We're building an app using ASP.Net Identity for authentication. We allow users to login using their Facebook or Google account. Or the user can create an account in our app.
We're implementing the password reset feature and came across an issue we're not quite sure how to handle. Say a user is using their social account to log in to our app. Should they even see the 'Forgot Password' link on our Login page, if they go there? It seems obvious this shouldn't even be an option for those users using their social account to log in, but we wanted to make sure we were not overlooking anything.
If a user goes to login page he is most likely not authenticated, so how will you know if to hide the 'Forgot Password' link?
In ASP.Net Identity a user can have a local login AND external account logins at same time, its built in. So if a user logged in with an external account press 'Forgot Password', the framework will create a local login for that user with a 'reseted' password (he will not reset the external login). That user will end up having to 2 ways to login in his account.
If that should be an option? In my opinion, it should.
How about change the password of the user if you have already collected the mobile number or the email id of the user so the reset password link can be sent to his/her email id and the password can now be reset.
Yes the user will be having two ways to login to the application.
Related
I'm developing an iOS app with a server-side component. Users can create and login to accounts with an email/password combination. I'm also building in an option to alternatively login via Facebook. If the user logs in via Facebook I will need to create an account for them using the email we get from Facebook - but what do I do about the password? The server obviously requires a password to create an account. Should I use something like their Facebook user ID as a password (doesn't seem secure), do I force them to create a password? What's the standard practice here?
You can set a button text or alert saying "Use Facebook data for Registration".
After clicking on the button, you can redirect the user to the registration screen.
Fill up all the data with his facebook data then leave the password and confirm passwords blank to let him choose his password.
Trying to use his personal Facebook data as password may be the cause for rejection of your app on Appstore.
I have the sign-in with linkedin functionality working on my asp.net mvc site.
I noticed that when a user is already logged in to LinkedIn in the current browser that when I click the button to sign in with linkedin on my site that it automatically signs in to my site with the user that was already logged in instead of asking for a LinkedIn username and password.
Is there any way to ignore any already logged in users and ask for the username and password EVERY time someone hits the button to sign in with linkedin? I don't want anyone to be surprised about who they get logged in as... as I was when I accidentally added the wrong LinkedIn login to my account on my site because of this.
Users can register an account on my site via the default authentication method that requires a username, email and password.
To allow users to login via facebook, I am using the facebook gem with Omniauth gem.
Existing guides shows me how to authenticate the users up to the point where they can confirm their details ("is your first and last name correct?") before successfully tying the uid and provider to the user record.
However, it does not check if the email is the same.
Does anyone know how to check if the email is the same and if it is, request the user to provide their password to the account already registered on my site either on the same screen for confirming user details or a new screen with just a password field and a message indicating that he needs to confirm he owns an account on my site with the same email facebook provides.
Should this be done on the model or controller layer? How would you go about doing this?
How can I use both registerable and omniauthable modules in Devise?
Specifically I'd like to be able to let users do the following:
Register/login with email and password
Register/login with Facebook (via omniauth)
Attach or remove a Facebook account to their account so they can login with either their email or their Facebook account.
I don't know how to do 3 at all.
1 and 2 are done, but where it gets weird is if the user registered with a Facebook account, I don't need to show (or require) them to enter a password to update their profile.
So, how can I...
Let users attach a Facebook account to their current account so they can login with either.
If the user only signed up with a Facebook account, how do I hide (and not require) the password fields when editing their settings.
Let users attach a Facebook account to their current account so
they can login with either.
in the user setting page add a link to "link to Facebook account"
the link just drive the user through the normal Facebook authentication processes using the OmniauthCallbacksController, just make sure in your OmniauthCallbacksController facebook method you add some code to see if the user is already logged in and if he is you just add an authentication token for the user (I have a table that stores the authentication token for each user)
If the user only signed up with a Facebook account, how do I hide
(and not require) the password fields when editing their settings.
Take a look at this: https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password
Hope this help.
You might find this article interesting:
http://www.ruby-on-rails-outsourcing.com/2011/05/06/how-to-merge-facebook-account-into-existing-user-account-using-devise/
Just ran through this myself as I was looking into the same thing, and it worked great for me, but one additional note that is incredibly easy to overlook as it's barely mentioned in a single paragraph; don't forget to generate a migration to add facebook_uid to the user model.
I have recently implemented login to my via facebook connect. So now users have 2 ways of logging in to the site. The old way of registering an account and the new way (facebook connect).
One thing I would like to do is link a new facebook connect user account to existing accounts if they logged in the old way.
Has anyone had any success doing this?
Very good question I think and lots of people will benefit from an answer.
What you need to remember is that accounts are only linked so long as they are authorised to be linked through Facebook. What you should do is maintain a second table of linked accounts in your database so that you know who is who and if they are linked with Facebook.
You should read this integration comment, it provides a lot of useful information.
http://crazyviraj.blogspot.com/2010/01/test-cases-for-basic-facebook-connect.html
It doesn't really say how to do things, but it makes sure you tick all the boxes of what you should be doing.
ie:
Sign Up should fail if the user denies
permission to the app (category: sign
up)
Since we need access to an email
address, Sign Up should fail if the
user provides publish permission but
denies email permission (category:
sign up)
If the user provides an email address
that already exists in your system,
fail Sign Up. Make sure no YouFace
backend tables are modified (category:
sign up, 1:1 mapping) PS - when this
happens, I didn't find a way for you
to de-authorize YouFace on the
Facebook user's behalf. The user must
manually do this if they wish you use
the same account but provide a
different email address.
Accounts created using Facebook
Connect should not be able to login
using YouFace's default email/password
login system (category: sign in,
account security). PS: Since YouFace
accounts require a password and those
created using Facebook Connect don't,
make sure to insert a random password
hash into your table to avoid silly
errors
Accounts created using YouFace should
be able to sign in without requiring
to be signed into Facebook, even if
when a link to a Facebook accounts
exists (category: sign in)
Any many more
You should be asking for permanent access through fb connect authentication. Once you've done that, you'll get a token which gives your permission to access someone's Facebook information, and that token will not expire unless the user explicitly removes you from the permission list or changes his/her password.
Once you have the token, associate that token with the user / create a new field in your user table to store it.
To associate the user with a Facebook account without the user logging in, you can try to match by email. It's not 100% accurate but it's pretty good. Facebook doesn't give you email addresses in text form but you can get email hashes from FQL. Since you already know user email addresses, you can calculate the hash for all of your user emails and search through your user base for matches every time a new Facebook Connect user signs up.