We are using OAuth in our apps to login to repositories such as Google Drive, OneDrive and Box.
We allow the option for the customer to create a default user, so we use login_hint parameter to pre-populate the default user. Since the box with pre-populated username is editable, if the customer decides to modify the username, and tries to login with a different username the page is reloaded with the default username again, instead of logging in. On the second attempt the user is able to login with the new username.
Is this a known behavior? I would expect the user to be able to login the first time. This also works inconsistent, sometimes user is able to login with modified username from the first attempt.
Related
We are tracking a forgot password workflow action using adobe site catalyst. The flow happens something like below
User requests for forgot password
He provides the email address and clicks on create new password
New password generation like is send to his email address
User clicks on this link and generates a new password
First 3 actions occurs in the same browser. The 4th activity can occur in the same browser or a different browser. Because of this, site catalyst considers that user as a different one (different visitor ID) and considers that as a totally different visit. Ideally the number of users who completes activity 4 should be less than that completes 1,2,3.
But for us, we are seeing more users who completes activity 4 which could be because of this different visitor issue.
Can someone please suggest a better approach to solve this?
You might want to try overwriting the Visitor ID.
I do not know how your site works in the backend, but generally, and theoretically (as I have yet to be asked by clients on to implement this):
Extract the Visitor ID when the user provides the email address and clicks on create new password. You might want to check the appendVisitorIDsTo (Cross-Domain Tracking) function out and see how the Visitor ID query parameter is implemented.
Send the Visitor ID along with the email address to your backend controller that spits out the template forget password email.
In the template forget password email, append the extracted Visitor ID as a query parameter in the reset link.
In DTM (if you are using DTM), modify your Marketing Cloud Visitor Service tool enable this configuration: overwriteCrossDomainMCIDAndAID.
When the user clicks on this reset link, the Visitor ID should be the one that is initially created for the user.
You might want to read this answer as well.
Sometimes when a user logins into a site with Google's OAuth 2.0 they choose the wrong account to login with. Normally this isn't a problem if the user has more than one account registered with the browser, google will automatically show the user select screen:
But if a user has only one account and is logged in, this screen is skipped. Instead I need Google's sign in panel to always appear, so that I can be sure the user has the option to try and enter the correct account. I tried using approval_prompt = "force", but that forces the acceptance of permissions rather than simply showing the login page.
How can I force Google's OAuth 2.0 to always show the login screen?
(and never automatically skip it)
Add the parameter prompt=select_account to your authorization request.
This will cause the account chooser to always be shown, even if the user is only logged in to one account. Users will be able to select from their accounts, or add a new one.
For example: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile+email&access_type=offline&prompt=select_account
I got the SSKeyChain working and tested that what is retrieved is same as what was previously stored. I am conducting all of this in the login action when user presses the button. I want to know if what I am doing is correct or not (illustrated in steps below):
User launches application for first time, landing page has creating account or logging in.
User provides logging in credentials and presses the button
In the body of the action, I take the parameters query database (HTTP) and if response is valid, user proceeds. If not, user requested to re-enter credentials.
Once and if user login successfully, I will use SSKeyChain to store his credentials (but what use are these credentials for me in the future?)
What I am really asking is: what is the use of SSKeyChain in above scenario? Also if the user login successfully, where am I going to store his credentials (is it via SSKeyChain) so that next time he will skip the login screen (like facebook, twitter apps).
In a ASP.NET MVC application, is it possible to log someone out, if the login credentials is used on another web client?
For e.g.,
1) user login from PC A, with user id admin
2) another user logs in with user id admin from PC B
3) PC A gets signed out
I would look at setting a token on the client cookie. This token can be checked for subsequent calls and if it doesn't match then kick the user off.
So, in terms of a use case...
Create a table - LoggedInUsers that has, say, the UserID, Token
When user logs in on browser A you can check against the LoggedInUsers table to see if they are currently logged in and have a matching token. If they don't exist, then create a token and store it in their cookie and add the entry to the table. If they are in the table and do have a matching token then they are the same browser. If they are in the DB but the token doesn't match then you choose whether you want the new user to have their token overwrite the existing one or prevent logging in.
now ever page call should check the LoggedInUsers table so you can log the user out if they are logged in via another browser.
Hope that makes sense...
i can't see the utility of this function, because everybody save information about members on database and not in the web.config file, so we need all the time to write our own function to authenticate which checks if the user exists on the database with the corresponding password.
There are cases when you need to authenticate the user without asking him for the password. Here is the situation where I used it:
I have a website using the asp:Login control. I authenticate users using username and password on the click of the login button.
Then, I was asked to implement another type of login, parallel to the existing one (the user could choose), the one using OpenID.
So basically, after the email provider ensured me of the user's email, I automatically authenticated it without asking for username or password.
Something like:
if ((hasUsername(email)))
{
FormsAuthentication.SetAuthCookie(userName, true);
}