Signed up and hit remember me - Avoid asking user which account from list in Google OAuth and instead auto sign in to the specific remembered email - google-oauth

I set up an account creation page with a remember me and a jwt token verification via WorkOS. There is no password creation and just this verification (plan to add in password later if needed as the country uses OTP more than passwords)
A new user creates an account and selects remember me (using JavaScript).
The next time I sign in, I have my account populated like a*****@gmail.com.
A lot of websites I have seen have it so that when you click on this email, it goes to the full list of all gmails and you have to select that email again.
I’ve seen this remember me automatically sign in only if the user saves a password (like Facebook - see other profile accounts in sign in and you click and go in directly). But above mentioned this country doesn’t prefer passwords as much as OTP. I don’t have a password yet and really looking to avoid adding it in unless it is absolutely necessary to do this.
My goal: I don’t want to see this full screen of all gmail accounts in Google OAuth, also referred to in the documentation as the Account picker. I just want it to automatically sign in to the specific remembered account selected, assuming I have that gmail password saved. If the user doesn’t have the gmail password saved, then they will be directed to that specific email's sign-in screen.
How do I bypass this full list of gmail accounts and manual selection and just automatically sign in to my remembered email account?
I’ve looked at older answers on here but nothing seems to fully handle this. I’m wondering if this will help me achieve this.
https://developers.google.com/identity/gsi/web/guides/automatic-sign-in-sign-out
I’ve tried just having the email remembered and then they click on it and it asks do you want to sign in via gmail or magic link? That works and is better than not providing the remember me at all, but it’s only half way.
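The flow the question is after can be expressed directly in the authorization request. The following is an added example, not code from the question or from Google: it builds a Google OAuth 2.0 authorization URL that carries the remembered address in the standard `login_hint` parameter (Google documents this as either prefilling the sign-in form or selecting the matching multi-login session, which is exactly "skip the picker for this account, otherwise show that account's sign-in page"), falls back to `prompt=select_account` when nothing is remembered, and on the way back binds the session to the verified ID token rather than to the hint. The client ID, redirect URI, and sample address are constructed placeholders; `maskEmail` just produces the a*****@gmail.com display form.

```javascript
// Added example (not from the question or from Google's own library code).
// Google's OAuth 2.0 endpoint and the login_hint / prompt parameters are real;
// the client ID, redirect URI and e-mail values below are constructed placeholders.
const GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';

// Build the authorization request. With a remembered address we pass login_hint so
// Google targets that account; without one we ask for the account picker explicitly.
function buildGoogleAuthUrl({ clientId, redirectUri, state, nonce, loginHint }) {
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  const p = url.searchParams;
  p.set('client_id', clientId);
  p.set('redirect_uri', redirectUri);
  p.set('response_type', 'code');
  p.set('scope', 'openid email profile');
  p.set('state', state); // CSRF binding: must be compared on the callback
  p.set('nonce', nonce); // echoed inside the ID token: must be compared on the callback
  if (loginHint) {
    p.set('login_hint', loginHint);
  } else {
    p.set('prompt', 'select_account');
  }
  return url.toString();
}

// Display form for the remembered account. A fixed number of stars is used so the
// masked string does not reveal the length of the local part.
function maskEmail(email) {
  const at = email.indexOf('@');
  if (at < 1) throw new Error('invalid e-mail address');
  return email[0] + '*****' + email.slice(at);
}

// On the callback: login_hint is only a URL parameter, so anyone can change it.
// The session is therefore derived from the verified ID token claims (the caller has
// already checked signature, issuer, audience, expiry and nonce), and we only record
// whether the account Google returned is the one we remembered.
function sessionEmailFromToken(claims, loginHint) {
  if (typeof claims.email !== 'string' || claims.email_verified !== true) {
    throw new Error('ID token does not carry a Google-verified e-mail address');
  }
  const matchedHint = !loginHint || claims.email.toLowerCase() === loginHint.toLowerCase();
  return { email: claims.email, matchedHint };
}
```

If the button/One Tap flow from the linked GSI guide is used instead of a redirect, the equivalent knobs are the `login_hint` and `auto_select` fields passed to `google.accounts.id.initialize`; the token-side check at the end stays the same either way, because the hint is advisory and the ID token is what proves which account signed in.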

Related

Signing in with Google using an existing account - The correct way

Our website allows users to create a new account using a registration page where we collect username, email, passwords, avatar, etc. The users activate their account and then login and browse, buy, comment, etc like normal.
We recently added the Login with Google button to our site as an additional option. Currently the system does the following:
1. Get a post request from Google
2. Verify the signature on the JWT and prepare the credentials
3. Do some security checks on the request
4. Check if the email exists with an existing user in our system - if it does, authorize them and login
5. If the email and sub don't exist, create a new account and load the data from Google's credential POST to make a new account
The conflict here is whether or not we should be doing step 4 on existing accounts that were not created using Google or if those accounts should be converted to Google only accounts when they login.
For example,
I register with john@gmail.com as my account name with a password created on the register page. One day, I accidentally, or on purpose, click Sign in with Google. The system sees my email from the oauth login and finds my account already in the system.
Should it:
1. Log me into the account without checking password, since it's already my Google account, and keep everything else the same.
2. Give me an error that my email is already in use on another account and abort the login process.
3. Convert the account to a Google only sign-in and remove the password to prevent me from logging in without using Google in the future.
4. Update the account with the Google sub id but keep the password option and allow them to reset their website password independently from Google should they wish to "unlink" their Google account in the future.
I believe step 4 would be the most logical, but as we have not implemented this before we want to follow the standard that most other developers would use - or maybe there's an even better way.
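The decision the question describes can be written as one function over the verified credential and the existing user record. The block below is an added example, not code from the question or from Google: it implements option 4 (link the Google `sub`, keep the password) on top of the five steps listed, with two safeguards that the listed steps do not spell out: the incoming credential must carry `email_verified: true` before any matching by e-mail happens, and linking to a password account whose own e-mail was never verified is deferred until the user re-authenticates with the site password, which prevents someone who pre-registered a local account under another person's address from capturing that person's later Google sign-in. Matching is done by `sub` before e-mail because `sub` is the stable identifier. The user store, ids and `sub` values are constructed.

```javascript
// Added example (not the question's own system). Constructed in-memory user store,
// keyed by lower-cased e-mail: { id, email, emailVerified, passwordHash, googleSub }.
const users = new Map([
  ['john@gmail.com', { id: 1, email: 'john@gmail.com', emailVerified: false, passwordHash: 'hash-john', googleSub: null }],
  ['mary@gmail.com', { id: 2, email: 'mary@gmail.com', emailVerified: true, passwordHash: null, googleSub: 'sub-mary' }],
]);

// claims is the ID token payload after signature/issuer/audience/expiry checks (steps 2-3).
// reauthenticated is true when the user has just re-entered the site password.
function resolveGoogleSignIn(store, claims, { reauthenticated = false } = {}) {
  if (typeof claims.email !== 'string' || claims.email_verified !== true) {
    return { action: 'reject', reason: 'unverified_email' }; // never match on an unverified address
  }
  const email = claims.email.toLowerCase();

  // Already linked: the stable identifier wins, regardless of the current e-mail claim.
  for (const u of store.values()) {
    if (u.googleSub === claims.sub) return { action: 'login', userId: u.id };
  }

  const existing = store.get(email);
  if (!existing) {
    // Step 5: brand new user, created from the Google credential.
    const user = { id: store.size + 1, email, emailVerified: true, passwordHash: null, googleSub: claims.sub };
    store.set(email, user);
    return { action: 'create', userId: user.id };
  }
  if (existing.googleSub && existing.googleSub !== claims.sub) {
    return { action: 'reject', reason: 'email_linked_to_other_google_account' };
  }

  // Step 4 / option 4: existing local account, not yet linked. If the local address was
  // never verified, require the site password once before trusting the local record.
  if (existing.passwordHash && !existing.emailVerified && !reauthenticated) {
    return { action: 'require_reauth', userId: existing.id };
  }
  existing.googleSub = claims.sub;   // link; the password stays so the user can unlink later
  existing.emailVerified = true;     // Google has now vouched for the address
  return { action: 'link_and_login', userId: existing.id };
}
```

The `require_reauth` branch is the only place the two worlds meet, so it is also the natural place to log a "Google account linked" security event for the user.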

Why separate the one time password of 2FA as another step?

Many websites now support 2FA and many of them ask users to use an app for the OTP. From the tool I use, like 1Password, it seems the OTP is updating all the time regardless of whether I have logged in to the website or not. My question is, since the OTP is always there, why is it split into a standalone step to enter the code instead of asking users to enter it along with the username and password?

Account selection is not presented when using gapi.auth.signin

Our application is using gapi.auth.signin for authentication. The problem is that the account selection drop-down list is not presented when the user is logged into multiple accounts. Currently, to overcome this the app sets approvalprompt = force, cookiepolicy = url/single_host_origin. Obviously, this is not very efficient.
Is it possible to display multi-user selection drop down list when using gapi.auth.signin?
Shall gapi.auth.authorize be used instead? (Related question)
Thank you.
Google+ Sign-In uses a mechanism that detects when a user has already authorized a Google account. In order to prompt the user to sign in and not automatically sign the user in, you can call gapi.auth.signout from the JavaScript client as demonstrated here:
http://wheresgus.com/signindemo
However, on Sign in, the currently active Google account will be automatically signed in. Please comment on the Google+ issue tracker; this might be a bug.

Why is the User verification required?

I am very curious to know some points regarding registration and login from a developer's point of view. Please see below the steps for any online account which is publicly open for all:
1. CREATE USER ACCOUNT: insert the data entered by the user along with a column 'activate' whose default value is 0
2. SEND A LINK TO ACTIVATE: a link is sent to the user's email at the time of registration
3. ACTIVATE THE ACCOUNT: the user clicks on the link, the link is verified, and the column 'activate' is updated with the value 1
Why is sending a link and verifying it necessary? I supposed that it is not utmost required. I asked clients why they want such verification and I get almost the same answer, e.g. checking the authenticity of the user, and that it would be helpful to stop duplicate users.
But practically, at the time of user login, I suppose it is useless to verify the activate column along with the password each time for every user.
I would appreciate it if you could explain the points which are very important regarding my concern.
This is really a slippery slope, but there are reasons. Obviously spam users will try to create accounts as quickly as possible, for spam reasons. Email and captcha verification will handle this.
Another is the issue of clumsy or accident-prone users that will forget their passwords, which can be worked around by email reminders/resets. Sadly, users may try to add fake email addresses (or mistyped ones) and lose access to their accounts, requiring admin intervention. Simple verification can force users to get their account into a self-rescuable state before adding any data.

Verifying card security code for returning customer

Is there a way to re-validate a card using the card security code? I'd like to offer users to login with Facebook or to remember their login otherwise and I want to add an additional step during checkout to verify that the user is in possession of the credit card. I think some websites ask for the CSC again during checkout.
I could also ask for the user's password again, but I don't think that can work if the user logged in with Facebook.
Any suggestions around this?
Alright, so it seems as if this kind of verification is not currently possible with Balanced. There is no API method to re-validate a card. Here are the solutions I came up with, just in case someone else has a similar problem:
1. Using a different piece of information to verify the user (card expiration date, etc). But that doesn't seem very common and would probably scare away some users.
2. Indeed forcing the user to enter the password again. No problem if the user uses a site-local login. In case the user is logged in using Facebook, there seems to be a way to force a re-authentication: https://developers.facebook.com/docs/howtos/login/server-side-re-auth/