I want to use Shopify for our commerce solution but to build out a custom admin/user settings system. The key hurdle I'm dealing with is users and authentication. Let's assume my site is a.com and my admin system is my.a.com on a different host. I want the user to be able to log in to both the Shopify site and their custom admin/user page using the same username and password (effectively SSO but without a third-party service).
Constraints:
I don't want to build a custom application as I foresee us ultimately going fully custom at some point down the road
Just in case someone asks, yes the admin/user settings page is complex/unique enough that it warrants a custom solution to provide a good user experience.
Possible Solution 1
Have accounts created on the custom admin site and use the Create Customer API to keep the two databases in sync.
Questions:
How do I handle the email validation coming from Shopify (the customer should be oblivious to Shopify as it's an implementation detail)
Possible Solution 2
Have all accounts created via Shopify and the admin site and create an associated on on the admin site.
Questions:
How do I handle authentication for a specific user across origins. The only OAuth scenarios I seem to be able to track down are at the app level not per user.
I greatly appreciate any insights you all may have. Thank you.
Related
The "Two Factor" requirement is configured per user. If we have multiple applications, how do we achieve that
for application A (e.g. a webapp) 2FA is required
but for application B (e.g. a native app), for the same user, 2FA is not required (never, not even for the first time it is used)?
I'm aware of the trustComputer attribute but I don't think it helps for this problem.
Two Factor is at the User level in FusionAuth. This is by design since if the user has selected to protect their account, then they should be forced to provide their additional factor regardless of the Application they are logging into.
There isn't currently a way to change this behavior and we would need to understand the use case in detail as well as any security issues with allowing specific Applications to bypass two-factor authentication.
You can open a feature request on the FusionAuth GitHub issue tracker here: https://github.com/FusionAuth/fusionauth-issues if you want. Please provide as much detail about the use case and why some Applications allow two-factor while others don't. This will help the FusionAuth team assess the implications of adding this feature.
Planning on creating a Google Assistant Application that allows our customers to access business data. The problem I am having is understanding how a given user would link his account to his "instance" of our multi-tenant solution. I think the deeper problem is know which Tenant URL to associate with a particular account. I know I can implement the Accounting linking using Oauth, I have just yet to see how this could work with a single Assistant App accessing multiple tenants depending upon account.
You can get additional info from the user, by asking him, and save that in your context, and then you can request for a sign in. this way, during the sign in process, you can use the context to sign in the user into the proper tenant
Suppose I started with an ASP.NET5 MVC6 webapp based on a default Visual Studio 2015 web application template with individual user accounts and Google+ (FB, LI) authentication enabled.
Then I created two signup pages, one for consumer users and one for professionals. I want the application to create consumer user accounts if users came from consumer signup page. And I want the app to create professional user accounts if users came from the professional signup page.
What should I do to customize the default solution?
pass role parameter to /Accounts/ExternalLogin, then somehow preserve it through OAuth process and fix user creation logic?
same but use cookies to pass role info?
or maybe have 2 copies of external login infrastructure - each responsible for its own account type?
Isn't is a common problem - how to pass additional information to the code responsible for account creation?
What should I do to customize the default solution?
Quite good explanation with examples:
ASP.NET 5 Documentation -> Authorization
I want ... create consumer user accounts ... and ... create professional user accounts...
In my opinion you can use (create) one account type for all (in common Db) and then during registration process you can assign additional properties to this account. You can use Roles or Claims, so this allows you to personalise user experience depends on 'account type' (using Authorisation).
If you just want have only customer/professional accounts, probably Role-Based Authorisation will be simpler to use, however Claims-Based Authorisation is little bit more elastic and will be beneficial in the future.
I'm just about finished with a solution built with ASP.NET MVC. Apart from a few bits and pieces, I only have security to do. I was wondering if there is some sort of starter code somewhere which I can build into my application (or build my current files into) which will do the following:
Subscription page for tenants (think they are called tenants, see note below), which will assign a administrator to the account.
A way to invite others to join and work on the tenant's data.
User groups and roles to limit what each of these other users can see/do.
Standard Login/forgot password pages
It doesn't need to handle billing, but if it does, it's an added bonus
My understanding of a tenant here is a person that signs up and then invite others to access their data. It is also be called vendor sometimes.
I'm sure there must be something out the box, because the above are features of most SaaS apps nowadays. I'm aware that I will need to add clauses to all existing queries to ensure that tenants don't see each other's data.
Any solutions that anyhow know of? Please let me know. Thank you
I am looking for a way for my users to be able to login to both of my Joomla sites (one running 1.5 and the other 1.6) using the same credentials. For example, if a user registers to my Joomla1.5 portal, when they use that same info for my Joomla1.6, they get logged in without having to re-register and vice versa.
I guess an authentication plugin would be the best solution in combination with a XML-RPC service? Joomla1.5 site's plugin is triggered which "communicates" with the Joomla1.6 site where the user is already registered, if the credentials check out, a new user is created and the user automatically gets logged in.
Thanks in advance for any ideas/help.
You are trying to do two very different things that will require two very different plugins. First, you need a bridge to handle user table synchronization. You not only have to create a user for each site, you have to sync everything about both accounts each time anything changes. This would include changing email address, password, or even user name plus any other related data such as the use groups that the user belongs to. A good place to start would be jFusion, which is designed to bridge Joomla with other software packages but can certainly be modified to bridge Joomla sites. JFusion also has the added advantage of creating user sessions for each connected software package for a single unified login, which would be the second piece of the puzzle you would need to solve once you get the users sorted out.
http://www.jfusion.org/