How to authenticate a user by phone and SMS (no password) with OpenIddict - openiddict

I have a mobile app that requires authentication by phone number.
As this is my app, if I had a login and password I would use the Resource Owner Password Credentials flow.
Is it a good idea to use the same flow for the phone number scenario?

Consider using the authorization code flow for this scenario; it will give you much more flexibility for the login part.

Related

What approach should I use with Auth0 SMS and email one-time code

I am currently using Auth0 to allow users to log in to an application. I am building it using the embedded approach. I see in the Auth0 documentation that they support passwordless login for SMS and email, but I am not sure if that is the correct approach to use for a one-time code when a user forgets their password.
Has anyone developed a forgot password and reset flow through embedded with Auth0? What approach did you use? Is passwordless strictly for logging in?
Important: this is not the Universal Login approach.
Thanks.
There are multiple ways in Auth0 that a user can be authenticated. Those are categorized under Connections in Auth0. Passwordless is one way of doing so. In this approach there is no password involved, which means there can't be a use case where the user forgets his password for your application. (What can happen is that the user forgets his password for his email account, or the user no longer has access to the mobile phone where he receives the SMS from Auth0 for authentication.) So passwordless is not for resetting the user's password. It is just for authenticating the user.
If you provide an option to log in with username and password, you can use the Database connection type in Auth0. In this approach, there is a use case where the user forgets his password for your app.
In that case your application should provide the forgot password option. Universal Login has built-in support for this. However, as you don't use Universal Login, you may have to implement that yourself. There are a couple of methods which are explained in the Auth0 documentation. One option would be to use the change_password endpoint in the Authentication APIs. This will send a reset password email to the user. Then the user can use the link given in that email to reset his password. There is another option, where you can generate a password reset ticket in Auth0 using the password reset ticket endpoint. Hope you can use one of them for your requirement.

How to verify a user by sending the same OTP to email as well as phone number to allow sign-up using Azure AD B2C user flows

I want to allow my users to register themselves by verifying an OTP that will be sent to email and phone number simultaneously, and allow sign-up after verification. I am using Azure AD B2C user flows.
I am open to changing auth provider to Auth0 or Firebase if they satisfy this use case.
When it comes to Auth0, you would need to build out the functionality in your application code for a one-time password to be sent to the email and phone number simultaneously. I hope this helps bring some clarification. Thanks!

Xamarin.Forms user credentials storage guidance

I am developing a Xamarin.Forms application. The app is for company owners, in which they can see the employee timesheets. The app can be accessed by user ID and password, which will authenticate via API. I intend to save the user credentials in the app and provide a logout facility when they want.
My questions are:
1. How can I securely store user credentials in Xamarin.Forms, so that nobody can get the credentials by decompiling the app?
2. How can I securely pass the credentials via API and authenticate with the server (I heard about basic auth, OAuth)?
3. If someone gets my user credentials and the URL to post to, he should still not get the data. How can it be implemented?
Show me some guidance and links. Thanks in advance!
This question has nothing to do with Xamarin.Forms; it is more about general architecture and security considerations.
You should not store user credentials but an authentication token that will be returned from the API in case of a successful user authentication. This token should have a limited lifetime, depending on the business needs.
HTTPS
Since you will not store sensitive data like the user login and password on the phone, the risk of someone obtaining those will be slightly minimised. In any case you could invalidate the token if malicious behavior is detected and force the user to change the password.
For storing the authentication token securely on the device you could use Xamarin.Essentials

PIN code authentication for web application

I'm developing an Angular 6 web app with mobile view.
For authentication I'm using a Keycloak server. It provides me with OAuth2 with access and refresh tokens.
To obtain tokens the user has to log in with login/password.
It's not very comfortable for the user to enter a password on mobile each time the tokens expire.
It would be cool if it were possible to resume working in the application by entering a PIN code. I think the PIN code can be set up by the user after first login, or generated by the server and sent to the user by email.
How is it possible to configure PIN code authentication for a web app?
Is it possible to configure PIN-code authentication using Keycloak?
Or is it possible with another auth server?
Can it be done without storing the password somewhere on the FE or BE?
You'll need to develop a custom Authentication SPI (service provider interface).
Keycloak has example code on GitHub that demonstrates how to support a secret question, for example, which won't be miles away from what you'll need for your PIN code secret.

Single sign-on: authentication vs authorization

I'm implementing Facebook and Google SSO on my website using a custom workflow (redirect URLs, parsing on the server side etc., no JavaScript) and I got to the point where I have access_token, token_type and expires_in, and from Google also id_token, and I am confused about what to do next to authenticate the user.
I read a little about authorization vs authentication, and that Facebook and Google SSO is OAuth2, which provides authorization but not authentication, from which I understand that this way my web application is authorized to do something on behalf of the user, but I cannot be sure the user is the one who I think he is? My main source is this: OAuth Authorization vs Authentication
So, my question is, what should I do to be able to consider the user logged in?
Thank you
In your case Google (and Facebook) are authenticators. These services just tell your application that the user who tries to log in to your system is the one he claims to be.
Assume you differentiate users by unique email.
Your application flow should be as follows:
1. The user tries to log in to the application using Google. The application does all the Google redirection flow stuff and gets the tokens.
2. The application needs to store these tokens for future use.
3. The application checks if this user's email is present in the database.
4. If the email is present and Google returns tokens (Google authenticated your user successfully), you can log the user in to your app.
5. If the email isn't present in the database but Google authenticated the user successfully, you can store this user (with email) in your database, i.e. sign them up; this is a new user in your system.
Same flow with Facebook. Surely you can extend this logic to be more specific to your application.
SSO and OAuth are different. OAuth is an authorization protocol.
You are dealing with Google and Facebook OAuth.
OAuth
In the case of OAuth, after successful authentication (Google/Facebook) you will get an access token. You can use the token for maintaining the user session.
With this token the user is authorized. Now you should check whether the user is present in your database; if yes, then authenticate the user and redirect to your application.
SSO
SSO is a user authentication service. There are ways of implementing SSO like Kerberos SSO and ADFS SSO.
We should never use an OAuth2 access token for authentication.
For details, please refer to
https://oauth.net/articles/authentication/
OpenID Connect, built on top of OAuth2, can be used for authentication.
Google supports OpenID Connect:
https://developers.google.com/identity/protocols/OpenIDConnect
The basic idea is that Google will issue the client app (your application) an ID Token after the user has logged in to his Google account. You can then extract user information (e.g. email, unique user id) from this ID token and proceed with your login flow.
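An added example, not code from any answer in this thread, showing what "proceed with your login flow" looks like once an ID token arrives: check the token's signature and its iss, aud, exp and sub claims before trusting it, then run the "log in if the email is known, otherwise sign up" flow from the earlier answer. To run offline it signs a constructed HS256 token with a shared test key; a real Google ID token is RS256 and its signature is checked against Google's published JWKS with a JOSE library, with the issuer and client ID values here being assumptions.

```python
# Added example, not from the thread: HS256 + shared key stands in for Google's RS256 + JWKS so it runs offline.
import base64, hashlib, hmac, json, time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_test_id_token(claims, key):
    """Constructed HS256 token for the offline demo (Google's real tokens are RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_id_token(token, key, issuer, audience, now=None):
    """Return the claims only if signature, iss, aud, exp and sub all check out."""
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # pin the alg; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:          # minted by the IdP we expect
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:        # minted for this client, not some other app
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:          # not a replay of an old token
        raise ValueError("expired")
    if not claims.get("sub") or not claims.get("email_verified"):
        raise ValueError("no stable subject or unverified email")
    return claims

def id_token_is_valid(token, key, issuer, audience, now=None):
    try:
        verify_id_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False

def login_or_signup(claims, users):
    """Flow from the earlier answer: log in a known email, otherwise sign the user up."""
    email = claims["email"]
    if email in users:
        return "login", users[email]
    users[email] = {"sub": claims["sub"], "email": email}   # keep sub: it is the stable id
    return "signup", users[email]
```

Only the claims returned by verify_id_token should reach login_or_signup; a token that fails any check is rejected outright rather than partially trusted.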