We are trying to use Google's OpenID Connect for a business web app but are concerned that the user will leave the app open and an unauthorized user will sign-in because the user is still signed into Google so OpenID Connect just let's them right in.
We've tried using max_auth_age=0 parameter. This has been replaced by max_age in OpenID Connect.
I do see that Google App's control panel at admin.google.com does usually re-prompt the user for a password while any other login won't. But looking at the authorization URL I don't see anything that would be triggering this to happen.
Here is our current authorization URL:
https://accounts.google.com/o/oauth2/auth?prompt=select_account&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww....com%2Fauth%2Fuserinfo.profile&state=%2F&redirect_uri=https://www.foo.com/callback&response_type=token&client_id=...
Perhaps if we added a certain scope that could trigger Google to go into high security mode, but I haven't found anything so far.
There's no way to control re-authentication as indicated in: Google OpenID Connect: Receiving a 500 error when supplying the "max_age" parameter to an authentication request nor step-up as recorded in: https://groups.google.com/forum/#!topic/google-federated-login-api/KT6pSp4VNaQ
Related
I attempted to ask this question before, but after some research, I have distilled down and reworded the question a bit better.
Two things about our set up:
We have a Connected App for pulling data from the chatter_api.
We have an Auth Provider (OIDC) in Salesforce.
During our app's oauth authorize flow, if the user is not logged into Salesforce, a login screen is presented. That's expected behavior, of course, but we want to be seamless and skip the login if possible.
In our scenario, most of the time, the Salesforce user session will not yet exist. But the user WILL be logged in at our Auth Provider. Login screen even shows "Or log in using: <our Auth Provider>". My question is, can we somehow configure our authorization flow to automatically attempt SSO and skip the login screen (assuming successful SSO)? Any other ideas?
Try to do it in another area,not in connected app. Setup->My Domain, scroll down to login options and leave only the SSO checkbook.
From now on navigating your branded login page (mycompany.my.salesforce.com) should auto redirect you to your Auth provider (and if you have valid session - back to sf). You'll still be able to use sf username & password on generic login page (unless you blocked it in My Domain) and by "hacking" your way to the mycompany.my.salesforce.com?login url
I'm a bit of a salesforce / web noob, but am testing out the customer 360 external identity licences, along with customer users. My main goal is to authenticate a customer user using OAUTH, get an access token, then use the Salesforce web APIs to access some relevant bits of info for the customer user. However I just can't seem to figure out how to get the customer user authenticated despite being able to do the same just fine for my personal admin user account.
I have the following setup:
a bunch of external identity licences
a profile with the external identity user licence assigned, with the API enabled setting checked.
a connected app setup with relaxed IP restrictions set, all users may self authorize set, OAUTH settings enabled, device flow enabled, and the full access OAUTH scope selected.
an end customer contact with an associated end-customer user, assigned to the external identity profile and thus external identity user licence.
And I'm POSTing to the test token endpoint (https://test.salesforce.com/services/oauth2/token).
I've tried two auth flows, password and device flow for IOT as I want to integrate this with a command line app (which the IOT flow is good for apparently), and while both succeed for my personal salesforce user credentials, they both fail for my test user account credentials.
The server response for the password flow is as follows:
{
"error": "invalid_grant",
"error_description": "authentication failure"
}
End-customer users don't appear to have a security token so I've just been using the password on its own. I can't seem to find a way to generate a security token for these types of users but suspect this could be the issue for this flow.
When trying the device flow the returned verification uri is always https://test.salesforce.com/setup/connect but attempting to login on this page as the customer-user fails with this error:
Please check your username and password. If you still can't log in, contact your Salesforce administrator".
I am definitely providing the correct customer user credentials here so have no idea why this fails.
Does anyone have any ideas on how to get this working?
#eyescream nudged me in the right direction so here's the solution for anyone in the same position as me.
Authentication of external identity customer users is not done using the normal OAUTH REST endpoints (https://test.salesforce.com/services/oauth2/token or https://login.salesforce.com/services/oauth2/token).
Instead you have to setup an experience cloud site, add your customer user profile to the sites list of member profiles, then authenticate using a site specific AUTH endpoint.
For example, if your experience cloud URL is https://sandboxname-companyname.instanceid.force.com, then your OAUTH token endpoint would be at:
https://sandboxname-companyname.instanceid.force.com/services/oauth2/token
Extra things to note:
customer user accounts cannot authenticate using the username-password flow.
the device flow for IOT (or command line apps) will return a verification URL that customer users cannot log in to (https://test.salesforce.com/setup/connect). You can instead use the experience site connect URL (https://sandboxname-companyname.instanceid.force.com/sitename/setup/connect)
We have a desktop application that requires the user to login. We're using OIDC (Auth code with PKCE) to do the login. I'd really like to be able to launch a browser and go to our website and log the user in automatically without resorting to anything dodgy.
From my understanding of OpenID Connect, I'm pretty sure this can't be done. Am I correct, or is there a mechanism I've missed?
This should work fine if the user has a valid session cookie with the OpenID Provider (OP) in the browser. There's no need to send something to the browser, as the user is already authenticated there.
When subsequently your native app requests authorization, the OP can authenticate the user based on the existing session, provided that request parameters like prompt, max_age and acr_values allow for that.
Context:
I am implementing a Single-Page-Application using Auth0's implementation of OpenID Connect Single Sign-On with Google as my identity provider.
Browser is Chrome v59
auth0.logout() below refers to the auth0-js library which is included in my app as a dependency of the auth0-lock library. My webpack config is pinning auth0-lock to v10.18.0.
Problem:
When logging out, if the user doesn't want to be logged out of their Google sign-in session, I execute this code:
auth0js.logout({
returnTo: "http://localhost:8080"
});
This works fine, logs the user out of their Auth0 sign-in session, redirects the browser to localhost and the Google sign-in is left intact (user can re-authenticate with my app using Google creds without having to enter login details).
If the user explicitly indicates they also want to be logged out of their Google sign-in session as well, I execute this code:
auth0js.logout({
returnTo: "http://localhost:8080",
federated: true
});
The "sign out" part of this works, the user will be logged out of both the Auth0 and Google sign-in sessions. But the browser ends up being redirected to the Google account page (where google will ask them for their credentials, since they were signed out of their Google session).
Question:
Can anyone provide an idea on how I can force the Google-logout flow redirect back to my app instead of the Google account page? Or is this something that Google is doing on purpose (i.e. there is no way to get Google federated sign-out to redirect to my app)?
Unfortunately, the returnTo URL available for some connection types is not available for Google social connections.
I am trying to support "Hybrid" Federated Login and oAuth2 (using logic from this document) for a webservice which will:
support Sign in using your Google account on my site. That is, from the documentation: You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.
Access the user's Google Analytics.
Here are the steps I have done.
I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
I Get redirected to google where it has my icon and which scopes I am requesting access to. I grant access.
I get redirected back to the callback page.
I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns a id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.
Question: If I go to Authorized Access to your Google Account section in my Google account, it shows that my site has access to "Google Analytics. BUT, it does not say Sign in using your Google account. This is what I am trying to accomplish. I would have thought using the logic would enable Sign in using your Google account. What am I doing wrong? And what would be the applicable call to google so that users can sign in to my site?
If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) only for sign-in.
Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.
If you are asking how to identify user for future logins, you have two options:
Mix OAuth with OpenID, that is called Hybrid. I have described it on this answer.
Use userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described on Google OAuth 2 documentation.
If you mean automatically login to your web site in future visits you can use OpenID "immediate mode" (openid.mode parameter).
When the user is redirected back, you call the second request from your own (server-side?) code, and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, so by clearing the session/cookies.
Add this paramter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force and then the Sign in using your Google account will always show regardless of whether the user was already signed into that or any other account.
So the call would be like this https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force