Using SMS authentication, the userCredential information returned by Google is:
UserCredential(additionalUserInfo: AdditionalUserInfo(isNewUser: false, profile: null, providerId: phone, username: null), credential: null, user: User(displayName: null, email: null, emailVerified: false, isAnonymous: false, metadata: UserMetadata(creationTime: 2021-12-30 12:22:29.000, lastSignInTime: 2022-01-18 09:01:18.000), phoneNumber: , photoURL: null, providerData, [UserInfo(displayName: null, email: null, phoneNumber: , photoURL: null, providerId: phone, uid: )],
What will I need to do to get some userinfo from Google (assuming that user has a Google account with that phone number)?
When a user signs in to Firebase with the phone number provider, Firebase does not make any connection to any potential Google account with that same phone number.
If you need that information, consider signing in to Google itself with the phone number, and then using the resulting credentials from Google to sign into Firebase.
Related
Requirement:
Below code is having 2 functions. 1st verify the username and password of user and if it is true it trigger OTP in SMS(Default behavior of AWS as 2 factor authentication is enabled). But we do not want OTP in SMS. We want OTP in Email with custom template, so implemented 2nd function with AuthFlow: 'CUSTOM_AUTH'(and 2nd method works as expected).
We do not want OTP to be triggered in SMS(But also can not disable 2 factor auth because it is used in other use cases). Also, only need solution using aws-sdk. There are ways using amplify and other library but it is not useful in case of App client secret is there.
//verify username,password and send code in sms
response0 = await cognitoIdentityServiceProvider.adminInitiateAuth({
AuthFlow: 'ADMIN_NO_SRP_AUTH',
ClientId: tenant.cognitoClientId,
UserPoolId: tenant.cognitoUserPool,
AuthParameters: {
SECRET_HASH: crypto.createHmac('SHA256', tenant.cognitoClientSecret).update(username + tenant.cognitoClientId).digest('base64'),
USERNAME: username,
PASSWORD: password
}
}).promise();
// send code to email using custom auth flow
response1 = await cognitoIdentityServiceProvider.adminInitiateAuth({
AuthFlow: 'CUSTOM_AUTH',
ClientId: tenant.cognitoClientId,
UserPoolId: tenant.cognitoUserPool,
AuthParameters: {
SECRET_HASH: crypto.createHmac('SHA256', tenant.cognitoClientSecret).update(username + tenant.cognitoClientId).digest('base64'),
USERNAME: username,
PASSWORD: tenantId + secrets.PASSWORD_SECRET
}
}).promise();
Need solution where we can check username password using AuthFlow: 'CUSTOM_AUTH'(Can change lambda triggers) or any other way where OTP should not be triggered and able to check username and password correctly.
It’s not easy to understand this API … phone number field …
The documentation says it's optional
phone_number string (optional)
The user’s phone number (following the E.164 recommendation), only valid for users from SMS connections.
my tries:
#1 request
{
"email": "adriana.will#yahoo.com",
"phone_number": "",
...
"connection": "Username-Password-Authentication",
...
}
Response
Payload validation error: 'String does not match pattern ^\\+[0-9]{1,15}$: ' on property phone_number (The user's phone number (following the E.164 recommendation), only valid for users from SMS connections).
#2 request (without phone_number)
{
"email": "adriana.will#yahoo.com",
"connection": "Username-Password-Authentication",
...
}
Response
Payload validation error: 'Expected type string but found type null' on property phone_number (The user's phone number (following the E.164 recommendation), only valid for users from SMS connections)
#3 request
{
"email": "adriana.will#yahoo.com",
"phone_number": "+113407178302",
...
"connection": "Username-Password-Authentication",
...
}
Response
phone_number is not allowed
Anyone please ? What should I put ?
this does the magic
{
"email":"test#test.com",
"connection":"Username-Password-Authentication",
"password":"password"
}
I have a sign-up page that uses email and password.
I store the email and (salted, hashed) password in the database.
I'm now adding Google OAuth to my sign-up page.
For the main advantage being that user now shouldn't have to pick a password.
When the user authenticates and I receive the user's Google profile, what exactly do use now as their "password"? The profile object looks like this:
{
Ca: '123456789...',
wc: {
token_type: 'Bearer',
access_token: 'abc.123.ABCabc..........',
scope: 'email profile ...',
login_hint: '...',
expires_in: 3599,
id_token: '......',
session_state: { ... },
first_issued_at: ...,
expires_at: ...,
...
},
googleId: ...,
tokenObj: { ... },
profileObj: { googleId: ..., name: ..., },
}
I was inclined to use "access_token" or "id_token" as password but then there's "expires_at" field that suggests they might change over time and be of no use in future login attempts.
Would they? If so, what else should I choose as the user's password that won't change and allow to me authenticate them every time they login via Google OAuth?
I'm using Cognito user pools to authenticate my web application. I've got it all working right now but now I need to enable MFA for it. This is how I do it right now (all the code provided are server-side code):
Signing up the user:
const cognito = new AWS.CognitoIdentityServiceProvider();
cognito.signUp({
ClientId,
Username: email,
Password,
}).promise();
An email is sent to the user's address (mentioned as username in the previous function call) with a code inside.
The user reads the code and provides the code to the next function call:
cognito.confirmSignUp({
ClientId,
ConfirmationCode,
Username: email,
ForceAliasCreation: false,
}).promise();
The user logs in:
const tokens = await cognito.adminInitiateAuth({
AuthFlow: 'ADMIN_NO_SRP_AUTH',
ClientId,
UserPoolId,
AuthParameters: {
'USERNAME': email,
'PASSWORD': password,
},
}).promise();
I'm pretty happy with this process. But now I need to add the TOTP MFA functionality to this. Can someone tell me how these steps will be changed if I want to do so? BTW, I know that TOTP MFA needs to be enabled for the user pool while creating it. I'm just asking about how it affects my sign-up/log-in process.
Alright, I found a way to do this myself. I must say, I couldn't find any documentation on this so, use it at your own risk!
Of course, this process assumes you have a user pool with MFA enabled (I used the TOTP MFA).
Signing up the user:
const cognito = new AWS.CognitoIdentityServiceProvider();
cognito.signUp({
ClientId,
Username: email,
Password,
}).promise();
An email is sent to the user's address (mentioned as username in the previous function call) with a code inside.
The user reads the code and provides the code to the next function call:
cognito.confirmSignUp({
ClientId,
ConfirmationCode: code,
Username: email,
ForceAliasCreation: false,
}).promise();
The first log in:
await cognito.adminInitiateAuth({
AuthFlow: 'ADMIN_NO_SRP_AUTH',
ClientId,
UserPoolId,
AuthParameters: {
'USERNAME': email,
'PASSWORD': password,
},
}).promise();
At this point, the return value will be different (compared to what you'll get if the MFA is not enforced). The return value will be something like:
{
"ChallengeName": "MFA_SETUP",
"Session": "...",
"ChallengeParameters": {
"MFAS_CAN_SETUP": "[\"SOFTWARE_TOKEN_MFA\"]",
"USER_ID_FOR_SRP": "..."
}
}
The returned object is saying that the user needs to follow the MFA_SETUP challenge before they can log in (this happens once per user registration).
Enable the TOTP MFA for the user:
cognito.associateSoftwareToken({
Session,
}).promise();
The previous call is needed because there are two options and by issuing the given call, you are telling Cognito that you want your user to enable TOTP MFA (instead of SMS MFA). The Session input is the one return by the previous function call. Now, this time it will return this value:
{
"SecretCode": "...",
"Session": "..."
}
The user must take the given SecretCode and enter it into an app like "Google Authenticator". Once added, the app will start showing a 6 digit number which is refreshed every minute.
Verify the authenticator app:
cognito.verifySoftwareToken({
UserCode: '123456',
Session,
}).promise()
The Session input will be the string returned in step 5 and UserCode is the 6 digits shown on the authenticator app at the moment. If this is done successfully, you'll get this return value:
{
"Status": "SUCCESS",
"Session": "..."
}
I didn't find any use for the session returned by this object. Now, the sign-up process is completed and the user can log in.
The actual log in (which happens every time the users want to authenticate themselves):
await cognito.adminInitiateAuth({
AuthFlow: 'ADMIN_NO_SRP_AUTH',
ClientId,
UserPoolId,
AuthParameters: {
'USERNAME': email,
'PASSWORD': password,
},
}).promise();
Of course, this was identical to step 4. But its returned value is different:
{
"ChallengeName": "SOFTWARE_TOKEN_MFA",
"Session": "...",
"ChallengeParameters": {
"USER_ID_FOR_SRP": "..."
}
}
This is telling you that in order to complete the login process, you need to follow the SOFTWARE_TOKEN_MFA challenge process.
Complete the login process by providing the MFA:
cognito.adminRespondToAuthChallenge({
ChallengeName: "SOFTWARE_TOKEN_MFA",
ClientId,
UserPoolId,
ChallengeResponses: {
"USERNAME": config.username,
"SOFTWARE_TOKEN_MFA_CODE": mfa,
},
Session,
}).promise()
The Session input is the one returned by step 8 and mfa is the 6 digits that need be read from the authenticator app. Once you call the function, it will return the tokens:
{
"ChallengeParameters": {},
"AuthenticationResult": {
"AccessToken": "...",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "...",
"IdToken": "..."
}
}
I am trying to create a managed device in Intune but I am getting different errors.
This is the documentation I am using https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/intune_devices_manageddevice_create.
I am testing the functionality using Graph Explorer so I do not need the authorization token and the account I am logged into is the global administrator and has the appropriate delegated permission enabled 'DeviceManagementManagedDevices.ReadWrite.All'.
When I try the first request /users/{usersId}/managedDevices I get a 403
An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000.
If I try /deviceManagement/managedDevices I get 400
No OData route exists that match template
I am signed up for a free trail for Intune and Azure AD if this makes any difference.
What could I be missing?
The request body I based off the example in the documentation for create managedDevice. I also tried removing the odata type but it makes no difference.
An example I have tried
{
"id": "5h5b3fab-0169-45de-9aad-3d928ebbe1a0",
"userId": null,
"deviceName": "newIntuneDev",
"deviceActionResults": [],
"enrolledDateTime": "2018-02-19T11:04:24.242385Z",
"lastSyncDateTime": "2018-01-03T14:01:45.1553437Z",
"operatingSystem": "Android",
"complianceState": "compliant",
"jailBroken": "false",
"managementAgent": "mdm",
"osVersion": "7.0",
"easActivated": true,
"easDeviceId": "DFC17B28459230B3",
"easActivationDateTime": "2018-01-19T11:05:11.4483412Z",
"azureADRegistered": true,
"deviceEnrollmentType": "userEnrollment",
"activationLockBypassCode": null,
"emailAddress": null,
"azureADDeviceId": "89f65205-72af-4830-a9b1-ebcd3160476f",
"deviceRegistrationState": "registered",
"deviceCategoryDisplayName": null,
"isSupervised": false,
"exchangeLastSuccessfulSyncDateTime": "0001-01-01T00:00:00Z",
"exchangeAccessState": "none",
"exchangeAccessStateReason": "none",
"remoteAssistanceSessionUrl": "",
"remoteAssistanceSessionErrorDetails": "",
"isEncrypted": false,
"userPrincipalName": null,
"model": "SM-G930F",
"manufacturer": "samsung",
"imei": "539467078998547",
"complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59.9999999Z",
"serialNumber": "T58H52RP9KN",
"phoneNumber": null,
"androidSecurityPatchLevel": "2018-01-01",
"userDisplayName": null,
"configurationManagerClientEnabledFeatures": {
"inventory": false,
"modernApps": false,
"resourceAccess": false,
"deviceConfiguration": false,
"compliancePolicy": false,
"windowsUpdateForBusiness": false
},
"wiFiMacAddress": "4C6641183631",
"deviceHealthAttestationState": null,
"subscriberCarrier": "",
"meid": "659467078998547",
"totalStorageSpaceInBytes": 0,
"freeStorageSpaceInBytes": 0,
"managedDeviceName": "newDevice",
"partnerReportedThreatState": "unknown"
}
This (https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/intune_devices_manageddevice_create) is a documentation error. API does not support creation of managedDevice. You would need to MDM enroll a device into Intune to see data populated under ~/managedDevices API.
Signup for a free Intune trial subscription
Set MDM authority - https://learn.microsoft.com/en-us/intune/mdm-authority-set
Enroll a device -
https://www.microsoft.com/itshowcase/Article/Video/634/Enroll-your-mobile-device-in-Microsoft-Intune-for-corporate-access
Once successfully enrolled, device should show up under ~/managedDevices
Thanks,
Alemeshet Alemu - MSFT