AWS Cognito - verification code supplied does not work/allow user to log in

When resetting passwords in Cognito for users with expired accounts, the verification code supplied via email displays as incorrect and does not allow the user(s) to proceed.
I have tried as many ways as I can think of, with the same result.

Related

Implementing 2fa in two steps

I did a lot of research on how to implement 2FA in my app.
My app will require every user to use 2FA (I will use OTP).
I think that in my app (because every user will need to use 2FA, and I will use only OTP), I can have only 2 steps:
1. Log in the user providing username, password and OTP.
2. If step 1 is successful, authentication is done.
From all the sources I found, the 2FA steps are always the same:
1. Log in the user providing username and password.
2. If step 1 is successful, ask the user for the OTP token.
3. If step 2 is successful, authentication is done.
In my head, if I have optional 2FA, or 2FA using SMS/email, then I must have the step in the middle (authenticate the user, send the SMS/email and wait for the code), but with OTP I already have the code and I can provide it in the same login form as the username and the password.
I haven't seen this kind of 2FA with only 2 steps; am I missing something?
Both of your examples are the same.
In the first scenario the server is waiting for the user to enter the OTP, and the same process follows in the second scenario.
These are the distinct steps in 2FA authentication:
1. The user sends their username and password to the server to be authenticated as usual.
2. The server confirms the credentials are correct and asks for a second input from the user. In this case it's a one-time passcode (OTP).
3. The user provides the OTP, and the server finally authenticates the user.
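As an added example (not from the question or the answer above), here is what the single-form variant looks like on the server side in Python: username, password and OTP arrive in one request, but the server still performs the two checks the answer lists as distinct steps, and both must pass. The user store, salt and TOTP seed are constructed demo values; the TOTP routine is RFC 6238 over RFC 4226, standard library only, and the login returns nothing more specific than success or failure.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo store: one user, a PBKDF2 password hash and a base32 TOTP seed.
# Made up for this example; a real store uses a random per-user salt.
_SALT = b"demo-salt-use-a-random-per-user-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": "JBSWY3DPEHPK3PXP",  # base32 seed as enrolled in an authenticator app
    }
}


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second counter with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb clock drift."""
    if not code.isascii():
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * 30), code)
        for d in range(-window, window + 1)
    )


def login(username: str, password: str, otp: str, now: Optional[int] = None) -> bool:
    """Single-form login: username, password and OTP in one request.

    The two factors are still checked separately and both must pass; the caller
    only learns success or failure, never which factor was wrong.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    # Run both checks even for an unknown username so response time does not
    # reveal whether the account exists.
    record = user or {"password_hash": b"\x00" * 32, "totp_secret": "A" * 16}
    password_ok = hmac.compare_digest(hash_password(password), record["password_hash"])
    otp_ok = verify_totp(record["totp_secret"], otp, now)
    return user is not None and password_ok and otp_ok
```

The first two asserts in the check below use the RFC 6238 reference secret ("12345678901234567890" in base32) and its published values, so the TOTP arithmetic is verified independently of the demo user.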

Which Google OAuth2.0 token do I use to uniquely identify a user and log them in

I'm trying to set up Google OAuth 2.0 from this guide and I have everything set up and running. I can get the authorization code, the access_token and the refresh_token to show up in my console.log output. My question is: which one of these tokens can I use to properly identify and log in a user to my backend?
In a normal scenario, a user would enter a username and password and that would uniquely identify them. However, in the Google OAuth 2.0 case, it seems the authorization code, the access_token and the refresh_token all cannot be used to properly identify and log someone in. Is this understanding correct?
I read a similar post, but it doesn't seem to provide a very recent answer that also securely identifies the logged-in user.
If I cannot use any of the above-mentioned tokens to securely identify and log in a user, is it even possible? How come I see other websites and apps use "sign in with Google" and "sign in with Facebook"?
Another solution I read in a different Stack Overflow post said to just get the account ID and use that as an identifier. Isn't that insecure? Can't someone guess the account ID? Also, this would be assuming these account IDs are private.
"My question is which one of these tokens can I use to properly identify and log in a user to my backend?"
The ID token from OpenID Connect.
Explanation
You are confusing authorization and authentication.
OAuth2 allows a user to grant and authorize your application access to their data. The access token gives you access to their data for a limited time (1 hour). If the user is offline you can use the refresh token to request a new access token. None of these will tell you which user is behind the calls.
OpenID Connect allows you to authenticate a user; logging in will return an ID token.
ID token verification
After you receive the ID token by HTTPS POST, you must verify the integrity of the token (see "Verify the integrity of the ID token").
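As an added example (not part of the question or answer above), the following Python shows the verification the answer refers to and why the "account ID" worry in the question does not apply: the identifier you store is the `sub` claim, and it is only used after the token's signature, issuer, audience and expiry have passed. The issuer strings are the two forms Google documents for its ID tokens. Everything else is an assumption of this example: Google signs ID tokens with RS256 against keys it publishes (JWKS), but to run offline with the standard library the signature check here is a pluggable HMAC stand-in, and the token, secret, client id and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Issuer values Google uses in its ID tokens; either form may appear.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

SignatureCheck = Callable[[bytes, bytes, dict], bool]

# Constructed demo values (not real credentials or a real Google client id).
DEMO_SECRET = b"demo-shared-secret-stand-in"
DEMO_CLIENT_ID = "demo-client-id.apps.googleusercontent.com"
DEMO_NOW = 1_700_000_000
DEMO_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": DEMO_CLIENT_ID,
    "sub": "110169484474386276334",   # constructed, Google-style numeric subject
    "email": "user@example.com",
    "email_verified": True,
    "iat": DEMO_NOW,
    "exp": DEMO_NOW + 3600,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_check(secret: bytes) -> SignatureCheck:
    """Stand-in signature check (HMAC) so the example runs offline. Against real Google
    tokens you verify RS256 with Google's published public keys and pin alg to RS256."""
    def check(signing_input: bytes, signature: bytes, header: dict) -> bool:
        if header.get("alg") != "HS256":  # never let the token choose its own algorithm
            return False
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return check


def make_demo_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Constructed sample token; in practice Google mints the ID token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, check: SignatureCheck, client_id: str,
                      now: Optional[int] = None) -> dict:
    """Signature, issuer, audience and expiry must all pass before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if not check(f"{head}.{body}".encode(), _b64url_decode(sig), header):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this application")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def account_key(claims: dict) -> str:
    """Key your user table on the issuer-scoped `sub`. Knowing someone's sub buys an
    attacker nothing: it only counts when it comes out of a token that passed the checks
    above. Email is not a key (it can change; trust it only when email_verified is true)."""
    return f"google:{claims['sub']}"


def is_valid(token: str, check: SignatureCheck, client_id: str, now: Optional[int] = None) -> bool:
    try:
        validate_id_token(token, check, client_id, now)
        return True
    except ValueError:
        return False
```

Usage: `account_key(validate_id_token(token, check, your_client_id))` is the value to look up or create the local account with; any `ValueError` means the login is refused before the claims are read.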

Invalid user or password or the account is blocked due to multiple failed login attempts

Error message: "Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time."
I have installed OpenProject in an Ubuntu environment.
This morning I updated OpenProject.
When I tried to log in using my username and password I got the above error message.
The database is PostgreSQL.
I am able to log in to the DB.
What is the solution to resolve this issue? I want to unblock the account.
None of the accounts, including the admin account, can log in.
1. Create a new username and password with admin rights in the PostgreSQL DB.
2. Grant admin rights to the user.
3. Log in to the website using the new username and password.
4. Go to Administration - Authentication - check AUTOMATED USER BLOCKING - "Block user after this number of failed login attempts" - give the input zero (0).
It will allow the user to log in any number of times if they fail.
Thanks

Require verification of both email and phone

If a user provides both an email and a phone number, I need to require both to be verified. It looks like there isn't a way to do this without extra steps, as described here:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
Is there a way to require both verifications?
Currently it looks like I have to verify the phone number first and wait for it to be verified. After that, call initiateAuth to get an access token, retrieve the userInfo and check if the email needs verification, and send the verification code out. From testing I saw that email verification does not block the initiateAuth request, so a getUser request would need to be made before every initiateAuth request to see if verification is needed, and not return an access token if the email still needs verification.
I am on the Cognito team. The scenario described (requiring email and phone number verification before sign-in) is not possible at this point. If both phone number and email require verification and a phone number is present in the user attributes, the verification code is sent to the phone number; it is prioritized. Also, the calls to verifyUserAttribute, which would enable you to verify the email, require an AccessToken to mark the email as verified.
Unfortunately, Cognito will only send you an email verification link if you do not provide a phone number when registering. If you provide an empty phone number property value and a valid email address, in that case it will send the email.
This is really awful, because SMS messages sometimes don't reach the endpoint in real time.
If you want to verify the two contact methods in the registration flow, for example, you could do this (you must have your own OTP verification flow):
1. Create the user with admin powers without notifying the user of the registration:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-create-user.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
aws cognito-idp admin-create-user --user-pool-id us-east-2_fggdfg --username 117979111 --user-attributes Name=email,Value=calderonr.robinson#gmail.com Name=phone_number,Value="+5732085654" Name=custom:id,Value="1179791" Name=name,Value="Robinson C" --message-action SUPPRESS
(This can be programmed after the OTP verification that you develop.)
2. Then assign the password to be confirmed:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-set-user-password.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html
aws cognito-idp admin-set-user-password --user-pool-id us-east-2_fggdfg --username 117979111 --password "loquesea" --permanent
3. Set to true the contact method that was being verified:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-update-user-attributes.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
aws cognito-idp admin-update-user-attributes --user-pool-id us-east-2_fggdfg --username 117979111 --user-attributes Name="email_verified",Value="true"
You can do all this perfectly well with the AWS SDK 2.
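As an added example (not the answerer's code), here is the same three-call flow in SDK form in Python, assuming boto3's cognito-idp client is what is meant by the SDK (its admin_create_user, admin_set_user_password and admin_update_user_attributes methods mirror the CLI commands above). Two points the CLI one-liners leave implicit are made explicit: inputs are checked (Cognito wants E.164 phone numbers), and only the contact methods your own OTP flow actually confirmed get flagged as verified, rather than both by default. The pool id, username, addresses and password are constructed placeholders, and RecordingClient is an offline stand-in that records calls instead of reaching AWS.

```python
import re
from typing import Any, Dict, List, Tuple

# Cognito expects phone numbers in E.164 form and a syntactically valid email address.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class RecordingClient:
    """Offline stand-in for boto3.client("cognito-idp"): records each call instead of
    hitting AWS. Replace with the real client to provision for real."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def admin_create_user(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("admin_create_user", kwargs))
        return {}

    def admin_set_user_password(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("admin_set_user_password", kwargs))
        return {}

    def admin_update_user_attributes(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("admin_update_user_attributes", kwargs))
        return {}


def provision_verified_user(client: Any, user_pool_id: str, username: str, email: str,
                            phone_number: str, password: str,
                            verified: Dict[str, bool]) -> List[str]:
    """Runs the three admin calls in order and returns the attribute names marked verified.

    `verified` must reflect what your own OTP flow confirmed for this person
    (keys "email" and "phone_number"); nothing is flagged that was not checked.
    """
    if not EMAIL.match(email):
        raise ValueError("email is not well formed")
    if not E164.match(phone_number):
        raise ValueError("phone number must be E.164, e.g. +15550100")

    # 1. Create the user silently: no welcome message, you already handled the user.
    client.admin_create_user(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[
            {"Name": "email", "Value": email},
            {"Name": "phone_number", "Value": phone_number},
        ],
        MessageAction="SUPPRESS",
    )
    # 2. Set a permanent password so the account is CONFIRMED rather than FORCE_CHANGE_PASSWORD.
    client.admin_set_user_password(
        UserPoolId=user_pool_id, Username=username, Password=password, Permanent=True
    )
    # 3. Mark only the contact methods that were actually verified out of band.
    flags: List[Dict[str, str]] = []
    if verified.get("email"):
        flags.append({"Name": "email_verified", "Value": "true"})
    if verified.get("phone_number"):
        flags.append({"Name": "phone_number_verified", "Value": "true"})
    if flags:
        client.admin_update_user_attributes(
            UserPoolId=user_pool_id, Username=username, UserAttributes=flags
        )
    return [f["Name"] for f in flags]
```

The caller that runs this should itself hold the IAM permissions for the three admin actions; end-user code never gets them, which is the point of doing the verification server-side.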

Username and Password for LDAP Authentication

A client asked us if we support LDAP authentication for single sign-on (SSO). I Googled around and learnt a bit about LDAP.
However, I don't understand whether I should run the bind operation with some credentials that will be given to me as the app and then look for the user that tried to log in, or whether I should call bind with the credentials the user attempts to log in with through our app and, as long as the credentials are valid, consider the user logged in.
Thank you.
It's done in three steps:
1. Bind as an administrative user that has enough permission to search the directory.
2. Search the directory for the user. This is necessary because the user won't be providing his entire DN: he will be providing something else unique about himself, such as his email address, a 'screen name'/moniker/alias, etc.
3. Bind as that user using the password credential supplied.
If any of this fails, including (2), it's a login failure, and note that you don't tell the user which step failed: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar for both. Otherwise you're leaking information to an attacker.
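As an added example (not the answerer's code), the three steps in Python against a minimal directory interface: a service-account bind, a search that escapes the user-supplied value per RFC 4515 so it cannot rewrite the filter, and a bind as the found DN. It also handles two failure modes the steps imply but do not spell out: an ambiguous search (more than one match) is treated as a failure, and an empty password is refused before the bind, because LDAP treats a bind with a DN and no password as an unauthenticated bind that many servers accept. The `Directory` protocol is an assumption of this example (a real ldap3 Connection offers equivalent bind and search calls); InMemoryDirectory and all DNs, addresses and passwords are constructed demo data.

```python
import re
from typing import Dict, List, Protocol


class Directory(Protocol):
    """The two operations the flow needs; in production back this with an LDAP client."""
    def bind(self, dn: str, password: str) -> bool: ...
    def search(self, base_dn: str, ldap_filter: str) -> List[str]: ...


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: * ( ) \\ and NUL in a login name must not alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


class InMemoryDirectory:
    """Constructed stand-in for an LDAP server so the example runs offline."""

    def __init__(self, entries: Dict[str, Dict[str, str]]) -> None:
        self.entries = entries  # dn -> {"mail": ..., "userPassword": ...}

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and password == entry["userPassword"]

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        # Only understands the "(mail=<escaped value>)" clause this example generates.
        m = re.search(r"\(mail=([^)]*)\)", ldap_filter)
        wanted = m.group(1) if m else None
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and escape_filter_value(e["mail"]) == wanted]


def authenticate(directory: Directory, service_dn: str, service_password: str,
                 base_dn: str, login_name: str, user_password: str) -> bool:
    """Search-then-bind. Returns True only when exactly one user matched and their bind succeeded."""
    # Step 1: bind as the service account. Failure here is a configuration problem,
    # not a user error, so it is the one case that is not folded into "invalid credentials".
    if not directory.bind(service_dn, service_password):
        raise RuntimeError("service account bind failed")
    # Step 2: resolve what the user typed (here their mail address) to a DN.
    flt = f"(&(objectClass=person)(mail={escape_filter_value(login_name)}))"
    matches = directory.search(base_dn, flt)
    if len(matches) != 1:        # unknown or ambiguous: same generic failure either way
        return False
    # Step 3: bind as that user. Refuse an empty password explicitly, since an
    # unauthenticated bind would otherwise "succeed" on many servers.
    if not user_password:
        return False
    return directory.bind(matches[0], user_password)


# Constructed demo directory: a service account, one user, and two entries sharing a mail
# address to exercise the ambiguous-match path.
SERVICE_DN = "cn=svc-auth,ou=services,dc=example,dc=com"
SERVICE_PASSWORD = "svc-demo-secret"
BASE_DN = "dc=example,dc=com"
DEMO_DIRECTORY = InMemoryDirectory({
    SERVICE_DN: {"mail": "svc@example.com", "userPassword": SERVICE_PASSWORD},
    "uid=alice,ou=people,dc=example,dc=com": {"mail": "alice@example.com", "userPassword": "alice-pw"},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": "dup@example.com", "userPassword": "bob-pw"},
    "uid=bob2,ou=people,dc=example,dc=com": {"mail": "dup@example.com", "userPassword": "bob2-pw"},
})
```

Whatever `authenticate` returns, the message shown to the user is the same generic "invalid credentials"; the distinct reasons are for your server-side logs only.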