Auth0 - Log into 2 apps in 1 tenant with different profiles - auth0

I have 2 React apps in 1 tenant, using @auth0/auth0-react. App A uses user/password to login, App B uses Google-OAuth-2. Both apps use the same auth0 audience & auth0 domain (and different clientIDs).
My workflow is:
open 1st tab and log into App A with one profile
open 2nd tab and log into App B with another profile
open 3rd tab with App A again
The problem here is that I have to do the login process in App A again in the 3rd tab. In the 1st tab, I’m still logged in, but I’ll have to redo the login process if I refresh.
How can I decouple both login processes, so that I only need to log in once in each app without them interfering with each other?

Related

How to implement PKCE flow with an additional website between a mobile app and Auth0

I have an interesting case where user onboarding is designed the following way:
Users download the mobile app
Once they click "Sign up" they are redirected first to a website to check if they are actually eligible to sign up (it's basically some kind of survey)
Once they are eligible, they are redirected to Auth0 to log in (the previous step will create a new account if they pass the eligibility checks).
Now, after successful login, the user is redirected back to the app.
That's the theory. Now, before we try to implement it, here are the questions:
a) Is the last point possible in this scenario?
b) If so, is this just a matter of setting a custom URL scheme as the redirection callback so the app will be open on the user's device?
c) Will it be easy then to consume the ID token and access token in the app so we can call the API?
d) Can https://pub.dev/packages/flutter_appauth be configured to work with this scenario where we have an additional website in the middle of the process?

logging out of Okta hosted login page on mobile (React Native)

I have a React Native app that uses Okta's hosted login page to authenticate.
When a user successfully authenticates for the first time through the PKCE flow, on every other login afterwards, they get automatically logged in as the same user.
I've used additionalParameters: { prompt: 'login' }, but it only asks you to re-enter your password, and if you click sign out, it brings you to a Citrix page that doesn't change anything about the flow - they still get logged back in as the same user afterwards.
I've tried using both the revoke and logout endpoints, which actually changes the cookies a bit but doesn't affect the flow; the same goes for restarting the app.
The only way is to clear the hardware settings in Xcode.
This may not even be an Okta specific issue, perhaps a general OIDC issue.
How does the hosted login page store and know you've previously logged in and how can that be fixed?

Google OAuth 2.0 with non-web application (Windows/mobile app) shows "Have offline access" consent screen

We are implementing Google OAuth 2.0 Single Sign On with our applications. We have a web application, a Windows desktop app, an Android app and an iPhone app.
From our applications (Windows app/mobile app), when a user tries to log in we use the flow below:
1) We get the URL (https://accounts.google.com/o/oauth2/auth?client_id=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&response_type=code&scope=openid%20profile%20email&redirect_uri=urn:ietf:wg:oauth:2.0:oob&login_hint=myemail@gmail.com) from our API, which redirects the user to the Google login screen.
2) After authentication:
a) On first login it displays the consent screen with the scopes (View your email address / View your basic info / Know who you are on Google) mentioned in the above URL.
b) On subsequent logins it displays the consent screen with the scope "Have offline access".
3) Then Google returns us a code in the page title, which we use for our authentication, and then we allow the user to access our application.
When we use the same flow in the web application it doesn't ask for the "Offline access" scope screen on subsequent logins, but in the desktop app/mobile app it asks for the "Have offline access" scope screen on every subsequent login.
How can I avoid the "Have offline access" scope screen on subsequent logins?
Please suggest.
FYI:
1) I have tried approval_prompt and access_type, but no change in behaviour.
2) We are not storing any refresh token after the first authentication.

How to achieve "Remember Me" functionality for both local and remote login pages?

I have a requirement in my application for iOS and Android, developed using IBM Worklight, to remember the user ID if the user selected this option.
I can achieve this by using localStorage, but the issue is that I have two login pages:
One is placed within the application, and the
Second is hosted on a remote server
Depending on the conditions the application meets, either the remote login page or the local login page will be displayed.
If I use localStorage on the local page it is not accessible from the server-side login page. So I want to use some storage/file on the mobile device to store my user ID which is accessible from both the local and the server login page. Is this possible using Worklight/PhoneGap storage?
More explanation:
The remote login page is hosted on some www.xxx.com domain. My requirement is that on launch of the application the local login page is shown to the user, where the user can enter user ID and password, select the remember me option and submit the form. Then the user logs in and is navigated to some xxx.com/yyy server page. From there, when the user clicks on log out it navigates to the remote login page which is hosted on the www.xxx.com server. As the user already checked the remember me option on the local page, the remote login page has to pre-populate the user ID text box. And the same scenario should happen when the user enters credentials on the remote login page and selects the remember me check box. So when the user kills the application from the background and relaunches the application, the user will get the local login page where I need to pre-populate the user ID he entered last time.
Short answer: in my opinion, no.
Longer answer: I will explain what I think using your scenario:
Remote login page is hosted on some www.xxx.com domain. My requirement
is on launch of application the local login page is shown to the user,
there user can enter user id and password and selects remember me
option and submits form.
So far so good. You can store it in either Web Storage or JSONStore, or use the Cordova File API. Catch: all of these are available ONLY to the specific application.
Then user logs in and navigated to some xxx.com/yyy server page. From
there when user clicks on log out it navigates to remote login page
which is hosted on www.xxx.com server. As user already checked
remember me option in local page the remote login page has to pre
populate the user id text box.
Still plausible. Let's say the user selected 'Remember Me', so you can adjust the URL pointing to the remote login page and send the username and password with it as parameters, assuming that there will be a mechanism to handle those on the remote page.
This does not come for free, though.
This is not meant to work out of the box. It's worth noting that whether Web Storage (localStorage...) or any other type of storage is used, the application and the Cordova InAppBrowser do not share the same localStorage, and the same is true if you open a new WebView.
And same scenario should happen when user enters credentials in remote
login page and selects remember me check box. So when user kills the
application from background and relaunches the application user will
get local login page where I need to pre populate the user id last
time he entered.
This is also a problem IMO, because any application is sandboxed - be it the browser app or the Worklight app, each of them is sandboxed. So you can't just go to website X, create some localStorage for it and expect that data to be available to another WebView belonging to another app. That's the whole point of sandboxing, in order to protect the app.
And in this case, where the remote "page" will save the data, only Web Storage is available anyway, as JSONStore requires the Worklight API, which is not available when you load external websites.
Notes:
Since you want to save both username and password, you'd probably want to encrypt them in some way, so JSONStore and WL.EncryptedCache are your options, rather than plain Web Storage.

Switching off visibility of installed google apps marketplace app result in authorization failure in OAuth version 2

In the older apps marketplace, a domain admin could switch off app visibility from the apps admin panel and the authentication/authorization to a 3rd party app still kept working.
After the OAuth2 migration, I see that switching app visibility to "Off" stops the 3rd party app from refreshing the access tokens (for offline access) and returns access denied. Is this an issue or is it supposed to work this way? We are using a Service account to access.
I do not want the installed 3rd party app icon to appear in the Gmail universal navigation for all the domain users, and still want the authorization (and offline access) to keep working.
I noticed this change as well. We have had to create multiple marketplace listings to get around this.
1 Listing for users that want the contextual gadget
1 Listing for those users that want the universal navigation
1 Listing for those users that want no universal navigation
You can turn off the universal navigation in the Marketplace Setup console by unchecking "Enable Universal Navigation extension"