How do I turn off "sign up" in AWS Cognito's hosted UI without disabling self-registration? - amazon-cognito

We have a native app and an Alexa skill. You can't use the Alexa skill without the app and you need to have your app account first. Some users are creating accounts with the Alexa skill that aren't linked with their app accounts.
We can disable self-registration and the sign-up link goes away in the hosted UI, but it also prevents account creation from the application using Amplify.
I looked at the hosted UI customization CSS to see if I could style that link to hide it, but the CSS customizations don't seem to address that link specifically. I'd like to avoid reinventing the entire auth wheel just to get rid of that one link.
Is there any way to disable the "sign up" link in the Cognito hosted UI without disabling self-registration?
Thanks!

You have 2 options as far as I know.
Use a custom Lambda trigger on sign-up to reject calls made from your hosted UI
Use your own login page instead of hosted UI.
Unfortunately, there is no way to modify the contents of the UI. You can only change the CSS and add a logo.
The first method is easier but is a bad implementation, because you are confusing your users with a button to register and then rejecting all their attempts. The second method is the best way to achieve what you want.
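One way to implement the first option, as an added example that is not code from the original answer or from AWS: a PreSignUp Lambda trigger in Python. It assumes the hosted UI (the one the Alexa skill's account linking points at) has its own app client in the user pool, so that its sign-ups can be told apart from the native app's by the clientId Cognito puts in the event's callerContext; HOSTED_UI_CLIENT_ID, the pool id and the sample events are placeholders constructed for an offline run. Only the sign-up form (PreSignUp_SignUp) is blocked; first sign-ins through a federated identity provider (PreSignUp_ExternalProvider) do not use that form and are left alone here, and admin provisioning (PreSignUp_AdminCreateUser) passes through.

```python
"""Added example: a Cognito PreSignUp Lambda trigger that refuses self-service sign-ups
coming from the hosted UI while leaving the native app's sign-ups and admin-created
users untouched.

Assumption (not from the original post): the hosted UI uses its own app client in the
user pool, so its requests can be recognised by the clientId Cognito reports in
event["callerContext"]. HOSTED_UI_CLIENT_ID below is a placeholder for that id.
"""
import os

HOSTED_UI_CLIENT_ID = os.environ.get("HOSTED_UI_CLIENT_ID", "hosted-ui-client-id-placeholder")

# triggerSource values on which the hosted UI sign-up form registers a user.
# PreSignUp_AdminCreateUser and PreSignUp_ExternalProvider are deliberately not listed.
SELF_SIGNUP_SOURCES = frozenset({"PreSignUp_SignUp"})


class SignUpRejected(Exception):
    """Raising from a PreSignUp trigger makes Cognito fail the SignUp call and return the
    exception message to the caller; that message is what the hosted UI form displays."""


def is_hosted_ui_self_signup(event, hosted_ui_client_id=HOSTED_UI_CLIENT_ID):
    """True when a self-registration request was made through the hosted UI app client."""
    source = event.get("triggerSource")
    client_id = event.get("callerContext", {}).get("clientId")
    return source in SELF_SIGNUP_SOURCES and client_id == hosted_ui_client_id


def lambda_handler(event, context):
    if is_hosted_ui_self_signup(event):
        raise SignUpRejected(
            "Accounts are created in the mobile app; create one there first, then link Alexa."
        )
    # Every other path (native app client, AdminCreateUser, federated sign-in) passes
    # through unchanged; the trigger must return the event for Cognito to continue.
    return event


# Constructed sample events for an offline run; real events carry more fields.
def _event(trigger_source, client_id, username):
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "userPoolId": "us-east-1_EXAMPLE",  # placeholder pool id
        "userName": username,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": client_id},
        "request": {"userAttributes": {"email": f"{username}@example.com"}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }


SAMPLE_HOSTED_UI_EVENT = _event("PreSignUp_SignUp", HOSTED_UI_CLIENT_ID, "alexa-user")
SAMPLE_NATIVE_APP_EVENT = _event("PreSignUp_SignUp", "native-app-client-id-placeholder", "app-user")
SAMPLE_ADMIN_EVENT = _event("PreSignUp_AdminCreateUser", HOSTED_UI_CLIENT_ID, "provisioned-user")

if __name__ == "__main__":
    for name, event in [("hosted UI", SAMPLE_HOSTED_UI_EVENT),
                        ("native app", SAMPLE_NATIVE_APP_EVENT),
                        ("admin", SAMPLE_ADMIN_EVENT)]:
        try:
            lambda_handler(event, None)
            print(f"{name}: allowed")
        except SignUpRejected as exc:
            print(f"{name}: rejected ({exc})")
```

The trigger only works as a gate if the Alexa skill and the native app really do use different app clients; if they share one, clientId cannot distinguish them and nothing in the event can. The link itself stays visible in the hosted UI, which is the confusing-users problem the answer describes.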

Another method is to use the adminCreateUser function, give it a temporary password, and suppress the email that would send the temporary password. Then call adminSetUserPassword to give the user the desired permanent password.
This technique seems to work properly when the "Enable signup" feature is disabled.
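The AdminCreateUser / AdminSetUserPassword sequence from this answer, written out as an added example in Python (not code from the original post). The pool id, usernames and the RecordingClient stand-in for a boto3 cognito-idp client are constructed so the script runs offline; against a real pool you would pass boto3.client("cognito-idp") as the client. It goes slightly beyond the answer by also marking the email attribute verified, since with the invitation suppressed Cognito sends no verification code.

```python
"""Added example: provision a Cognito user from a trusted backend with AdminCreateUser
(invitation email suppressed) followed by AdminSetUserPassword(Permanent=True), so the
user ends up CONFIRMED with the password they chose even while self sign-up is off.

This is not code from the original post. The pool id, usernames and the RecordingClient
below are constructed stand-ins so the script runs offline; against a real pool pass
boto3.client("cognito-idp") as `client` instead.
"""
import secrets
import string

SYMBOLS = "!@#$%^&*"


def make_temporary_password(length=24):
    """Throwaway value that satisfies the default pool policy (upper, lower, digit, symbol).
    Nobody ever sees it: MessageAction="SUPPRESS" stops the invitation email and it is
    replaced immediately by the permanent password."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def provision_user(client, user_pool_id, username, email, permanent_password):
    """Create `username` in the pool and set `permanent_password` on it.

    `client` needs admin_create_user and admin_set_user_password, the two methods the
    boto3 cognito-idp client exposes for this. Returns the created user's username.
    """
    created = client.admin_create_user(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[
            {"Name": "email", "Value": email},
            # With the invite suppressed Cognito sends no verification code, so mark the
            # address verified here if your backend has already checked it.
            {"Name": "email_verified", "Value": "true"},
        ],
        TemporaryPassword=make_temporary_password(),
        MessageAction="SUPPRESS",  # no email containing the temporary password
    )
    client.admin_set_user_password(
        UserPoolId=user_pool_id,
        Username=username,
        Password=permanent_password,
        Permanent=True,  # skips FORCE_CHANGE_PASSWORD; the user is CONFIRMED afterwards
    )
    return created["User"]["Username"]


class RecordingClient:
    """Constructed offline stand-in for boto3.client("cognito-idp"): records the calls
    and answers with the shape the real API returns."""

    def __init__(self):
        self.calls = []

    def admin_create_user(self, **kwargs):
        self.calls.append(("admin_create_user", kwargs))
        return {"User": {"Username": kwargs["Username"], "UserStatus": "FORCE_CHANGE_PASSWORD"}}

    def admin_set_user_password(self, **kwargs):
        self.calls.append(("admin_set_user_password", kwargs))
        return {}


if __name__ == "__main__":
    fake = RecordingClient()
    provision_user(fake, "us-east-1_EXAMPLE", "alexa-user", "alexa-user@example.com",
                   "CorrectHorse!Battery9")
    for name, kwargs in fake.calls:
        print(name, {k: v for k, v in kwargs.items() if k not in ("TemporaryPassword", "Password")})
```

Both calls are admin-authenticated operations, so they need IAM permissions for cognito-idp:AdminCreateUser and cognito-idp:AdminSetUserPassword on the pool and must be made from a backend you control, never from the app with end-user credentials. That also means the user's chosen password transits your backend, which the normal SignUp path avoids. Any PreSignUp trigger on the pool still fires for this path, with triggerSource PreSignUp_AdminCreateUser.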

Related

Chrome Extension: how to safely restrict the content and customise the user experience?

I'm enjoying developing cross-browser web extensions, the main target being Chrome, so much that I started thinking about developing one for my company. I find a Chrome extension quite a cheap and efficient way to deploy internal apps. The main purpose is to host a couple of dynamic dashboards that fetch data from various APIs by using cross-domain AJAX in background scripts. I finalized the app and I was also able to implement the authentication via chrome.identity and Azure AD.
However, I am struggling to find a safe way to customise the content.
I mean, when the extension is installed it requires logging in to Azure via the chrome.identity flow. Then I get a token that I use to query MS Graph and get the user ID, name, email and basic info.
Until I get this information I want the browser action (popup) to be unavailable to the user as well as any other extension pages. After a successful login I would like to show the content on the pop up and to let the user access the pages, but here I want to customize the experience.
I know how to use the user id retrieved from the api call to customize the extension, but I think it is not safe because all the code is in the client.
If I code something like
if (user === logged) show something
it will be damn easy for a malicious user to look at the code and bypass it, or even to impersonate another user. And a Chrome extension cannot be obfuscated.
Any help?
Thanks

Leveraging FusionAuth login / verify screens

We have two administrative SPAs that can make easy use of the FusionAuth templated login / verify screens. This is useful as the screens automatically reflect our social logins as those are configured.
The third SPA is carefully designed and places the login fields on a dynamic splash page. I'm considering an attempt to HTML-embed the FusionAuth login panel on our splash page but would need to strip away the nav bar and background container. I think this would be a global change to the FusionAuth UI web layout, forcing the use of embeds in all our apps.
We have FusionAuth running on a subdomain so an embed might not cause much CORS difficulty. Are there any other reasons that embedding the login panel directly from the FusionAuth server into our pages might not be a workable solution?
You can modify the FusionAuth login UI without impacting the administration UI. If you go to Settings -> System -> UI, you will see that the Login UI templates can all be modified.
If you have different login UI elements for different Applications, you can use the variable client_id in the templates to control the layout. This is the OAuth client_id for the FusionAuth Application. These templates are FreeMarker, so a conditional statement might look like this:
[#if client_id == 'ee31103f-2fc1-4bb5-ba95-ac543693503e']
Embeddable HTML/CSS goes here
[#else]
Standard HTML/CSS goes here
[/#if]
That being said, the OAuth login UI of FusionAuth might not be easily embeddable in your third SPA, depending on whether you are using an iframe or AJAX. It is still probably a better idea to skin the login UI to match your UI instead and leverage the OAuth login workflow if possible.
The other solution is to use your own login page and then call the FusionAuth APIs to authenticate the user.
We have been exploring adding an embeddable login system. If you want to open a feature request for this, you can add it on our Github Issue tracker here: https://github.com/FusionAuth/fusionauth-issues

Checking a list of logins on dropbox

I have a strange request for a project - we have a text file containing a list of login credentials for Dropbox for around 10 users. I have to validate their credentials automatically and notify the users if login fails with their credentials.
I've looked at the dropbox API, but that uses OAuth, which requires the user to manually fill in credentials, but that doesn't do the trick for me.
Is there a way for me to check a bunch of logins? I've looked at the DropboxUpload repository on GitHub; it works fine for single-user logins, but fails to achieve what I want when it comes to checking the same thing for multiple users.
Any help/leads on how I should go about proceeding with this would be greatly appreciated!
Many thanks,
John
You can use the Dropbox web page to check user credentials by doing a normal login/logout, but in an automated way.
To create a "bot" which will log in and log out and check if the credentials are correct, you can use Selenium.
Selenium is a framework for testing web page UI, but it can also be used to create an automated checker/tester/bot for what you need.
It is also possible to set up Selenium in such a way that it will use a renderless browser engine, so no browser will be visible during the test/check. This also speeds up the process of testing.
I hope this will help you if you don't find any better way, and it can be used as a final solution, since it is not the best way to check credentials.

Using oauth2 in an iframe application

I have a web application that uses Google & Facebook OAuth2 to authorize the users.
But, the application can also be hosted in other sites in a frame.
The problem is that in that case Google blocks the login phase (since it's in a frame); is there a way to overcome it?
I don't think so. If possible, stay away from embedding other sites with frames.
You could contrive something where your client makes an AJAX call to your server. If your server sends the login redirect, your client can use the 302 location to open a popup window. You will of course need to make sure the user isn't blocking popups.

Custom iOS Twitter Authentication page?

I am making a mobile application where users can connect their twitter accounts to the app. I am just kinda curious what's the best way to do it.
Right now, I would love to be able to make my own custom page (without having to use a UIWebView).
Is this possible? If so, how?
Thanks.
As I understand, you don't want the user to be redirected to Twitter's OAuth authorization web page. You can use xAuth instead, but you have to send Twitter an email explaining why you want this, and they won't allow xAuth for your app until it is in a very late development state (when your app is almost complete). You can find the manual for xAuth in the Twitter development documentation.
Basically, what xAuth does is it allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. This way, you can provide the user with custom fields (e.g. UITextField objects) to fill their username and password in. Just make sure you don't save them anywhere, only the access token. Good luck. :)
A quick web search reveals MGTwitterEngine.