I'm using owin authentication on an ASPNET MVC project. When using google I have the following problem:
1- The user signs in with the google account
2- The user signs out
3- The next time the user tries to sign in, the current google account is automatically used to sign in again without prompting the user is he wants to use another account.
Question: How can I, using the owin google authentication, prompt the user if he wants to use the current account or use a different one?
Thanks
If you are using external login provider (Google in your case) to sign in to your application, then your application will get authenticated by third party provider (Google in your case).
After successful registration asp.net identity framework store provider key return from third party provider in AspNetUserLogins table which will be used when sign in next time.
But the user sign out from your application does not means that the user sign out from Google. Because of that if you are using the same browser which is already authenticated for your Google account will allow you to login to your application using the already authentication Google account.
There is no simple out of the box option in Asp.Net identity framework to sign out from both external provider (Google) and your application when you are calling sign out in your application.
You have to call Google API to sign out from Google account when you are calling sign out in your application in order to achieve your requirement.
You can see this work item to get more details on this.
Related
We have a system that is using its own authentication system and I need to make it use our Google Workspace accounts to integrate with Google SSO so that when the user gives their credentials to the webpage, it will be authenticated in both google account and on our web app account.
Google default workflow redirects the user to its own form, so we have the problem of the password not being passed to our server.
Crossed my mind the fact that this would be too insecure to exist, but remember that all users that would log in to our website would have an account created in a workplace totally managed by us.
how could I auth the user this way?
Why not use "Sign-in with Google" -> OpenID Connect to access to the website. That way it will authenticate with Google.
Or add the website as a custom SAML application in the Admin console, and use Google as the IDP since the users will be provided by your organization.
We are currently working on an Angular node application which uses WSO2 Api Manager and Identity Server . The current mode of login is done through emails which gets saved as WSO2 Carbon users . We need to allow users to login using their google or facebook accounts using OAuth2. I have implemented the code for fetching access token,refresh token on login through google on click of a button from my app . But How can i link it to save this user as a user in our application's identity server . I found the below link which helps in the process: https://docs.wso2.com/display/IS570/Logging+in+to+an+Application+Using+Google#50629d9a6ddf4769ae2d8953c5a25645 .
Can anyone suggest me whether this one would help ?
I would like to know how the google account user details will be saved as a user in our identity manager ?
Is it possible ? If possible, what all data will i get from google ?
I assume that you have already done the configurations for the communication between your application and the WSO2 Identity Server according to the description in the question.
From the description, I'm not certain that you have done the configurations to federate the login to Google. Follow the below steps if you already haven't done so.
Generate OAuth client ID from the google developer console.
Configure a federated authenticator in WSO2 IS with google authenticator using the generated client id and secret values.
Add newly created IDP as an option to the first step of your application.
More information can be found in here. From Google, you can get email and default profile attributes of the user. Reference.
Follow the same steps for Facebook login as well. More information available here.
Now the federated login is configured. Now you need to enable JIT provisioning for the configured Identity Providers above to save the user in the Identity Server when the user is logged in with those social login options. More information available in here. You have a few modes to create the user in the Identity Server.
Is there any way to get access token from Azure AD using Windows Integrated login from ASP.NET MVC? I've just tried to use ADAL to login providing tenant, client credentials (id and secret) and user login but it responds that "Managed users must provide password".
That's an organizational account and I don't want to show consent screen to the user if they even need to provide password.
You should be able to do this using OpenID Connect. I believe you can use the OpenID Connect sign-in request by decorating a class or method with the [Authorize] attribute. See this document for more details to see if it helps. https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-native-headless/
I'm building a system with a web and a iOS app. The web part require authentication that can be used on the mobile part and vice versa.
I want to add support for google sign in on the web and on the mobile part. For test i've used the code from
https://developers.google.com/identity/sign-in/ios/start-integrating
for iOS and
https://developers.google.com/identity/sign-in/web/
for the web part.
scope are the same on Application and web (email, profile)
Expected flow
User sign in with google and grant access from mobile (or web)
user go to web site (or application)
user sign in with google
no need to grant permission again
What i got
User sign in with google and grant access from mobile
user go to web site
user sign in with google
same permission are asked again
How can i avoid asking permission again? from the documentation (https://developers.google.com/identity/sign-in/web/cross-platform-sign-in)
seems to be possible to obtain the expected flow but in practice i am unable to obtain it. iOS and Web are in the same google developer project.
I've made this work as expected following this guides: https://developers.google.com/identity/protocols/CrossClientAuth
https://developers.google.com/identity/sign-in/ios/offline-access
what you have to do is the following:
first add
[GIDSignIn sharedInstance].serverClientID = #"SERVER_CLIENT_ID";
in your iOS appDelegate. When the user authenticate through the app you can now retrive a token valid for your server_client_id via serverAuthCode attribute of your GIDGoogleUser object.
Send the token to the server and validate it on the token endpoint (/oauth2/v3/token) redirect_uri must be empty while grant_type must be authorization_codeotherwise you will have a 400 response.
Your server is now authenthicate and when the user will log on the website permission will not be asked again.
I am trying to support "Hybrid" Federated Login and oAuth2 (using logic from this document) for a webservice which will:
support Sign in using your Google account on my site. That is, from the documentation: You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.
Access the user's Google Analytics.
Here are the steps I have done.
I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
I Get redirected to google where it has my icon and which scopes I am requesting access to. I grant access.
I get redirected back to the callback page.
I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns a id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.
Question: If I go to Authorized Access to your Google Account section in my Google account, it shows that my site has access to "Google Analytics. BUT, it does not say Sign in using your Google account. This is what I am trying to accomplish. I would have thought using the logic would enable Sign in using your Google account. What am I doing wrong? And what would be the applicable call to google so that users can sign in to my site?
If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) only for sign-in.
Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.
If you are asking how to identify user for future logins, you have two options:
Mix OAuth with OpenID, that is called Hybrid. I have described it on this answer.
Use userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described on Google OAuth 2 documentation.
If you mean automatically login to your web site in future visits you can use OpenID "immediate mode" (openid.mode parameter).
When the user is redirected back, you call the second request from your own (server-side?) code, and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, so by clearing the session/cookies.
Add this paramter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force and then the Sign in using your Google account will always show regardless of whether the user was already signed into that or any other account.
So the call would be like this https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force