Suppose that a user is signed in with Facebook or Google using Firebase auth. What does it mean to change user password since there is no password to change in the first place?
I appreciate any help.
Thanks
A Firebase Authentication account can have an associated password, no matter what provider the user initially signed in with.
Calling Firebase's updatePassword API sets that password. If the user was signed in with another provider, the password on that provider will not be changed by calling Firebase's updatePassword API.
Related
I am developping a vue application protected by keycloak using keycloak-js.
I have a requirement that each user have an account page in my app to change their password.
.
However it seems that keycloak has no endpoint to check old password.
How can i achieve this ?
I am wondering if this is the appropriate way to do with keycloak or not ...
I already tried the update password action that send an email with magic link to the user so they can change their password. However it is not compliant with owasp recommendation that advise to force user to type their old password each time.
An alternative approach is for you to create a Keycloak client with Direct Access Grants enabled (i.e., Resource Owner Password Credentials Grant in OAuth2 terminology).
Then you can use the token endpoint and exchange the username and password for an access token. If the password is correct you get a token, otherwise it fails. Consequently, you can use this to infer if the user has inserted the old password.
In this GitHub repo you can see an example of how the call to the aforementioned endpoint would look like.
I am currently using Auth0 to allow users to log in to an application. I am building it using the embedded approach. I see in the Auth0 documentation that they support passwordless login for SMS and email but I am not sure if that is the correct approach to use for a one time code when a user forgets their password?
Has anyone developed a forgot password and reset through embedded with Auth0? What approach did you use? Is passwordless strictly for logging in?
Important - this is not the universal login approach.
Thanks.
There are multiple ways in Auth0 that user can be authenticated. Those are categorized under the Connections in Auth0. Passwordless is one way of doing so. In this approach there is no password involved in. Which means, there can’t be a use-case, where the user forget his password for your application. (What can happen is that user forget his password for his email account or user would no longer have access to mobile phone, where he receive the SMS from Auth0 for authentication.) So passwordless is not for reset user password. It is just for Authenticate the user.
If you provide an option to login with Username and Password you can use Database connection type in Auth0. In this approach, there is a use-case where, user forget his password for your app.
In that case your application should provide the forget password option. In Universal Login, it has built in support for this. However, as you don’t use Universal Login, you may have to implement that by yourself.There are couple of methods which are explained in Auth0 Documentation. One options would be to use change_password endpoint in Authentication APIs. This will send an reset password email to user. Then user can use the link given in that email to reset his password. There is another option, where you can generate a password reset ticket in Auth0 using the password reset ticket endpoint. Hope you can use one of them for your requirement.
I am developing a Xamarin forms application. The app is for company owners in which they can see the employee timesheets.The app can be accessed by userid and password which will authenticate via API.Iam intend to save the user credentials in app and provide a logout facility when they want.
My questions are
1. How can I securely store user credentials in xamarin forms , in which nobody should get the credentials by decompiling the app.
2. How can I securely pass the credentials via API and authenticate (I heard about base auth, OAuth) it with server.
3.If someone gets my user credentials and URL to post, but he should not get the
data.How can it be implemented?
Show me some guidance and links. Thanks in advance !
This question has nothing to do with Xamarin.Forms, it is more about general architecture and security considerations.
You should not store user credentials but an authentication token that will be returned from the API in case of a successful user authentication. This token should have a limited lifetime - depends on the business needs.
HTTPS
Since you will not store sensitive data like user login and password on the phone, the risks of someone obtaining those will be slightly minimised. In any case you could invalidate the token if a malicious behavior will be detected and force the user to change the password.
For storing the authentication token securely on the device you could use Xamarin.Essentials
I have a web application built using React that has an existing User/Session system. Right now, username and password are passed to server to authenticate and create session.
Enter Facebook Login (web). I want to allow for both username/password and also Facebook Login. So, now Facebook Dialog box appears and users can connect. I now receive the Facebook User Id and access token (short-life) on the client side (not the server side). How, now do I authenticate this user on my existing system and create a session?
If I use just the user id, this reveals a security issue (anyone can authenticate with a known user id and get a hijacked session). The short-lived access token is just that, short-lived. So that can't be used as an effective "password". So, what is the best way to securely authenticate someone on my existing login system if they've authenticated themselves via Facebook.
Thanks so much.
Found another user with the same issue here. It was resolved by the following:
The Facebook login request returns user id + short lived access token (client side).
Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).
You can trust the user_id field returned from the Facebook API to check against your existing user database.
With SSO enabled, each user's password is managed by the company AD server. Applications usually do not have password information. To make a DocuSign API call, username, password and IngratorKey are required. How do I make API call from the applications without the password?
If your account is SSO enabled and you want to use the API. You will want to exempt one of your user's from SSO, to generate a password. API calls authenticate from this user and use Send on Behalf of for the other user's on the account that do not have passwords.