I'm doing an MVC application which includes a form.
The form consists of a variable list of users (participants on a team).
For each user I would like them fill out some information. If they are already registered they can chose to login through FB or Google+ and the system will retrieve information about them automatically.
When the user logs in through e.g. Google, a cookie is saved on their computer. As long as the cookie is still active it will prevent any further credentials to be inputted as google will just accept the cookie and not prompt for credentials. This will prevent other users (team members) to use this service.
Is it possible to force external login providers to ALWAYS require credentials (or perhaps a parameter which sets the expiry of the cookie).
Thanks in advance.
Frederik
Related
I need to login to Auth0 without login prompt on my intranet under certain circumstances.
I have a very particular use-case, where I have created a very special user in auth0 called "analytics" which has access to some of our analytics in Tableau.
I created it, so I know the login password and can create refresh tokens with unlimited life.
I had to create this user in auth0 and have it managed by auth0 because that's how our company access Tableau and I can't change this policy.
In another web application, which doesn't use Auth0 at all and has its own authentication methods, I need some users to have access to the ressources that the "analytics" user can access. (there also, no way to change this web application to use Auth0, because that's another company policy and I can't change it)
To achieve this, I have no choice but to allow all logged in users of the web application to be also automatically logged in as "analytics" in auth0.
Since this is an intranet, it is perfectly ok to hardcode a refresh token or login password. Also there's nothing too confidential about the analytics in question.
I know how to use the refresh token to call an API, but I don't know how to use it to "login" the user, e.g. his browser has the right cookie so auth0 knows that his browser is indeed him.
Is there any way to achieve this ?
I don't understand very well the OAuth 2.0 protocol, hence my question.
I'm looking to use an identity service such as Azure B2C, Auth0 or OKTA to secure my application.
After the user signs up for an account, I need to display a custom registration form in my application in order to complete the registration. This form requires a business process behind the scenes and therefore it can't be part of the Identity Service (IDS are quite limited to capturing static data).
How do I ensure the user has completed the registration form on my application, when they sign in?
I'm thinking of using a claim such as "RegistrationComplete" and setting this to False when the user signs up. After they've signed up I can update this claim to be True.
I can't find any information online about this scenario so I not entirely sure its standard best practice.
Disclaimer: I work at Okta
Okta does have some features which should allow this. You can pull properties from the user's profile in Okta and put those properties on tokens as claims when the user is authenticating. So the user profile holds the state you care about. Your app/service can then read this claim from the token to determine if the form should be shown. Once the form is complete, your backend service can use the Okta APIs to update this user profile state, and then send the user through the authorize flow again to get a new token with the updated claim (specifying to not prompt for re-authentication when going through the authorize flow again).
There is a restful provider feature in azure ad b2c. Using the Rest Apis from any service along with custom policies in b2c, we can get user input and save that user input to any database. The REST apis can be used to orchestrate any step.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom
Using the Google Sign In SDK, a user can sign in via OAuth2 with some default scopes requested. It can be beneficial to not request every scope an app may need up front, and instead to request additional scopes at a later time so as to not overwhelm the user at sign up.
Google outlines the process for doing this here.
The issue is that, after a user has signed in with Google, upon requesting additional scopes the user has the ability to switch Google accounts and authorize those scopes using a different account before returning to my application.
Is there a way, similar to calling -[GIDSignIn signIn], to explicitly specify which user I want to signIn and not allow the option of changing accounts?
I am not familiar with Google Sign in SDK. Most of what I have done has been written myself so I don't know how that SDK really works. However that being said the Authentication server does support something called Login_hint which should allow you to force them to use a specific user.
login_hint email address or sub identifier When your application
knows which user it is trying to authenticate, it can provide this
parameter as a hint to the Authentication Server. Passing this hint
will either pre-fill the email box on the sign-in form or select the
proper multi-login session, thereby simplifying the login flow.
More info
login_hint can be the user's email address or the sub string,
which is equivalent to the user's Google ID. If you do not provide a
login_hint and the user is currently logged in, the consent screen
includes a request for approval to release the user’s email address to
your app. (Read more at login_hint.)
If memory services Google Sign in SDK does work with openId connect so it should be possible.
If you have authenticated with an APPID and APPKEY and a specific user (meaning when prompted the users username and password have been entered and authenticated) and the system has sent back a USERID and USERKEY. Can you then make an API call to authenticate that user into D2L so the user arrives at the D2L MY HOME page?
In addition to that...
if the USERID and USERKEY for a specific user are stored in a DB, can you use that data alone to authenticate the user into D2L using an API call so the user arrives at the MY HOME page with no additional login prompt?
I understand that if the USERID and USERKEY have expired this would not work.
There are several different issues in this question.
Active web session for a user. Currently, D2L's Valence platform's user authentication does not work this way. The LMS will only provide back a UserID/Key pair as part of the auth process when it can confirm that it has an active session with a user:
API-calling client makes a request directly to the LMS to retrieve a UserID/Key pair for a user.
a. If the LMS has an active session with a user, (generate if necessary and) return the UserID/Key pair for that application/user pair.
b. If the LMS does not have an active session with a user, go through the login process it has configured to authenticate a user: this could be to redirect the calling web request to the LMS' own user login page, or that redirection could go through a third-party service that the LMS uses to authenticate users (for example, a configured SSO IDP).
What this means: if you use the API to initiate the auth process to retrieve a UserID/Key pair, the calling web browser will (as part of that process) already have an active web-session with the LMS. Either the user will be asked to log in using whatever auth process the LMS uses for that, or the user will already have done so and the calling browser will know that (because it has cookie state indicating an active session).
Programmatic logins. Currently, D2L's Valence platform does not support direct participation in the user authentication process: there are no calls to authenticate the user with the LMS by providing a userid/password or any other secret shared between the user and the LMS. The Valence security model specifically seeks to avoid having the API-calling client know about the authentication secret shared between the user and the LMS.
A client using the Valence Learning Framework APIs needs to either:
Initiate the authentication process by requesting a UserID/Key pair from the LMS (in which case the LMS will seek to auth the user; see the previous answer)
Rebuild a user context by using a valid UserID/Key pair from a cached state that it has already gathered from the LMS (which, in turn, will have required a real user to authenticate with the LMS)
UserID/Key pair expiry. Note that these auth tokens provided to the calling client by the LMS are intended to be long-lived. They should out-last the current web session that a browser will have for the user. Thus, a client application should treat those as secure data especially in combination with the client application's own ID/Key pair (since the user ID/Key pair is bound app's own ID/Key pair). While we expect client applications to cache these authentication tokens, we also expect them to be cached as sensitive information.
A user's ID/Key pair generated for an application will expire when one of these events happens:
The arrival of the expiry time associated with the ID/Key pair when the LMS generated it (the LMS admins can ensure that the default expiry time value for these tokens is "indefinite")
The user's password changes (either by the user or an LMS admin resetting it)
An LMS admin manually revokes client app access for the user
I'm creating an MVC web site, and I want to mix forms authentication (the built in authentication) with Twitter authentication in my site (eventually it will have Facebook/Google authentication too).
The approach I'm taking is this:
- I let the logic to create users and validate users/passwords from the Forms authentication as it comes out of the box.
- I created a new users table where I save the name of the user, the id of the user in my site and the authentication service of that user ("Forms", "Twitter", "Facebook").
- When the user logs in using any of the authentication methods, I create a standard Authentication cookie, adding the user id and authentication service to the UserData of the cookie.
Now, I want the user to be able to stay logged in after he closes the browser, no matter which service the user used to log in. With this I mean, that if the user opens the site again, he won't have to authorize Twitter again on the site.
Right now, with the cookies approach, MVC loads the user information from the cookie and the user seems logged in when he enters the site, exactly what I want.
The problem is that if the user revokes my site's access, the user's authentication cookie will still be valid, and the user will appear as logged in, even though the authorization for my site was revoked.
My question is, is there a way to validate the authorization in the moment MVC loads the information from the authorization cookie?. I know I can use a custom AuthorizeAttribute and validate this on the AuthorizeCore method, but this will be invoked only when the user is accessing a ActionMethod that requires authentication.
Thanks for your help.
Write an HTTP module that implements IHttpModule and handles the HttpApplication.AuthorizeRequest event.