how to sign out of vimeo in iOS - ios

In my app I am using the Vimeo Advanced API and retrieving videos and other user details. Everything is good, but is there a way to sign out of the Vimeo API so that the user can sign out and another user can sign in? Is there any other technique to achieve that?

With the Advanced API, all authentication is stateless. The token you provide defines the user you have authenticated as.
There is no concept of "logging out" a user because technically a user is never "logged in" for more than one request.
If you wish to allow a different user to log in, simply stop sending the old access token and request one for a different user.

Related

Automatic (new) sign in with Google / stay signed in - web app

TLDR: I've been struggling with the new Sign in with Google functionality, and especially the part about how I can let the user stay signed in. What I understand from the docs is that Google only says "this is a user who would like to sign in", but basically I would still need to create my own backend to track that user.
Note this question is about the new Sign in with Google functionality; all the guides/questions I can seem to find are about legacy sign-in, and this is quite well described here:
https://developers.google.com/identity/sign-in/web/server-side-flow
What confuses me most is basically already stated in the beginning of the guide:
https://developers.google.com/identity/gsi/web/guides/overview?hl=en#user_sign-in_to_your_site
You'll manage per user session state for sign-in to your site.
User sign-in status to their Google Account and your app are independent of each other, except during the sign-in moment itself when you know that the user has successfully authenticated and is signed into their Google Account. Users may remain signed-in, sign-out, or switch to a different Google Account while maintaining an active, signed-in session on your website.
I understand the basic principle behind OAuth and the part where you have to exchange the authorization code for an access token and you can verify this access token (which is perfectly described in the legacy guide), but this is now only required for OAuth2 in order to access personal data. If I understand correctly this access token can be used as an identifier for a specific session (as alternative to a password or session cookie).
With the new sign in policy you will only get a JWT which identifies the user. Also apparently the only way to get a JWT is as a response when the user clicks the Sign in with Google button and selects the account in the consent screen (which ideally should only occur once).
What I actually want to achieve is that when a user enters the site I want to send a request "Hey Google this user is visiting my site, do you recognize this session and is it still valid".
Maybe I'm thinking way too difficult, but what I just don't understand is how can the new Google Login actually help me remember and validate users?
After some more digging around I found a lead on this page: https://developers.google.com/identity/gsi/web/guides/migration#object_migration_reference_for_user_sign-in
Basically what I am looking for was provided by the deprecated GoogleAuth.isSignedIn.get() function, but the notes clearly show:
Remove. A user's current sign-in status on Google is unavailable. Users must be signed-in to Google for consent and sign-in moments.
Combined with the prior statement:
You'll manage per user session state for sign-in to your site.
To validate the assumption I did some testing with other web services where I logged in using Google, revoked the login access for that website from the Google console, and when revisiting that website I was still logged in to the website.
My conclusion:
Google login only verifies the initial login
Google basically responds with "Yes this is a valid user"
I have to keep track of the user session using cookies/databases myself

Slack Oauth: Automatically authorize user if user had already authorized app

I'm working on a Slack app that a user can install to a workspace using Slack's OAuth flow. After installing and configuring the app, I'm using OAuth to allow the user to log in and make changes to the app configuration.
The flow for a new user uses the "Add to Slack" button, which asks the user to agree to allow bot and identity.* scopes, after which my app retrieves and stores bot and user tokens.
Now I'd like to allow the same user to sign in using the "Sign in with Slack" OAuth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):
Sign in with Slack
The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.
The Slack documentation implies that subsequent login attempts will result in an automatic redirect:
After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.
Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.
(emphasis mine)
However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?
Update: Response from Slack
I reached out to the Slack team and got this response:
Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:
Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!
Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again.
This is definitely something we should consider making better, but for the time being it's the expected behaviour and we're going to revise the documentation to reflect that.
Sorry for the bad news.
As of 11/17/19 the Sign in with Slack documentation has not been updated.
For your requirement to implement a web page that is linked to your Slack app with an authenticated Slack user, you have two alternatives:
Sign-in with Slack
One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.
Note that this auth process is independent of the user logging into his Slack workspace.
Own authentication
Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the user's current context, e.g. his Slack and user ID.
Note that this URL could be obtained and potentially misused by a user, so you would need to add measures to protect it, e.g. by encrypting the IDs or by adding a secure hash or a one-time token ...
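One way to implement the "secure hash" variant of the protected link suggested above, as an added example that is not code from the answer or from Slack: the Slack team and user IDs are bound to an expiry with an HMAC tag, and the web app only trusts the IDs after the tag verifies. LINK_KEY and LINK_TTL are assumed names, and the key value is a constructed placeholder.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder; a real deployment loads a random key from configuration.
LINK_KEY = b"constructed-example-key-do-not-reuse"
LINK_TTL = 300  # seconds a generated link stays usable


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link_token(team_id: str, user_id: str, now: Optional[int] = None) -> str:
    """Serialize {team, user, exp} and append an HMAC-SHA256 tag over the exact bytes."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"team": team_id, "user": user_id, "exp": now + LINK_TTL},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(LINK_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_link_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the {team, user} context, or None if the token is malformed, tampered or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(LINK_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison of the tags
        return None
    claims = json.loads(payload)  # safe to parse: the tag proves we produced these bytes
    if claims["exp"] < now:
        return None
    return {"team": claims["team"], "user": claims["user"]}
```

The one-time-token variant additionally needs server-side storage so that a token is rejected on its second use; the HMAC form above only limits replay by the expiry window.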

how to auto sign out user after using "sign in with slack" with oauth2

After using the OAuth2 flow for Slack ("Sign in with Slack") and making the appropriate API calls, we need to make sure users are properly signed out of Slack as well; otherwise, on a shared computer, subsequent users would gain access to their info.
We're using OAuth2 with Slack and all is well, but we don't know how to explicitly log users out of Slack. We spied a generic URL (https://slack.com/signout/{first-part-of-oauth2-client-id-here}) which does take the user to their main page, with a dialog and a button. But in our case we've already asked the user if they want us to log them out of Slack, so that dialog is jarring (and redundant).
We can't find an API to allow for this use case.
This is NOT asking for access_token revocation (which we do as well); this is simply signing the user out on that particular computer (after they asked to sign out of our app).

Google OAuth check if user logged out from Google

After a user has logged in with Google OAuth, is it possible to check later whether the user has logged out from Google?
Scenario:
User logs in to Google
User logs in on mysite.com using Google OAuth, and the login state is stored in a session for 1 year.
User logs out from Google, but forgets to log out from mysite.com
After one week someone steals the user's laptop. The thief won't be able to use Google but will be able to re-use the logged-in user session on mysite.com
I wonder what the ways are to prevent such a situation?
I don't want to put this burden on the user: log him out from mysite.com and ask him to log in again every day.
I would like instead to use something automatic like:
When you logged in with Google OAuth you get some sort of ID
Every day you validate that that original session is still active, by calling something like
google.com/api/is-original-session-still-active?id=ID
Note: I suspect that you have your terminology incorrect; I suspect you are using OpenID Connect and not OAuth2 to sign in your users. However, I will answer this question based upon OAuth2 as that's what you say you are using.
OAuth2
OAuth2 is used to grant an application access to a user's data. When using an OAuth2 token you are acting on behalf of the user. There is in fact no user interaction when using OAuth2 tokens.
If a user consents to your application accessing their data you will get an access token and a refresh token. Access tokens are good for an hour. Refresh tokens are long lived and will give you access to a user's data for as long as the user doesn't remove your consent and you use it at least every six months.
As OAuth2 is without user interaction, there is no way to use it to see if a user is logged into their account. There is actually no Google API that would give you this information. This would IMO be considered private user information and not something that Google should be sharing with third-party applications.
Suggestions
You may want to consider some changes to your application.
Implement logout everywhere. If the user changes their password, then all of the devices they have logged in on should automatically need to be re-authenticated.
Your sessions should be good for only a week or two, and you should enable sliding expiration.
Tell your users to remove the consent of your application to their data; this will also force them to have to re-login.
Specifically, to know about user account security events that could impact users of your app if your app is using Sign In With Google, consider registering your app to receive events for Cross Account Protection.
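The session handling that both this answer (a one- or two-week sliding window plus "logout everywhere") and the conclusion of the earlier Sign in with Google question (the site tracks its own sessions after Google has vouched for the user once) describe, as an added example that is not code from either post: an in-memory store keyed by a random cookie value, with an idle timeout, an absolute lifetime and a per-user generation counter that invalidates every session when bumped. SessionStore, IDLE_TIMEOUT and ABSOLUTE_LIFETIME are assumed names; a real deployment would persist the records in a database.

```python
import secrets
from typing import Optional

IDLE_TIMEOUT = 7 * 24 * 3600        # sliding window: one week without activity ends the session
ABSOLUTE_LIFETIME = 14 * 24 * 3600  # hard cap: two weeks after sign-in regardless of activity


class SessionStore:
    """Server-side sessions; the browser only ever holds the random session id."""

    def __init__(self) -> None:
        self._sessions = {}         # session id -> record
        self._auth_generation = {}  # user id -> counter bumped on password change or consent revocation

    def create(self, user_id: str, now: int) -> str:
        """Issue a session once the identity provider has vouched for user_id (ID token verified)."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable, not derived from user data
        self._sessions[sid] = {
            "user": user_id, "created": now, "last_seen": now,
            "generation": self._auth_generation.get(user_id, 0),
        }
        return sid

    def resolve(self, sid: str, now: int) -> Optional[str]:
        """Map a cookie value to a user id, or None when the session is gone or no longer valid."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        expired = (now - rec["last_seen"] > IDLE_TIMEOUT
                   or now - rec["created"] > ABSOLUTE_LIFETIME
                   or rec["generation"] != self._auth_generation.get(rec["user"], 0))
        if expired:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now  # sliding expiration: activity extends the idle window only
        return rec["user"]

    def logout_everywhere(self, user_id: str) -> None:
        """Password change, consent revocation or a security event: every session of the user dies."""
        self._auth_generation[user_id] = self._auth_generation.get(user_id, 0) + 1
```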

Are oauth_token and oauth_verifier sufficient parameters for persistent isLoggedIn?

I'm learning to use the Twitter API for the first time. I want to build a website that allows users to post messages to their Twitter, Facebook and LinkedIn accounts. They will need to sign up first via the website's registration/authentication system, which is not related to Twitter, Facebook and LinkedIn. Once logged in, they should be able to synchronize their Twitter, Facebook and LinkedIn accounts with my website.
I'm starting development with Twitter first. I followed this tutorial here:
http://www.1stwebdesigner.com/tutorials/twitter-app-oauth-php/
After authenticating, Twitter sends me to this URL.
http://mywebsite.com/?oauth_token=o7gIh4x8xAs1mcms6OKthLoLecL99WVbky2Gu6o4no&oauth_verifier=83Ip3jrMVDvnbIY3RXS5DH1FUZrWAHddwApnOBfm4
The first time this page loads, it properly retrieves all the authenticated user info. But when I refresh the page, all the user info disappears.
My question is:
Are the query string parameters oauth_token=o7gIh4x8xAs1mcms6OKthLoLecL99WVbky2Gu6o4no&oauth_verifier=83Ip3jrMVDvnbIY3RXS5DH1FUZrWAHddwApnOBfm4 all that's needed to gain write access to a user's Twitter account? Can I store these tokens in my database so that the user never has to be prompted to sign in to Twitter again?
You had better keep oauth_token (and oauth_token_secret too) in your database, since you will use them for all the authenticated requests you make for the authenticated user. As for oauth_verifier, it is a parameter only used during the OAuth authentication flow, so you can get rid of it once you have got the final tokens.
For further details (and to ensure what you are doing is right), see the corresponding "Sign in with Twitter" page on the Twitter Developers website: https://dev.twitter.com/docs/auth/implementing-sign-twitter.
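Why the answer says to store oauth_token together with oauth_token_secret and drop oauth_verifier, as an added example that is not code from the answer or from Twitter: the secret is half of the HMAC-SHA1 key for every later OAuth 1.0a request, while the verifier is consumed by the one-time access-token exchange. The access-token response body below is constructed; credentials_to_store and sign_request are assumed names, and the consumer key, secrets, nonce and timestamp are the public test vector from the OAuth Core 1.0 specification's appendix.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote


def _enc(value: str) -> str:
    return quote(str(value), safe="")  # RFC 3986 percent-encoding, as OAuth 1.0a requires


def credentials_to_store(access_token_body: str) -> dict:
    """Parse the access-token exchange response; keep only what later signed calls need."""
    fields = {k: v[0] for k, v in parse_qs(access_token_body).items()}
    # oauth_verifier never appears here: it was spent on the exchange that produced this body.
    return {"oauth_token": fields["oauth_token"],
            "oauth_token_secret": fields["oauth_token_secret"]}


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&enc(url)&enc(sorted, encoded query + oauth_* parameters)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """The signing key joins both secrets, which is why oauth_token_secret must be persisted."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, query, consumer_key, consumer_secret, creds, nonce, timestamp) -> dict:
    """Build the oauth_* parameters for one API call from the stored token and secret."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_token": creds["oauth_token"], "oauth_version": "1.0"}
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**query, **oauth}, consumer_secret, creds["oauth_token_secret"])
    return oauth
```

The nonce and timestamp are fixed here only so the signature is reproducible; a real client generates a fresh random nonce and the current time for every request.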
