How to verify a user by sending the same OTP to email as well as phone number to allow sign-up using Azure AD B2C user flows - firebase-authentication

I want to allow my users to register themselves by verifying an OTP that will be sent to their email and phone number simultaneously, and allow sign-up after verification. I am using Azure AD B2C user flows.
I am open to changing auth provider to Auth0 or Firebase if they satisfy this use case.

When it comes to Auth0, you would need to build out the functionality in your application code for a one-time password to be sent out to the email and phone number simultaneously. I hope this helps bring some clarification. Thanks!
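One way to build the flow this answer leaves to application code, as an added example that is not part of the original thread and not an Auth0 API: one code is issued to both channels, stored only as a salted hash, and checked with an expiry, an attempt cap and single use. The class name, the `send_email`/`send_sms` callables, and the lifetime and attempt limits are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed 5-minute lifetime
MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code


class SignupOtpStore:
    """In-memory pending-signup store; a real service would use a shared cache."""

    def __init__(self, send_email, send_sms, clock=time.time):
        self._send_email = send_email   # hypothetical callable: (address, code)
        self._send_sms = send_sms       # hypothetical callable: (number, code)
        self._clock = clock
        self._pending = {}              # (email, phone) -> record

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, email, phone):
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from the CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[(email, phone)] = {
            "salt": salt,
            "digest": self._digest(salt, code),    # the code itself is not stored
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_email(email, code)              # same code goes to both channels
        self._send_sms(phone, code)

    def verify(self, email, phone, submitted):
        rec = self._pending.get((email, phone))
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[(email, phone)]      # expired or locked out
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted))
        if ok:
            del self._pending[(email, phone)]      # single use
        return ok
```

Because both channels receive the same code, a correct submission shows control of at least one of them, not both; issuing a separate code per channel is what proves both.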

Related

How to authenticate user by phone and SMS (no password) with OpenIddict

I have a mobile app that requires authentication by phone number.
As this is my app if I had login and password I would use Resource owner password credentials flow.
Is it a good idea to use the same flow for the phone number scenario?

Consider using the authorization code flow for this scenario, it will give you much more flexibility for the login part.

How to send emails using smtp.gmail.com with an OAuth access token for a service account?

I know that smtp.gmail.com will no longer support less secure apps in 2021. In order to migrate to using OAuth access tokens, I am trying to understand the flow.
I do not want to access users' Gmail account information, I simply want to send them an email that contains a password recovery link for my application. Everything I've been reading talks about getting an access_token and displaying a consent screen to the user before sending emails. This indicates to me that all these tutorials assume you want to send emails on behalf of the user.
I just want to use a single Gmail account to send password recovery emails. How can this be achieved?

What approach should I use with Auth0 SMS and email one-time code

I am currently using Auth0 to allow users to log in to an application. I am building it using the embedded approach. I see in the Auth0 documentation that they support passwordless login for SMS and email, but I am not sure if that is the correct approach to use for a one-time code when a user forgets their password?
Has anyone developed a forgot password and reset through embedded with Auth0? What approach did you use? Is passwordless strictly for logging in?
Important - this is not the universal login approach.
Thanks.

There are multiple ways in Auth0 that a user can be authenticated. Those are categorized under Connections in Auth0. Passwordless is one way of doing so. In this approach there is no password involved, which means there can't be a use case where the user forgets his password for your application. (What can happen is that the user forgets the password for his email account, or the user no longer has access to the mobile phone where he receives the SMS from Auth0 for authentication.) So passwordless is not for resetting a user's password. It is just for authenticating the user.
If you provide an option to log in with username and password, you can use the Database connection type in Auth0. In this approach, there is a use case where the user forgets his password for your app.
In that case your application should provide the forgot password option. In Universal Login, there is built-in support for this. However, as you don't use Universal Login, you may have to implement that yourself. There are a couple of methods which are explained in the Auth0 documentation. One option would be to use the change_password endpoint in the Authentication APIs. This will send a reset password email to the user. The user can then use the link given in that email to reset his password. There is another option, where you can generate a password reset ticket in Auth0 using the password reset ticket endpoint. Hope you can use one of them for your requirement.

Check if email can be used for auth0 authentication before register/login

Imagine an invitation based service which allows only certain email addresses to register and then login.
As a developer, I would like to provide the user with a simple one-input form at the very beginning of the authentication process. The user provides only an email address; if the email is on a whitelist, the user is provided with a register or login form.
My question is how can I store the email whitelist and validate if the email is ok to login/register before accessing the login/register form in Auth0?

See https://auth0.com/docs/design/creating-invite-only-applications which gives instructions for invite-only flows.
Many SaaS apps allow self-service provisioning, where users can
register themselves and begin using the app. Other types of apps,
however, do not allow such signups. Instead, the customer (typically
an organization of some type) pays upfront for a number of users, and
only the end user with the appropriate credentials may sign up and
access the app. In such cases, you can use an invite-only workflow for
authorization purposes.

Google Identity Toolkit: Link multiple accounts?

I am looking for an "auth as a service" provider for my website that can let my users sign up using Google/Facebook and/or their own username/password. Trouble is, I am not able to find out if Google Identity Toolkit will automatically merge accounts if a user is using the same email address for their Facebook and Google accounts. Also, does Google Identity Toolkit support forgot password functionality for user/pass auth?

Yes, Identity Toolkit will automatically merge accounts based on the email address. In some cases, Identity Toolkit will need to ask the user for their prior credentials before doing the merge. As an example, if the user previously signed in with email/password, then later signs in with Facebook, they will be asked to enter their password one last time.
Identity Toolkit will also help you send password-reset emails. Here's the documentation for enabling this feature, and it is implemented in this sample.