I am developing MVC website. In my website all the pages are based on user permission( based on theirs role). Like some of the user will have permission for all pages and some of all only permitted for fewer pages.
In the menu itself if the user not having permission we need to display some tool-tip like, there is no permission. For every request we are hitting DB and getting permission details. Instead of hitting DB for every request, shall we maintain the permission information for that user in server session?
Related
we have a multi-tenant graph app and we are experiencing some unexpected behavior.
When a first user (non-admin and from another tenant) want to connect to the (enterprise) app, he logs in and gets the message 'Need admin approval'. This is normal, as the required permissions demand this.
Let's say the user knows the administrator login/pass, he clicks on 'Have an admin account, Sign in with that account', he logs in as administrator and approves the consent.
But then a code is generated for that administrator account and is posted back to my initial application(website). Resulting in the user having an access token for an administrator (which does not have SPO in our situation thus failing our application).
My very simple question: how can i just consent the app with an administrator account but without the flow posting back a code for that administrator to the redirect-url.
Is this possible?
Thank you
Ok, i think my problem is solved. Upon activating the app in our settings, we can direct the admin to following url:
https://login.microsoftonline.com/(tenantid)/v2.0/adminconsent?client_id=(clientid)&state=12345&redirect_uri=(redirecturl)&scope=(permissions)
We get redirected then like we receive a token, but having the state that also comes in the redirect url we might use it to display another message to the user.
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I am trying to understand how to create MVC5 website with Active Directory authentication. Also I want to manage users. So for this I created a simple project in VS2013 and selected "Windows Authentication". When I run the application I get authentication popup to enter AD username and password. After that it does says on top right "Hello AD/UserName!".
But I am not seeing logic where it actually calls for authentication. Also I want to save few AD users to database and allow only them to login to website. How can I do this? Also how will my other web pages know whether user is already authenticated. Thank You.
One Approach-
Instead of selecting 'Windows Authentication', you choose 'Anonymous' (doesn't remember exact word here)
Implement logic to Authenticate user against Active Directory. Once user is Authenticate, store that user object into 'User' property of Current Context. So that you can access it and authorised user in subsequent request.
As you are aware, AD can only authenticate user against it. Providing access to few of them is authorisation part which we need to handle as part of our application. Since you want to enable access to website for few people of AD, what you can do is add those users in your application's database and allow authorisation to those only.
I have a website where users can create an account and log in. This is stored in a database on the server. I also want users to be able to log in with Facebook etc, and thus skip the account creation. I don't know how to combine this and keep it persistent in the database. Any good examples on this use case?
Let's first see how logins work in general. When a user is logging in for the first time, a session id is generated for the user and is stored in the browser of the user as a cookie (note that there are mechanisms to store session id without a cookie, but let's assume you require a cookie for simplicity).
For subsequent requests to other pages in the same website, the cookie is also sent along. With this cookie (which has the session id), the unique user can be identified.
So, all that you require to know to identify a user in the server side (upon a web request) is the session id.
Having said that, if you want to include facebook etc into the login mechanisms, you need to do two things:
Connect your website with facebook (you will require a facebook developer account and some keys. Look here). When you do this successfully, if the user selects facebook login, your website should redirect to facebook login page and once the user logs in into facebook account, facebook will redirect back to your website with a token. This token is an indication that the user is a 'real' user. If required, you can use the token to get more details (such as facebook id, email address, name, etc.) from APIs facebook.
The second step is the same for any authentication flow. You need to generate a session id for use by your server and then save the session id in cookie.
What I have specified is the general flow on how your requirement could be achieved. The mechanics of how to do this will depend on the server side technology that you are adopting (such as ASP.NET, Ruby, etc.)
Additionally, if your website requires storing information about the user behavior / user activity, you may need to additionally check if the user logged in via FB already exists in your database. If not present, you can store the user's facebook id or something to uniquely identify the user later. With this as the primary key / user id, you can store user activity (such as inserting a record in orders table if the user purchases a product).
My facebook application is installed on multiple pages as a tab.
When a user clicks on the tab link from a page, if the user has not authorized my app, I redirect the user for authorization.
After authorization, the user is redirected to my site with the "code" value. Now, at this point, I can get the "access token" for this user but I do not have the current page id.
I need the current page id in order to show the page specific data to this user.
However, after the user has authorized my user, when the user comes back later, i get the page information from the signed request. But I also need the page information immediately after authorization.
When your app first loaded as a tab, you can read the "signed_request" and compose the redirect_uri with it.
var encodeURI = encodeURIComponent("http://myapp.com?pageid=123");
and redirect your user to somewhere like
https://www.facebook.com/dialog/oauth?
client_id=YOUR_APP_ID&redirect_uri=encodeURI&response_type=token