Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - [https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After successful logout, which seems to be happening properly as the UnAuthenticated template executes after login. When the user presses login again, it does not ask for any credentials, and user is signed in again which is a security issue. I am not sure what am I missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution
Flow:
Before First login - Session Storage and Cookies are empty,
After login - Session Storage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf
After logout - Both are cleared with no values
Click login again, values from step 2 come back in. But if you don't click login and try different app routes, it shows Unauthenticated template which has login button. So seems like user was correctly logged out
A few questions and helpful information
Is azure ad B2C considered as social sign in (federated entity) or is it considered a local account like Azure AD
I have read here that it does not assume logout from social IDP but I am not using anything other than B2C. In this GitHub, it also mentioned it is expected behaviour but how do I logout properly so that user is asked for credentials again. [https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
After pressing logout, if user is signed out from B2C as the app executes Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials.
Please guide me to solve this issue
Related
I have an expo (react-native) app and use the expo-local-authentication library to authenticate users to the app.
My current flow looks like this:
At first login, when the user logs into the app or signs up, I store the username and password in expo-secure-store.
Once the user session expires, and the user clicks the button that says "Login with Biometrics", I look into the secure store and see if there is a previously stored credential (username and password), then I authenticate the user with those credentials, and get the authentication token. The authentication token is then used to call other endpoints.
One user reported the following issue with this:
User A logs into the app for the first time. Their username and password (usernameOfA, passwordOfA) gets stored in the secure store.
The next time User A logs into the app with biometrics, we use their stored credential to log in, which works as expected.
Let's say, User B logs into the app from the same device as User A. Now, the username and password (usernameOfB, passwordOfB) gets stored in the secure store and replaces the credential of User A.
User B does their thing and logs out of the app. But here our secure store still has the credential of User B.
When User A comes back and logs in to the app with their biometrics, because credential of User B is still stored in our secure store, the account of User B gets logged in, instead of User A.
PS.
We could remove the username and password of user from the secure store when the user logs out of the app, but we want users to be able to login again with biometrics even after they logout of the app.
Also, we logout user everytime they close the app, so if we remove the credential on every logout we wouldn't be able to login user with biometrics the next time.
I seem to have not understood the flow of implementing biometrics. What other information should I include to distinguish the correct user is logging in to the app? Or is there a different way to authenticate users with biometrics? I am looking to understand more about the flow and would appreciate any recommendations or resources. Thank you.
I am not able to find proper documentation on how to get started with the scenarios below:
Forgot password. I have setup the reset password policy in Azure AD B2C and the user can click Forgot Password which redirects the user to a controller action in my app. But I'm not really sure what to do from here.
Reset password from user profile in my app. In my app, I would like the user to be able to click "Reset Password" which would redirect the user to having their password reset.
For both of the scenarios above, I would like Azure AD B2C to handle the password reset by asking the user for their email and then emailing them the password reset link and then handling the password reset appropriately. How can I do this?
There are two use cases for password reset:
If you click on the link in the signup / signin page, you get the error code AADB2C90118 which is returned to your application. Your application then needs to run a specific user flow that resets the password. Refer a simple ASP.NET sample that demonstrates the linking of the user flows.
If the user has already signed in, you can simply provide a link. This link invokes the password reset policy that is configured on the B2C side.
I have a React Native app that uses Okta's hosted login page to authenticate.
When a user successfully authenticates for the first time through the PKCE flow, on every other login afterwards, they get automatically logged in as the same user.
I've used additionalParameters: { prompt: 'login' }, but it only asks for you to re enter your password and if you click signout, it brings you to a Citrix page that doesn't change anything about the flow - they still get logged back in as the same user after the fact.
I've tried using both the revoke and logout endpoints which actually changes the cookies a bit, but doesn't affect the flow same goes with restarting the app.
The only way is to clear hardware settings in xcode.
This may not even be an Okta specific issue, perhaps a general OIDC issue.
How does the hosted login page store and know you've previously logged in and how can that be fixed?
Problem:
I am using Aws Cognito using google as external federated identity for auth of my application:
problem is it logs me in with the last user when having only one signed in google account. Basically it seem its simply not able to logout the user completely.
Heres what is happening :
I am logged into google with e.g user a#gmail.com
I login into cognito via the external federated identity use the above email and login. All iz well.
I now logout and want to login into cognito using 'b#gmail.com', now say I created the account using another browser and never used the current browser, so browser does not know about this.(In short I am logged into just one gmail account in this browser.)
When I try to signin I am shown the option to 'Signin with Google' but it never presents me the account selection screen and directly logs me in.
I am using the screen cognito shows at https://mydomain.auth.auth.us-east-1.amazoncognito.com/login
Using Prompt:
I see that google itself has a way to force the user to select an account using the 'prompt' : select_account option. But I see no way to specify this anywhere in cognito.
Question :
- Anyone have any fix / workaround to above problem? I need a way to 'always' show the account selection so that he can choose or use a different account.
Did you try the logout endpoint from cognito ?
- Yes, This is happening even after I send the user to the logout endpoint of cognito, which is probably supposed to logout the user.
I'm using Google OAUTH2 for my website. I can successfully login using the google authentication.
Here is what I want to do is:
1) user goes to website homepage and user signs in by clicking "sign in with google" and login is successful and user is taken to logged user dashboard page.
2) user comes back after half hour, user goes to home page and they should get automatically redirected to logged in user dashboard instead of homepage since they already have a valid session.
question - how can you detect if the user is already logged in? Should I be storing the access_token in the session to detect this? what's the recommended way to acheive this with Google OAUTH2?
Yes, you can store the access token in the session, but keep in mind that it could be expired. You should be able to get a new one with an immediate request.
You could also try and do session synchronization from JavaScript, if your site does not have its own session management:
https://developers.google.com/+/web/api/javascript#gapiauthchecksessionstatesessionparams_callback