I have a web app that lets users sign in their twitter account. It also creates a user profile on my database as well and I need save their tokens so I'd have a unique Id. I plan to one way encrypt the tokens like passwords for security sake. My question is do I need to save the pair or just one of them will suffice as a unique Id?
Thanks.
Related
We think we have a challenge with Xero tokens possibly due to how store and retreive the access and refresh token.
We have an application that seems to disconnect some tenants/Xero Organizations from time to time. We are currently storing a single token (and using refresh and access tokens) without issue, but it feels like when a different user then authorizes a new tenant within our partner organziation, some of the previously authorized tenants stop working.
Do we need to maintain a new set of tokens per user who authorized the request? E.g. User A has a set of Access+Refresh Tokens and User B has a set of Access + Refresh tokens? If so, how do we keep track of what user has authorized which organization last? E.g. if User A authorized Org1 and User B authorized Org2, but then User A also authorized Org2, when our app (per schedule) needs to access Org2 do we just have to enumerate all the tokens and call GetOrganizations() to determine which ones they have?
Again, we have been operating on the idea that a single Access + Refresh token is all we should work with despite working with 100's of tenants/Organizations.
Any great advice on the proper way to store and re-use tokens for Xero would be really appreciated.
We used to store tokens separately, but the combined into single token as it seemed correct, but we still seem to have a few issues, not sure if we need to store a token per user (e.g. decrypt the Access Token, the get User ID, and store 1 pair per unique user id (access+refresh). Is this the proper way so that we don't have disconnect all the time?
Access tokens are issued per user per app. So user A would have one token pair for all the Xero organisations that they have authorised with your app and user B would have another pair for the organisations that they have authorised.
Storing 1 pair per user id would be a good idea.
Me and my team are developing an API to secure files,in that API we need Onedrive(cloud storage).we integrated Onedrive using MicrosoftGraph authentication as shown in the below link.
enter link description here
The thing is when i try to authenticate and sign in to pesonal account it works but for organisation account i'm facing the issue as shown in the below
We have recieved a bad request.****(AADSTS165000: Invalid Request: The request tokens do not match the user context. Do not copy the user context values (cookies; form fields; headers) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Token values do not match;])****
pls help me technically.
Your token does not match the user context. This is because although you are logged in to your organization account, the token you use is still issued by your personal account.
The access token is unique. If you need to log in with an organization account, then you must set the organization account as the token issuer. You need to log in with your organization account to obtain a new authorization code, and then use the authorization code to obtain the token again.
Are there any unique and unchanging tokens available to me from Facebook and Google?
Once I get the tokens and user information back from Oauth login, it is then up to me to search my database for a user with that email and create an account if it does not exist.
The problem is, even if the oauth token and therefore email is authentic, I still want to use a second token in the database query when I look up the users.
Do Google and Facebook have any unique ID fields that I can bundle with the email when I create users to aid in the security of my login process?
p.s. I am using Mean stack and passportjs if there are any known validation or token generation packages that might help me.
Thanks.
Both providers expose a unique user ID.
Google documentation:
[...] you can safely retrieve and use the user's unique Google ID from the
sub claim.
To retrieve the Facebook user_id, make a call to:
https://graph.facebook.com/me?fields=id&access_token=xxx
Is it possible to obtain a users fb password, with granted permission?
I'm using it in a project that allows users to keep their sensitive data locked using their fb account.
It's for an iOS application, and right now I'm able to collect a users email, through the Facebook iOS sdk, and password, through a login "workaround", but I'm not sure if the app is going to get rejected due to infringement of facebook's and or apple's legal rights.
No, it is not possible to obtain a user's Facebook password.
I am not sure if the app will be rejected but I would personally avoid this solution.
I suggest to use the user's facebookId instead of the user's email.
If the secured data are stored in the app:
You only need the facebookId.
If the secured data are stored on a server:
Of course, checking only the facebookId isn't secure enough because anyone with a precise facebookId could login with it and get access to the "secured" data on your server.
What you need is two parameter to identify a user through your app:
The facebookId of the user
A secret key
You can send the secret key in your header request (or as a URL/BODY parameter if you want). It ensures that your server is called by your app an not from another source (a hacker).
What I would do to be more secure is to hash these two parameters in SHA1 so that even your request isn't readable. Then all you have to do is compare on your server the same key hashed in SHA1 with the one received.
For hashing a string to SHA1, here is a link : http://www.makebetterthings.com/iphone/how-to-get-md5-and-sha1-in-objective-c-ios-sdk/
I have a dilemma where to store secret tokens that I receive from twitter.
Options:
a. Put it into FormsAuthenticationTicket, encrypt it and put it into cookie. Is this secure enough?
b. Put it into Session and put user_name into FormsAuthentciation
FormsAuthentication.SetAuthCookie(String.Concat("<em>", screen_name, "</em>"), true);
That way I'd have to check if secret cookies exist in session first.
c. Store secret cookies in the database and store username in cookies like b.
Which one do you recommend and why?
Thanks a lot!
Since the token does not expire and your application is considered authorized for that user account, you need to store the token in something that lasts longer than a session.
In that case, I would store it in a database associated with the username.
I would not prefer storing 'username' with token, because user name is actually the screen name you get through xml, and one can easily change it.
Why not to store 'user id' with the token?