Issue with Password Reset Flow for Blazor with Azure AD B2C - asp.net-core

We have a Blazor WebAssembly app running on .NET Core 3.1 and using Azure B2C Authentication Flows.
Login flows work just fine.
We now need to implement the Password Reset Flow.
The defaults were not working so we followed this guide for a workaround.
https://iheartms.azurewebsites.net/2020/04/10/blazor-aad-b2c-additional-user-flows/?fbclid=IwAR0LQn1zeXPY5JIpezJkMtdzmQSkP38PkFzGeFeUM72-pSD1-rvTsR0BWOE
It worked for the most part: we are able to reset the password. However, when the flow navigates back to the Blazor app with the token, the passwordreset-callback page is displayed but does not redirect to the main page.
We even tried to override all of the methods in the page component to check whether any of them is executing, but none is.
We need a way to fix this, so the users can log in after resetting the password.

The password reset flow was just updated in Azure AD B2C; please refer to the updated docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow#self-service-password-reset-recommended
They have removed the need to trap and handle an error code on the client, as it is all handled by Azure AD B2C.

Related

How to get >24h refresh tokens for mobile app with Azure B2C?

We are currently looking into creating a mobile app with React Native (Expo). The whole authentication stuff works now after a bit of tinkering. But what's a problem for us is that apparently you are not able to get refresh tokens which are valid for longer than 24h when you use the code flow with PKCE.
As far as I've gathered from online resources, it's recommended to use PKCE for mobile apps for security reasons. But having the user do a complete login again after 24h is kind of a show stopper for us.
What other options are there to use refresh tokens which are valid for more than 24h in a secure way for mobile apps?
Refresh tokens issued to SPA applications (PKCE flow) cannot be managed using B2C session management and are valid for 24 hours only.
After 24 hours, the app must acquire a new authorization code to get the new access and refresh token.
The only workaround option available is to use "Keep me signed in". In order to set the KMSI checkbox checked by default, you need to use JavaScript, as there is no option available for this purpose in B2C user flows or custom policies.
It's documented very confusingly. But it turns out that if you have registered your redirect URI as a Mobile/Native app, then B2C will just use whatever refresh token lifetime you have specified, even with PKCE.
So if you use the redirect URI of an SPA (and you configured it as such), it will issue 24h refresh tokens no matter what you do.

logging out of Okta hosted login page on mobile (React Native)

I have a React Native app that uses Okta's hosted login page to authenticate.
When a user successfully authenticates for the first time through the PKCE flow, on every other login afterwards, they get automatically logged in as the same user.
I've used additionalParameters: { prompt: 'login' }, but it only asks you to re-enter your password, and if you click sign out, it brings you to a Citrix page that doesn't change anything about the flow: they still get logged back in as the same user after the fact.
I've tried using both the revoke and logout endpoints, which actually changes the cookies a bit, but doesn't affect the flow; the same goes for restarting the app.
The only way is to clear hardware settings in Xcode.
This may not even be an Okta specific issue, perhaps a general OIDC issue.
How does the hosted login page store and know you've previously logged in and how can that be fixed?

Handling both Windows and anonymous auth in ASP.NET Core

I have a project in ASP.NET Core 2.0. I want users to be logged in automatically with Windows authentication if possible, and fall back to a login screen if not. If I enable only Windows auth and not anonymous auth, the Windows auth hits my middleware just fine and everything is good. If both Windows and anonymous are enabled, however, my middleware is getting an empty ClaimsIdentity instead of the WindowsIdentity even if they're logged in via Windows.
From another answer, I found to use the below code to force a Windows auth check:
await HttpContext.ChallengeAsync(IISDefaults.AuthenticationScheme);
With this I was able to use cookies to force a challenge if it hadn't already been attempted, and to show my login page if it had. The problem now is that browsers throw a built-in login message on that Windows challenge if the user isn't logged in.
Is it possible to accomplish this goal in any better way than what I'm doing now? Users having to click cancel out of that forced popup to get to my login screen is annoying, but if there's no better way then that's what it'll have to be.

Login in App via Moodle credentials and LTI - Provider or consumer?

I have a simple question that I can't solve with the resources about Moodle and LTI.
I want my users to log in to their app with Moodle credentials (as often done with e.g. "login via Facebook"). Is my app the consumer or the provider?
I first thought the app is the provider, but some points make me question that:
No, I do not want to start the app from within Moodle.
No, I also do not want to embed my app content in Moodle.
I just want the users registered in Moodle to log in to an app with their Moodle username and password.
All content I found on LTI providers assumed the opposite of points 1 and 2.
However, I also found that Moodle can be a provider itself. It has been shown to be embedded in an external application. But in my understanding, the consumer is responsible for authenticating the login (which is the opposite of point 3).
Am I missing something that makes it so hard to see the solution here?
I found Atomic Jolt's try_oauth repo will do exactly what you want. It also has an excellent code-along video which explains the workflow really well.
You navigate to the app and it opens up a Canvas authentication page and grabs the user's credentials.
https://github.com/atomicjolt/try_oauth
Hope that helps.
There is a plugin for Moodle which makes it an OAuth2 provider. You could use that to allow authentication in your app with Moodle credentials.
https://github.com/projectestac/moodle-local_oauth

How to implement "remember me"-like functionality?

I am developing a hybrid mobile application using IBM MobileFirst Platform.
I am using the custom authentication module example to implement the login module. The problem here is that when the user closes the application, the app gets logged out.
Is there any way that I can implement this so that the user will not be logged out unless they opt to click on the logout button? In simple terms, I am trying to achieve something similar to Facebook's "remember me" option.
You could do something like this (very rough idea):
As part of your authentication flow, if the user has passed the authentication, store in either localStorage or JSONStore a "token" that will basically state that the user has previously logged in. Also save in the server's database, using userPrefs, something to validate the token.
Whenever the app launches, it will attempt to connect to the server. The environment will be protected with a securityTest so that the server will present a challenge: if a token exists it will attempt to verify it; if there is no token, a login form will display instead.
Assuming this is a first-time launch, if the login passed successfully then store a token on the device and store in the database its "public key".
The next time the app is launched the challenge will be presented again, but this time, since we have a token, it will attempt to verify it. If verified, don't present the login screen; skip the rest of the authentication flow and display the secure content.
Something like that...
Perhaps to create a 'better' user experience, on app launch also extend the splash screen duration while you're checking for the token. This can be done using this API method.
On logout, clear the token from the device and server.