Authlogic, logout, credential capture and security - ruby-on-rails

OK, this is something weird. I got authlogic-oid installed in my Rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my Google OpenID. Successful login, redirection, and my email, along with my correct OpenID, is stored in my database. I am happy that everything worked fine!
Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL where I can log in again. Now if I try to log in it still remembers my last login ID. Not a big issue as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.
I noticed the same with Stack Overflow's OpenID authentication system.
Why am I so bothered about this, you may ask. But is it not a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse while implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and not implemented a workaround?

If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful logout reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F

AFAIK, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.
Yes, there is a scenario where a user can assume that they are logged out of Google because they logged out on your site, but that would (and should) be their own fault.

Related

Instagram Authentication Page Doesn't Auto Redirect When The User Is Logged In on Another Tab

I did my best to find a similar problem, but I did not come across one. I speculate this error may have been introduced with Instagram recently changing its API. I'm wondering if anyone else came across the same issue.
I use Instagram for authentication. The problem is that, when a user is logged in to Instagram on another tab, if he clicks the Instagram sign-in button to log in to my app, he lands on the Instagram authorization page and is asked to enter username and password. The problem is that Instagram is supposed to auto-redirect to my app directly since the user is already logged in on the browser. But this doesn't happen. Moreover, even if the user enters a wrong password or an empty user name, Instagram still redirects to my app with the logged-in user. So the browser definitely knows that the user is logged in to Instagram. I am quite sure that the problem is related to Instagram, because when I change the provider settings to Twitter, redirection occurs with no problem.
And this problem occurs for returning users as well.
For reference, I use Rails 4 and my authentication strategy is omniauth-instagram (no Devise). I mainly followed this tutorial http://www.sitepoint.com/rails-authentication-oauth-2-0-omniauth/ for authentication. I am still in development mode so I use localhost.
EDIT: Here is the Instagram notice: Instagram Platform and documentation update. Apps created on or after Nov 17, 2015 will start in Sandbox Mode and function on newly updated API rate-limits and behaviors. Prior to going Live, and being able to be used by people other than the developers of the app, these apps will have to go through a new review process. Please read the API documentation or the Change Log for more details.
I started creating my app before Nov 17th.

OAuthWebSecurity, MVC! Can you force the user to log in each time?

I am using the code that gets implemented in a new MVC project for users to log into Google, Yahoo, etc. I have it all working, but what I notice is when I try to log in with Yahoo, there might be another user (my brother-in-law) logged into Yahoo on my machine, so when I try to log in, it tries to register him. That is annoying, so I want it to force the user to re-enter their username/password on Yahoo (Google, etc.). Is that possible? This seems like a security flaw also. If I was in my app and then logged out, but did not log out of Yahoo, Google, etc., anyone could come along and log in to my app. That hole is so wide and obvious it tells me I am probably doing something wrong, because they would not have designed it that way. I am thinking I need to destroy some cookie or token on my site when the session ends or I log out.

Rails Devise Api + Facebook iOS SDK, security concern

I am currently developing an app that will use the FB SDK (for the first time) to log a user into the app. The flow is typical, I assume. User taps "log in with Facebook", Facebook Graph authenticates, then we do a call to our API and log the user in via their Facebook email (only) that we have on file.
However, what's freaking me out here is, theoretically if someone knew our api_token, and knew that calling a POST to a login URL with only a valid existing email logs them in, isn't that a security issue since they could actually log in as someone else? Am I overthinking this? Understandably, they'd have to know every aspect of the API to do any damage. But still, I'm not feeling comfortable with this flow. Am I missing something?
This shouldn't be something you have to worry about. Facebook first protects you by having the requirement for the user to be logged into Facebook. Next, the user's UID (readily available to anyone) and your API Key isn't enough. They'd still need your API Secret Key (which, if someone has it, is a bad thing) to sign requests as you.
What you're really using is OAuth (though Devise, through OmniAuth). I'm not an expert but you can read more here: http://hueniverse.com/oauth/guide/security/
When a user registers via OAuth, you aren't going to have a password set for them, and that's not a huge deal as they have to also first log into Facebook. It might be a good idea though to ask them to set a password if they ever edit their account; that also means they can sign in the old-fashioned way if they desire/delete Facebook/etc.
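A server-side check for the flow described in the question above, added here as an example (it is not code from the question, the answer or the Facebook SDK): instead of logging a user in on an email the client POSTs, the app verifies the Facebook access token the SDK handed it against the Graph API `/debug_token` endpoint, confirms the token was issued to this app and is still live, then reads the identity from `/me` and cross-checks the user id. The app id, app secret, token strings, user ids and the `FAKE_GRAPH` responder are constructed placeholders so the example runs offline; only the two Graph endpoints and their response fields are Facebook's.

```ruby
require "json"
require "net/http"
require "uri"

# Added example; not code from the question, the answer, or the Facebook SDK.
# Identity comes from a token Facebook validates, never from a client-supplied email.
class FacebookTokenVerifier
  GRAPH = "https://graph.facebook.com"

  # http_get is injectable so the class runs without network access (see FAKE_GRAPH).
  def initialize(app_id:, app_secret:, http_get: nil)
    @app_id = app_id.to_s
    @app_secret = app_secret
    @http_get = http_get || ->(url) { Net::HTTP.get(URI(url)) }
  end

  # Returns { uid:, email: } for a live token issued to *this* app, else nil.
  def verify(user_token)
    # The app access token "APP_ID|APP_SECRET" authorises /debug_token; it never leaves the server.
    debug = get_json("/debug_token", input_token: user_token, access_token: "#{@app_id}|#{@app_secret}")
    data = debug["data"] || {}
    # A token minted for a different app is "valid" to Facebook but must not log anyone in here.
    return nil unless data["is_valid"] == true && data["app_id"].to_s == @app_id
    expires = data["expires_at"].to_i
    return nil if expires.positive? && expires <= Time.now.to_i

    # Fetch the profile with the user token and cross-check the id asserted by /debug_token.
    me = get_json("/me", fields: "id,email", access_token: user_token)
    return nil unless me["id"].to_s == data["user_id"].to_s
    { uid: me["id"].to_s, email: me["email"] }
  end

  private

  def get_json(path, **params)
    JSON.parse(@http_get.call("#{GRAPH}#{path}?#{URI.encode_www_form(params)}"))
  end
end

# Constructed stand-in for the Graph API so the example runs offline. Tokens and ids are
# invented: "good-token" belongs to app 123456, "other-app-token" to app 999999.
FAKE_GRAPH = lambda do |url|
  uri = URI(url)
  q = URI.decode_www_form(uri.query.to_s).to_h
  case uri.path
  when "/debug_token"
    case q["input_token"]
    when "good-token"
      { data: { app_id: "123456", is_valid: true, user_id: "42", expires_at: Time.now.to_i + 3600 } }
    when "other-app-token"
      { data: { app_id: "999999", is_valid: true, user_id: "42", expires_at: Time.now.to_i + 3600 } }
    else
      { data: { is_valid: false, error: { message: "Invalid OAuth access token." } } }
    end.to_json
  when "/me"
    if q["access_token"] == "good-token"
      { id: "42", email: "alice@example.com" }.to_json
    else
      { error: { message: "Invalid OAuth access token." } }.to_json
    end
  else
    { error: { message: "unknown path" } }.to_json
  end
end

if __FILE__ == $PROGRAM_NAME
  verifier = FacebookTokenVerifier.new(app_id: "123456", app_secret: "not-a-real-secret", http_get: FAKE_GRAPH)
  p verifier.verify("good-token")       # logged in: uid "42", email "alice@example.com"
  p verifier.verify("other-app-token")  # nil: token was issued to another app
  p verifier.verify("bogus")            # nil: Facebook reports the token invalid
end
```

The login endpoint then takes only the token, calls `verify`, and looks the account up by the returned `uid` (or `email`); a POST carrying just an email has nothing to authenticate with. Checking `app_id` matters because any app's valid user token would otherwise pass the `is_valid` test.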

OmniAuth ruby on rails, forcing facebook user to re-authenticate when currently logged into facebook

I have a Facebook application that the user has authorized. I want to re-authenticate when their token has expired. The problem is that when the user is already logged in to Facebook, and they have already authorized the application, Facebook just redirects back to the redirect_url. I don't want this behavior as the user may have multiple Facebook accounts and the one they're logged in to may not be the correct one.
The initial Facebook authorization happens via server-side authentication.
I want to either:
pick which one [account] to authenticate with (this is ideal) or
force them to re-authenticate their facebook credentials
I would like to avoid using the JavaScript SDK to force logout then re-login if possible. I would like to keep everything server side for maintenance reasons.
You can configure omniauth-facebook to force reauthentication by setting auth_type to reauthenticate.
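What that option changes on the wire, as an added example (not code from the answer or from omniauth-facebook): `auth_type=reauthenticate` is the Login Dialog parameter Facebook documents for forcing a password prompt even when the browser already holds a Facebook session, and omniauth-facebook appends it when the provider is configured with `auth_type: 'reauthenticate'`. The module below builds the dialog URL with and without the parameter using only the Ruby standard library, and validates the callback's `state` before the code would be exchanged. The `FacebookReauth` module, the client id, the redirect URI and the sample query strings are assumptions for illustration.

```ruby
require "uri"
require "securerandom"

# Added example; not code from the answer or from omniauth-facebook. Shows the request
# that auth_type: 'reauthenticate' produces and the callback check that must accompany it.
module FacebookReauth
  DIALOG_URL = "https://www.facebook.com/dialog/oauth"

  # Per-request anti-CSRF token; store it in the session before redirecting.
  def self.new_state
    SecureRandom.hex(16)
  end

  # Facebook Login Dialog URL. With auth_type=reauthenticate the user is asked for
  # their password again, so an already-logged-in (or wrong) account is not silently reused.
  def self.authorize_url(client_id:, redirect_uri:, state:, reauthenticate: true, scope: "email")
    params = {
      "client_id"     => client_id,
      "redirect_uri"  => redirect_uri,
      "response_type" => "code",
      "scope"         => scope,
      "state"         => state,
    }
    params["auth_type"] = "reauthenticate" if reauthenticate
    "#{DIALOG_URL}?#{URI.encode_www_form(params)}"
  end

  def self.query_params(url)
    URI.decode_www_form(URI(url).query.to_s).to_h
  end

  # Validate the callback before exchanging the code: a provider error (the user
  # cancelled the re-auth dialog) is not success, and state must match what was stored.
  # Returns the authorization code or raises.
  def self.callback_code(query_string, expected_state:)
    params = URI.decode_www_form(query_string).to_h
    raise "provider error: #{params['error']}" if params.key?("error")
    unless secure_compare(params["state"].to_s, expected_state)
      raise "state mismatch: possible CSRF or login fixation"
    end
    params.fetch("code") { raise "missing code" }
  end

  # Constant-time comparison so the state check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  state = FacebookReauth.new_state
  # Hypothetical client id and redirect URI, for illustration only.
  puts FacebookReauth.authorize_url(client_id: "123456",
                                    redirect_uri: "https://app.example/auth/facebook/callback",
                                    state: state)
end
```

With omniauth-facebook the redirect is generated for you; this shows what to expect in the request line if you capture it, and why a forced re-prompt does not remove the need for the `state` check: the dialog can still be completed by a different account than the one the session expects, which is the multiple-accounts case in the question.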
I don't know how to force users to re-authenticate (that would be the better solution), but it's the first time I hear of someone who wants the token to expire faster. (Tokens last 2 hours, https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/ ).
Your use case is really unusual:
"the user may have multiple facebook accounts and the one they're logged in to may not be the correct one"
Who has multiple Facebook accounts?
Maybe if you are a developer, you will need an extra account, but it's better to use this:
https://developers.facebook.com/docs/test_users/
Regards
Ivangrx
force them to re-authenticate their Facebook credentials
The OAuth dialog offers a method for re-authentication, but I'm not quite sure if that fits your needs, so you'll have to give it a try.

How to detect if already logged in with OpenID and bypass web app login page

I would like to know the best way of implementing automatic login to my web site. What I mean by automatic is this:
I've already signed into Google. I now go to my web site and its login page. Instead of clicking on the link to login with Google I would like the web app to detect that I'm already logged into Google and bypass the whole login page.
1) Would I use the DotNetOpenAuth.OpenId.RelyingParty.OpenIdAjaxRelyingParty.HttpApplicationStore to get associations?
2) Or do I need to look at cookies.
To your "1) Associations" guess, no. Associations that the RP may already have with Google are irrelevant to who the user is at the browser or whether they're logged into Google. Your "2) cookies" won't work either because browsers isolate Google's cookies from those of your RP, so you have no insight into that.
Hbas was right. I think Auto Login user to website when user is logged in to FB or google - DotNetOpenAuth has the answer to your question.
Distant memory suggests that Google had a way of disclosing to an RP that the user was logged into a Google account (with no way to identify which user or auto-login that user), the idea being that the RP could then promote the "login with Google" button since you know the user has a Google account. However, that wasn't well advertised (privacy concerns probably) and I can't find any info on it at the moment.
