates a user profile on my database as well and I need save their tokens so I'd have a unique Id. I plan to one way encrypt the tokens like passwords for security sake. My question is do I need to save the pair or just one of them will suffice as a unique Id?
Thanks.
I am trying to support "Hybrid" Federated Login and oAuth2 (using logic from this document) for a webservice which will:
support Sign in using your Google account on my site. That is, from the documentation: You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.
Access the user's Google Analytics.
Here are the steps I have done.
I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
I Get redirected to google where it has my icon and which scopes I am requesting access to. I grant access.
I get redirected back to the callback page.
I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns a id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.
Question: If I go to Authorized Access to your Google Account section in my Google account, it shows that my site has access to "Google Analytics. BUT, it does not say Sign in using your Google account. This is what I am trying to accomplish. I would have thought using the logic would enable Sign in using your Google account. What am I doing wrong? And what would be the applicable call to google so that users can sign in to my site?
If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) only for sign-in.
Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.
If you are asking how to identify user for future logins, you have two options:
Mix OAuth with OpenID, that is called Hybrid. I have described it on this answer.
Use userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described on Google OAuth 2 documentation.
If you mean automatically login to your web site in future visits you can use OpenID "immediate mode" (openid.mode parameter).
When the user is redirected back, you call the second request from your own (server-side?) code, and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, so by clearing the session/cookies.
Add this paramter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force and then the Sign in using your Google account will always show regardless of whether the user was already signed into that or any other account.
So the call would be like this https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force