I'm using auth0 one-time password option to set up MFA in my application:
https://auth0.com/docs/mfa/guides/configure-otp
This allow users to set up the MFA with google authenticator or similar applications that read the QR code.
I'm also an user of this kind of MFA in multiple services, as for example, Slak, GitHub or Auth0 itself. I've seen that when having a lot of applications it can be a bit messy, but Slak or Github have their picture set up in the authenticator application.
Is there anyway I can setup the icon of my application using this option on Auth0? I guess the image is also in the QR code that is scanned. If auth0 doesn't give you that option, but it exists, is there any other option to generate the MFA QR for my users including my app icon?
I've seen in their code that https://freeotp.github.io/ uses a parameter image when generating the otpauth uri, even they refer to https://github.com/google/google-authenticator/wiki/Key-Uri-Format where there is no documentation about this parameter. It seems to work. The open standars HOTP and TOTP neither has any information about the image, so I guess is not part of the standar.
No idea yet about how could I implement it with auth0, so bounty still open for that.
Related
With Firebase's Admin SDK, I want to allow a user to login (verify the user with my Firebase instance) without any JavaScript on the front end. Just an old fashioned POST, with the form data in the request body.
Then in node (server side) verify the email and password on the back-end, retrieve a token, update the user's session, pass back a cookie, etc. I've been digging around various examples and the Firebase Admin SDK docs but have not found an answer.
I can do it if I run the non-admin-SDK Firebase module, in node, but this seems like an odd approach to me, especially as I need the Admin SDK for some other things.
I could see why they want to force a "triangle" approach like say payment auths use.
Authorize with Firebase on the front end and pass a token to the back-end.
Not allowing the password to possibly be sent or stored on the node server unencrypted.
But I want to pass as little JS to the client as possible and I want my site (MPA) to be progressive (not need JS). It seems odd they would not address this in their docs. Other than in some explanation of how to write one's own validation or integrate with another.
If anyone can describe how this can be done or what the recommended approach is, I would be very happy.
Firebase's Admin SDKs are designed to be stateless, so don't have a concept of a current user. The recommended approach is what Firebase Authentication does, sign in on the client and pass an ID token with every request/connection to establish the identity of the user.
If you don't want to use Firebase's SDKs in your client-side application, you can call the REST API. I'm not sure if you can construct the right call with a FORM post though.
Also check:
Sign in with Firebase-Admin using node.js, the main answer is the recommend approach.
How to authenticate an user in firebase-admin in nodejs? shows how to sign in a user in Node.js with the regular/non-Admin SDK. This is probably closest to what you want to accomplish.
I am in control of three twitter accounts: One is my main account, the other two are supposed to automatically post content via a bot. I created the bot logic and added it to Twitter's development tools and I can easily use it to post to my main account.
Now I need to add the access tokens for my two secondary accounts. My question is - what's the easiest way to do this.
As far as I can see, Twitter only enables one way to do this: 3-legged OAuth flow. It is not too complex, but it seems to me to require setting up a mock website with callback url, which seems like too much considering I only need to generate two api tokens. Am I missing something?
There are some alternative ways to generate access token and access token secret for OAuth 1.0A via command line tools which allow you to use the “PIN-based” OAuth flow.
One example would be Twitter’s own twurl tool for API testing, which requires you to also have Ruby installed. This will let you authenticate a user account (it still pops open a window onto twitter.com to have you do the authentication) and stores them into the ~/.twurlrc file in your home directory. There is also tw-oob-oauth-cli which is a standalone app for doing the same thing.
You're not missing something. The reason this is required is to force users have a browser they trust open and see that they are on https://twitter.com/, so they can trust that it's a safe place to put in their password.
I'm using okta to sign-in to my react based web application. There is an edit action within the app that requires the user to re-enter his password. I've checked the docs and couldn't find anything similar. The closest I got to was the 're-authenticate' user part. However, that's only based on time. I want to achieve similar functionality based on an event(say, button click). Can I do this using refresh tokens? (I'm not clear about the whole idea of refresh token). Is there a workaround or a specific okta API that allows me to do this?
I have contacted Okta support and they advised me to use the Okta MFA factors(OTP to email/phone, Google Auth etc.) and not to prompt the user to enter a password.
MFA Factors API: https://developer.okta.com/docs/reference/api/factors/
I am making a mobile application where users can connect their twitter accounts to the app. I am just kinda curious what's the best way to do it.
Right now, I would love to be able to make my own custom page (without having to use a UIWebView).
Is this possible? If how, so?
Thanks.
As I understand, you don't want the user to be redirected to Twitter's OAuth authorization web page. You can use xAuth instead, but you have to send Twitter an email why you want this, and they won't allow xAuth for your app until it is in a very late development state (when your app is almost complete). You can find the manual for xAuth in the Twitter development documentation.
Basically, what xAuth does is it allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. This way, you can provide the user with custom fields (e.g. UITextField objects) to fill their username and password in. Just make sure you don't save them anywhere, only the access token. Good luck. :)
A quick web search reveals MGTwitterEngine
GMail can used as a SMTP server. I've written the code that does it. But as we all know GMail may occasionally authenticate using captcha (image verification as they call it). The same thing may be the cause to reject SMTP authentication.
As I've seen google shows image verification when you try to log-in for the first time from some machine. All consecutive log-ins from the same machine (to the same account) use regular login. I'm a bit afraid this captcha may also come up again for some other reasons that I can't control.
So. Is it possible to still authenticate when special measures are needed? And how?
I should also mention that logging in from the machine via web browser also enables programmatic SMTP authentication.
Try:
http://www.google.com/accounts/DisplayUnlockCaptcha
Or for Google Apps for your domain:
https://www.google.com/a/yourdomain.com/UnlockCaptcha
I can bet it's an IP based solution, so if your app if deployed somewhere else, It doesn't help.
Google doesn't seem to be particularly clear about what prompts them to block a user's account until he has successfully entered a captcha phrase. However, it's likely that this is a mechanism which is triggered when Google sees what it considers to be unusual or suspicious activity associated with your account. As a result, I would expect it to be unlikely that they will supply an option to opt out of a mechanism which is protecting both them and you, although others are welcome to find evidence to the contrary.
Various discussions of when and how this happens throw up some suggestions which you might like to try to see if they help, such as choosing a stronger password or simply changing your password. Good luck!
IMHO The right way to do this, without implementing the user consent workflow or "hacking your account's security settings", is obtaining a refresh token with the Google OAuth2.0 Playground for Offline Access. After that, you can authenticate using the OAuth 2.0 API.
I got it working after reading Nodemailer/Gmail - What exactly is a refresh token and how do I get one?