I know not all providers give out user email address, but assuming if they use oauth2 and the email field is not empty, can I say that email address must be verified ?
Using plain OAuth 2.0 (plus provider specific extensions that would be required for this scenario) this is not possible in a generic way. Using OpenID Connect, which is a standardized extension of OAuth 2.0 that provides login semantics this is possible through the standardized email_verified claim that is provides as part of the so-called ID token, and something can be requested explicitly in the authentication request.
Ofcourse it's possible. First you would have an intermediate form that would get redirected to from any provider, and fills in the fields, including email if available, if not available, then it will be blank for the user to fill it in and submit the form. You have to structure your application so that if a email address field is available and not empty and a valid email populate it in the field and allow the user to submit the form, then you would send the email verification email and perform any other step that you want when a user creates an account.
I would separate it out into events, and fire events when a user account is created. Then attach some listeners to listen to user account created event.
You can then create new event listeners and attach them to the event as needed.
Some good videos about Commands and Domain Events are available on Laracasts https://laracasts.com/series/commands-and-domain-events
Related
My question is similar to What data can I save in my database to verify a user with Google sign in API?
I've built Google Sign In correctly and I get a response from the API like this:
{
"iss":"https://accounts.google.com",
"at_hash":"xxx",
"aud":"xxx.apps.googleusercontent.com",
"sub":"xxx",
"email_verified":true,
"azp":"xxx.apps.googleusercontent.com",
"email":"xxx#gmail.com",
"iat":xxx,
"exp":xxx
}
The SO link above says to save the sub field as this is a unique identifier. I can save the email/sub no problem. My question is: How do I allow this user to sign in next time with an email/password form, if they choose to do this, versus OAuth? I guess I could force them to sign in thru OAuth, then verify they're signed in and have them create a password, but I don't know if that's the best way to do this.
The "sub" parameter is only guaranteed unique for the "iss" parameter. So the combination of "iss" and "sub" is globally unique.
If you MUST store a password you will need to ask the user. Some apps put in a random-complex password for every user as some application frameworks require a password. This may be helpful if they forget they used Google to sign in for you to do you due diligence in assigning a temporary password for the user with the email address.
You should of course consider that the email address is globally unique at any given time, but could be reassigned in some cases.
At our company, we are working with several aliases. The current situation is that one team of 10 has two aliases. In SalesForce, they would like to put the link to specific emails so that anybody out of the team can open an e-mail related to a claim for instance.
In the e-mail's link, there's the "/u/0" part that identifies the mail gmail account (firstname.lastname#...), but it seems that the aliases have a different number for everybody.
So to be clear when they open the same mail in the shared alias, the e-mail ID stays the same in the URL (logic) but the digit after the "/u/" changes for everybody.
Is there a way to generate a URL that will open the e-mail independently of the person that clicks on the URL ?
Edit:
I'll try to be clearer. Our Customer Service Center employees all have two e-mail adresses: an individual one, and a delegated one. Customers will send e-mails to the delegated one (accessible by all employees). So what we would like to do is copy the link of the e-mail into SalesForce so that any employee (who has access to the delegated gmail) can check the e-mail. But, as explained above, as the individual gmail adress is always identified by a "0" after the "/u/" chain in the URL:
https://mail.google.com/mail/u/0/#inbox/156b821f776b6d4a
the delegated gmail adress is identified by a number that differs depending on the person. So employee A will have "/u/144/" as link to the delegated gmail, another employee will have "u/345/ as link to the delegated gmail. This makes it impossible to access the e-mail by clicking the link...
Hope this little case-study makes the issue clearer.
Thanks in advance
Julien
I'm trying to do this too.
I think the only way (outside of paying for the Google business email system) is to have a database of user IDs that link to each user's gmail delegate URL.
I have a system that allows about 6 or 7 users to login, however they all share the login details (it's a small website, with no important information stored). I will have to force them all to have separate login details, and then have a lookup for their gmail delegate URL.
If you have a lot of staff, then you'd have to get their buy-in. Maybe send a global email around that links to a simple web form, that takes them through how to enter their delegate URL. Then store this in a database, with their own personal email (the other gmail account). You should make the form validation strict, so no garbage gets entered. For users who get stuck (fail validation for entering a valid gmail delegate URL), ask them to email support. 95% of staff should be able to handle this. The other 5% would just be an exercise in patience, in getting the rest of the data.
I have UserManager and am making a custom ApplicationUserManager. How do I incorporate a custom token provider and validator for something completely different than validating your account?
The way I want to use this is when the parts manager creates an order, it sends an email to all office managers. The managers all need to have a custom token and in this email, it has two buttons, a reject button and an approve button. Each will have a link back to my website, flagging the order appropriately.
I could generate a random string or numbers and save it to the database, one for each approve and reject, and each manager would get basically the same email with different userIDs in the callback url to tell the who approved or rejected the order.
I would rather create a function in the ApplicationUserManager somewhat like the .GenerateEmailConfirmationTokenAsync function and then .ConfirmEmailAsync, but for .GenerateOrderApprovalTokenAsync and .GenerateOrderRejectionTokenAsync. That way each user will have a completely different token that will expire after x amount of hours.
Can anyone point me in the correct direction. All the custom tokens I see online are all for validating your account.
I'm following the client side authentication as described at https://developers.google.com/accounts/docs/OAuth2UserAgent
I am routinely signed on to multiple Google accounts. Normally, the flow will prompt me to choose which account I want to authenticate with. However there are sometimes instances where it assumes the first account I signed in with, which is not the account I wish to use.
When users register with my service, they do so with a specific email address (and google id).
How do I qualify the oauth dialogue such that it will always take place using only the specified user?
On https://developers.google.com/drive/about-auth I can see a comment...
Note: If you want to use the user_id parameter to select the current user from
(potentially) multiple logged-in accounts,
also add https://www.googleapis.com/auth/userinfo.email.
The implies that there is a user_id parameter I can include in the oauth call, but I can't see it documented anywhere, and there is nowhere in the Javascript API where I can inject a user_id.
Add the user_id parameter to your Authorization URI.
gapi.auth.authorize({..., user_id: 'ali#gmail.com'}, handleAuthResult);
How can I use the AWeber API to automatically check whether an email address exists on a given user's list? The AWeber paradigm is baffling to me and their docs are poor. Essentially, what you get is the ability to put the AWeber login form on your site (just like this one: https://www.aweber.com/login.htm), so ANY AWeber user could use my site to log into their AWeber account and view their subscriber and list data. This is useless.
The API keys are moot: they simply establish that yes, I am a developer and yes, I have registered my app. The API keys have nothing to do with USER data.
This is not at all how MailChimp handles logins: each user can download their own API keys and use them to authenticate and then programmatically retrieve the subscriber data from their lists.
What I need to do is to create a "Members' Area" on my website, and in order for visitors to see the content in the members-only content, they must join my list. It's a simplified login form that would ask only for the email address (no password is necessary). But I cannot see how to do this with AWeber's convoluted oAuth restrictions. The only way I can currently check email addresses is by logging into my own form (the local copy of the https://www.aweber.com/login.htm form) and then checking the email address. That won't work programmatically. If I can't automatically access subscriber data, then what's the point of the API?
How can I automate authentication so my application can retrieve subscriber information from my user's lists without me having to log in?
The consumer keys identify your application, the access keys are what give the application access to an account, both are needed to make requests to the API.
There is a php quickstart for accessing an aweber accounts' subscriber data. http://engineering.aweber.com/quick-start-api-script-in-php/
Once you have the access keys generated, you must store them for future requests.