I have the sign-in with linkedin functionality working on my asp.net mvc site.
I noticed that when a user is already logged in to LinkedIn in the current browser that when I click the button to sign in with linkedin on my site that it automatically signs in to my site with the user that was already logged in instead of asking for a LinkedIn username and password.
Is there any way to ignore any already logged in users and ask for the username and password EVERY time someone hits the button to sign in with linkedin? I don't want anyone to be surprised about who they get logged in as... as I was when I accidentally added the wrong LinkedIn login to my account on my site because of this.
Related
We're building an app using ASP.Net Identity for authentication. We allow users to login using their Facebook or Google account. Or the user can create an account in our app.
We're implementing the password reset feature and came across an issue we're not quite sure how to handle. Say a user is using their social account to log in to our app. Should they even see the 'Forgot Password' link on our Login page, if they go there? It seems obvious this shouldn't even be an option for those users using their social account to log in, but we wanted to make sure we were not overlooking anything.
If a user goes to login page he is most likely not authenticated, so how will you know if to hide the 'Forgot Password' link?
In ASP.Net Identity a user can have a local login AND external account logins at same time, its built in. So if a user logged in with an external account press 'Forgot Password', the framework will create a local login for that user with a 'reseted' password (he will not reset the external login). That user will end up having to 2 ways to login in his account.
If that should be an option? In my opinion, it should.
How about change the password of the user if you have already collected the mobile number or the email id of the user so the reset password link can be sent to his/her email id and the password can now be reset.
Yes the user will be having two ways to login to the application.
Can an application check if anybody is logged into Facebook application in mobile ,if logged in get the user email Id from that and use it in their application?
To get a logged in users email address, you would have to authenticate with the API and the user would have to approve you using the Oauth workflow.
You can display a customized login / connect button using the Facebook API but if I recall correctly, that is an iframe that is embedded in your page, and you never see the email from that.
tldr; No. You need to authenticate using the Oauth workflow and have the user grant you permission.
First you have to authenticate user and then you can get logged in user profile information. For that you have to use Facebook API. Please check below link.
https://developers.facebook.com/docs/facebook-login/ios/v2.2
I am using the Facebook iOS SDK to allow quick sign-up of users in my app. Here is the flow:
User taps "Login with Facebook" button
Taken to Facebook app or Safari for login
Redirected back to my app
Show Sign-up for with pre-filled fields from FBGraphUser object
User creates account using data from Facebook
After they created an account, is it possible to authenticate with Facebook, and let them login to my app without having to enter the username and password they just created? How would the flow of that work?
Seems like I should be able to do the following:
User taps on "Login with Facebook" button
Authenticate with Facebook SDK
Return to app, and make a call to server, checking to see if there is a username matching the Facebook email
Allow the user into the app with no password, since they have authenticated with Facebook and have an account in our system.
Is this the correct way to do it?
That is very close. However, it is not enough to just check that the email/username is valid. It is strongly recommended to validate the token directly with Facebook as well.
See Use Facebook authentication token in API for a very similar concept and the Facebook docs about verifying token: https://developers.facebook.com/docs/graph-api/securing-requests.
I have implemented Sign in with Twitter on my web site using DotNetOpenAuth lib using asp.net mvc 3.
My problem is that every time the user click Sign-in with twitter it redirects him to a twitter page (even if he is already logged in to twitter).
I saw that sites like www.pinterest.com avoids this somehow.
How can I avoid the redirect to Twitter sign-in page if the user is already logged in to twitter?
This is called Sign in with Twitter. Redirect users to https://api.twitter.com/oauth/authenticate?oauth_token=xyz instead of https://api.twitter.com/oauth/authorize?oauth_token=xyz. If the user is has an active session with twitter.com and has previously authorized the application they will silently be redirected to the callback url.
How can I use both registerable and omniauthable modules in Devise?
Specifically I'd like to be able to let users do the following:
Register/login with email and password
Register/login with Facebook (via omniauth)
Attach or remove a Facebook account to their account so they can login with either their email or their Facebook account.
I don't know how to do 3 at all.
1 and 2 are done, but where it gets weird is if the user registered with a Facebook account, I don't need to show (or require) them to enter a password to update their profile.
So, how can I...
Let users attach a Facebook account to their current account so they can login with either.
If the user only signed up with a Facebook account, how do I hide (and not require) the password fields when editing their settings.
Let users attach a Facebook account to their current account so
they can login with either.
in the user setting page add a link to "link to Facebook account"
the link just drive the user through the normal Facebook authentication processes using the OmniauthCallbacksController, just make sure in your OmniauthCallbacksController facebook method you add some code to see if the user is already logged in and if he is you just add an authentication token for the user (I have a table that stores the authentication token for each user)
If the user only signed up with a Facebook account, how do I hide
(and not require) the password fields when editing their settings.
Take a look at this: https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password
Hope this help.
You might find this article interesting:
http://www.ruby-on-rails-outsourcing.com/2011/05/06/how-to-merge-facebook-account-into-existing-user-account-using-devise/
Just ran through this myself as I was looking into the same thing, and it worked great for me, but one additional note that is incredibly easy to overlook as it's barely mentioned in a single paragraph; don't forget to generate a migration to add facebook_uid to the user model.