Does changing your Twitter password force re-auth on Firebase? - firebase-authentication

If I'm using Firebase Auth with Sign in with Twitter, does changing my Twitter password kick currently logged-in people out and force them to re-authenticate?

Firebase won't (it can't even) detect that the Twitter password has changed, so this operation has no effect on the user's status on Firebase authentication.
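An added example, not part of the original answer and not Firebase SDK code: a simplified model of the server-side session check, showing that only Firebase-side state decides whether a token is accepted. `auth_time`, `tokensValidAfterTime`, `revokeRefreshTokens` and `verifyIdToken` are Firebase Admin SDK names; the helper functions, the uid and the timestamps are constructed for illustration.

```javascript
// Simplified model of a backend check in the spirit of the Admin SDK's
// verifyIdToken(idToken, /* checkRevoked */ true). Helper names are hypothetical.

const SIGN_IN = 1700000000; // constructed sign-in time, seconds since epoch

// Decoded ID token claims (constructed sample, one-hour lifetime).
function makeIdToken(uid, authTime) {
  return { uid, auth_time: authTime, exp: authTime + 3600,
           firebase: { sign_in_provider: 'twitter.com' } };
}

// Stand-in for revokeRefreshTokens(uid): records a cut-off on the user record.
function revokeSessions(user, nowSec) {
  user.tokensValidAfterTime = new Date(nowSec * 1000).toUTCString();
}

// Only Firebase-side state is consulted; nothing here asks Twitter anything.
function checkIdToken(token, user, nowSec) {
  if (token.uid !== user.uid) return 'wrong-user';
  if (nowSec >= token.exp) return 'expired';
  if (user.tokensValidAfterTime) {
    const cutoffSec = Date.parse(user.tokensValidAfterTime) / 1000;
    if (token.auth_time < cutoffSec) return 'revoked';
  }
  return 'ok';
}

function scenario() {
  const user = { uid: 'uid-123', tokensValidAfterTime: null };
  const token = makeIdToken('uid-123', SIGN_IN);
  const out = {};
  // +10 min: the Twitter password changes. No Firebase state is touched.
  out.afterTwitterPasswordChange = checkIdToken(token, user, SIGN_IN + 600);
  // +15 min: the app's backend revokes the user's sessions explicitly.
  revokeSessions(user, SIGN_IN + 900);
  out.oldTokenAfterRevoke = checkIdToken(token, user, SIGN_IN + 901);
  // The user signs in again and receives a token with a newer auth_time.
  out.newTokenAfterReauth =
    checkIdToken(makeIdToken('uid-123', SIGN_IN + 960), user, SIGN_IN + 961);
  return out;
}
```

If a provider password change should end Firebase sessions, the application has to trigger the revocation itself, since no signal arrives from Twitter.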

Related

Which OAuth flow to use for mobile app passwordless login

The "passwordless login" term may not be accurate, but I don't know how to describe it. What I mean by that is a login that you see on a lot of fintech/crypto apps. Basically, the app has 4-digit local PIN (that's never sent to the API) and with this PIN, the long-lived refresh_token is encrypted.
The PIN is only remembered in the user's brain. So, next time you open the app, you just type your 4-digit PIN for login (or biometry), and the app will use refresh_token from there.
Question: Which OAuth flow would be appropriate for this? It seems that for login they all want a password or show a prompt for the username/password. Or they redirect to a webpage, which is not an option for a mobile app.
What I need is some kind of request, that's only used when signing up, where I only send email (without password) and I get a long-lived refresh_token for that user. From there I can just refresh that same token over and over.
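The local storage scheme described in this question, as an added example that is not part of the original post: the refresh token is encrypted under a key derived from the PIN, and a hypothetical `PinVault` wipes it after repeated bad PINs. The scrypt parameters, the attempt limit and all names are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

const MAX_ATTEMPTS = 5; // assumed policy for this example

// PIN -> 256-bit key. The scrypt cost parameters are illustrative assumptions.
function deriveKey(pin, salt) {
  return crypto.scryptSync(pin, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the refresh token under the PIN-derived key with AES-256-GCM.
function wrapToken(refreshToken, pin) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(pin, salt), iv);
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the token, or null if the PIN is wrong or the blob was altered.
function unwrapToken(blob, pin) {
  const key = deriveKey(pin, blob.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag mismatch
  }
}

// Hypothetical vault: wipes the blob after MAX_ATTEMPTS bad PINs, forcing a full
// sign-in. A 4-digit PIN has only 10,000 values, so this counter (and keeping
// the blob in OS-protected storage) carries the security, not the PIN's entropy.
class PinVault {
  constructor(refreshToken, pin) {
    this.blob = wrapToken(refreshToken, pin);
    this.failures = 0;
  }
  unlock(pin) {
    if (!this.blob) return { status: 'wiped', token: null };
    const token = unwrapToken(this.blob, pin);
    if (token !== null) { this.failures = 0; return { status: 'ok', token }; }
    this.failures += 1;
    if (this.failures >= MAX_ATTEMPTS) this.blob = null;
    return { status: this.blob ? 'bad-pin' : 'wiped', token: null };
  }
}
```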

Auth0 Guest user login and Rest API login

Lately I started looking into a PoC with Auth0 for our use case, where we want to allow users to log in with Google and Facebook. We also want guest users to log in and access our API, and once a guest user chooses to log in with Google and Facebook, we can link the guest user so that their data will be served once logout.
Here are the things which I am able to do till now with the PoC:
Able to log in with Google and Facebook through the client app.
Access the authenticated API after getting a bearer token from the client app.
Things which I still need to do; I tried to search but couldn't find a good resource:
I want users to log in as a guest user, and later, if they want, they can log in with Google/FB and link their account.
Also, I am looking into a REST login API in Auth0 so that we can hit the login API after getting an access token from Google/FB, register the user in Auth0 and get the token for API access.
It would be great if anyone could help me with the above two points. Thanks!

Okta re enter password after logging in for a particular action

I'm using Okta to sign in to my React-based web application. There is an edit action within the app that requires the user to re-enter his password. I've checked the docs and couldn't find anything similar. The closest I got to was the 're-authenticate' user part. However, that's only based on time. I want to achieve similar functionality based on an event (say, a button click). Can I do this using refresh tokens? (I'm not clear about the whole idea of refresh tokens.) Is there a workaround or a specific Okta API that allows me to do this?
I have contacted Okta support and they advised me to use the Okta MFA factors (OTP to email/phone, Google Auth etc.) and not to prompt the user to enter a password.
MFA Factors API: https://developer.okta.com/docs/reference/api/factors/

firebase unauth with google doesn't allow change of user

Is there a setting, either in Google projects or in Firebase databases, for specifying that unauth should not cache user credentials? Once I have logged into my app via the Firebase Google authentication, calling unauth() does not permit me to log in again with a different account. An attempt to log in after that immediately logs in with the old credentials without asking for a new username and password. Closing and reopening the browser after the logout didn't help.
Firebase doesn't have access to your credentials when you use its Google authentication. Instead it uses OAuth to create a relationship between the Google account and your application.
When you call unauth Firebase expires the token that is part of the current session. But it does not remove the relationship between the Google account and your application. That's why you "automatically" get a new token when you call auth... next time.
It is up to each individual user to revoke the rights, which in the case of a Google account they can do at the Account Permissions page: https://security.google.com/settings/security/permissions

Google OAUTH2 - how to detect user is already logged in

I'm using Google OAUTH2 for my website. I can successfully log in using the Google authentication.
Here is what I want to do:
1) user goes to website homepage and user signs in by clicking "sign in with google" and login is successful and user is taken to logged user dashboard page.
2) user comes back after half hour, user goes to home page and they should get automatically redirected to logged in user dashboard instead of homepage since they already have a valid session.
Question: how can you detect if the user is already logged in? Should I be storing the access_token in the session to detect this? What's the recommended way to achieve this with Google OAUTH2?
Yes, you can store the access token in the session, but keep in mind that it could be expired. You should be able to get a new one with an immediate request.
You could also try and do session synchronization from JavaScript, if your site does not have its own session management:
https://developers.google.com/+/web/api/javascript#gapiauthchecksessionstatesessionparams_callback