Bottom line, I want to create a new provider for logging in to my web.
The big picture.
We are developing hybrid mobile application using ASP.Net MVC5 (with angular on front).
The entire application is based on web view except of the log in page.
The user can log in using his Facebook and Google account. This is done 100% by the native application (we have to do that way in order to invoke the mobile app and not the browser i.e open the Facebook/Google mobile application).
After the native application get the confirmation from the external provider it should log in to my website.
I had 2 ideas of doing it. The first was that the native application will send me(the ASP web application) the user email address (using Restful service) and some encrypted data, I will decode and validate it and if everything alright I'll sign in the user and return the authentication cookie.
The second idea was to do it in 2 steps, the native app will send the username and a token, then I (the ASP web application) will send back the token and receive an answer if the token is genuine and valid. If it is, then I will log in the user and return an authentication cookie.
In both ways I have 2 problems:
I don't know how to sign in a user with no username/password or Facebook/Google. How do I do it?
I don't know how to manually return authentication cookie.
The real problem is that until now I've only used the identity feature in the classic way.
Thanks from advance,
Shaul
Related
This is my first heavy task as a junior Rails dev so it might be a trivial. All the described applications work as microservices and my application can also be considered so
Rails app explanation
Rails 7
Ruby 3.1.2
Devise (API and web)
I've got Rails 7 app which is a single page dashboard with Devise to register/login users and show data from 3rd party API (let's call it main PHP microservice). User registration takes place outside the user's control via POST request from main PHP microservice to my Rails app. To login to the Rails app user needs to provide received SMS code each time. I need to implement that peace of login flow.
Problem explanation
The logging mechanism must include two factor authentication (2FA) which is handled by the main PHP microservice that sends an SMS (text message) with a code to login.
From a Rails side, when credentials (login/password) are correct a POST request is sent to the main PHP microservice to trigger 2FA. The main PHP microservice sends an SMS code (text message) to the user's phone which he later has to enter inside my Rails application.
So in a bullet points, the login flow inside my Rails app will be:
User provides login/password
If authentication credentials are correct, redirect to new window where the user must enter the SMS code they received on their phone
Login to the app when provided SMS (text message) is correct
3a. Trigger new 2FA process via POST request to the main PHP microservice and allow user to enter new code
What I was trying to use here is gem devise-two-factor but it use database to mark if 2FA is correct or not which I cannot use because one of the requirements of my ticket is not to use a database to determine whether 2FA is correct or not:
the gist is, username / password, and be able to set a cookie or add it to the session with the 2fa status for that session
Because a lack of knowledge, I cannot argue with this requirement and believe me, I tried.
Questions
From what I have read, to meet these requirements the safest way is to use an encrypted cookies. How to inject that to make it work with described devise login flow?
I visit an app that uses oauth social login
I choose say gmail; I get sent to gmail site
I log in to gmail and then get sent back to the app
When done with the app I log out
After step 4, even if I close the browser and open anew, visiting gmail opens my account straight away without prompting for a password. Keep in mind, I never let browsers save my password neither do I ever tick “remember me”
I’m not sure the average user will remember to visit gmail separately to log out; this would be disastrous on a public computer.
My question:
Is this a design flaw of oauth2 or is it an implementation flaw with the app in step 1 or is it an implementation flaw with google-login? Or is it technically impossible for the app in step 1 to log out of the social identity provider (in which case it’s not a flaw at all.)
The OpenID Connect core spec and the session management spec defines ways to both:
Sign the user out of an identity provider (link)
And force user re-authentication with the OP after a maximum
authentication age (max_age) has elapsed since last user
authentication. (link)
Trouble is I'm not sure if Google implement these things see this
I've tagged your question with OpenID Connect as authentication is not an OAuth2.0 concern.
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I'm designing an application that uses embedded Power BI reports that requires an authentication token from an Azure AD account to view the report.
On navigating to the page that holds the report, the user is directed to a Azure AD portal login, and once they enter their credentials they are redirected back to the correct page with a url that contains the access token. The token is then pulled from the url and used in displaying the report.
So my question is (seemingly) simple: Can I skip the navigating to another page and somehow hard code an Azure login into my app?
I'm not sure if this requires any of my code, as it's more of an abstract/general question.
But here is the redirect to the Azure AD login portal:
Response.Redirect(String.Format("https://login.windows.net/common/oauth2/authorize?{0}", queryString));
And here I fetch the code from the resulting URL after the user authenticates:
model.code = Request.Params.GetValues("code")[0];
Yes. AAD supports headless auth. Please see the example here: https://github.com/Azure-Samples/active-directory-dotnet-native-headless.
I'm building an iOS app with Rails on the back-end.
The Rails application uses Devise for authentication and I want to use the same service for the authentication on the iOS app. Is there any way that after authenticating, keeping the session even after the app restarts, so that it goes straight to the content of the app instead of the login screen?
I've looked around, but haven't found a clear answer.
Thanks on advance!
One solution could be to extend the existing devise models and controllers to also handle a token based authentication system. Based on the request type html or json, the app can choose to authenticate a user either by the authentication token and email or a combination of username/email and password.
The authentication token could could be saved on the client side and reset only when the user logs out.
I was recently working on the same problem and found these sources to be extremely useful.
https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
http://www.soryy.com/blog/2014/apis-with-devise/
https://github.com/lynndylanhurley/devise_token_auth