We're using our staff users on GSuite to authenticate with our management system which we are restricting to our hosted domain.
We'd like to be able to grab our staff's phone number from their company Google account so we don't have to build separate CRUD to allow us to manage their phone number.
Users are authenticated with the 'email' & 'profile' scopes.
Is it possible to retrieve the user's phone number in addition to their name, email, image?
See all the Google scopes.
There is a scope for Phone#
https://www.googleapis.com/auth/user.phonenumbers.read View your phone numbers
Related
I'm working on setting up a product that can be used by multiple companies. These companies would authenticate via a Federated Identity (Google and Microsoft). Once logged in, they will be presented with a dashboard that has data tied to their account.
My current thinking is:
User enters their company email
An API is triggered that will lookup the identity provider given the company email's domain (EX: "#someCompany.com")
API will respond with a redirect URL to SSO.
Should I be making a User Pool for every company that registers with my product? Or should I be creating Groups within a single User Pool for each company?
So I read a lot about social login on the web.
The problematic flow is:
1) User sign up with regular email
2) User sign in with Social (Facebook, Google, etc.)
What should I do?
If the social email is different from its original email, that's ok, for me it's a different account.
But, if the email is the same, I'm acting like it's the same user.
The problem is the following scenario:
1) User signup with regular email
2) An attacker signup to Social with the user email (without email verification)
3) The attacker can log in to my system as the User.
So the question here is, are there main socials (facebook, google, ...) that allow social login to other site, without verify the user's email?
What do you think? Thanks!
Most sites actually just map social snowflake values to user ids. For example the flows would go like this:
Here is the flow if the user signs up with email
User signs up with regular email
User can now link their social to regular account to login with social (email doesnt have to match)
Profit
Here is the flow if the user signs up with a social
User signs up with social
Use social to autofill normal account fields
Ask for any additional fields needed (leave password null if you like to require social login)
Link social snowflake value to existing account.
If you need any clarification ask but I tried my best to explain :)
Current providers that are considered 'safe' for the problematic flow you are mentioning would be Google and Microsoft (including Azure AD) to my current knowledge.
I've noticed that my android phone, the iphone, outlook.com, and yahoo mail all can import my friends' email addresses (and sometimes phone numbers) from facebook. However, I don't see anywhere in the documentation of the API to suggest that you can get email.
Do these services have special agreements with Facebook or am I just not finding the specific api for "contact" importing? I've not had any luck using "email" field with friends api.
Any ideas?
These services have some special agreements with Facebook and thus are able to retrieve the Email Ids of the Friends of the User. Most of them don't allow further exporting of data obtained from there directly.
And as per Email Permissions documentation here it clearly states that for App Developers
Note: There is no way for apps to obtain email addresses for a user's friends.
As per the phone number, there is no access to it no matter what permission. You may though ask the user to fill those for you.
I've integrated social logins (Facebook, Twitter, etc.) with a Rails app using Devise and OAuth. The requests and callbacks all work great and users are able to authenticate the app and login efficiently.
My problem is this:
With Devise, my site has the user's email address as the username. So, whenever a user logs in through a social site for the first time, a 'connection' record is stored for their account to show which social sites they've logged in with. If they don't already have an account on my site, one is created with the email address from the callback array. The connection is then stored along with the returned tokens and secrets for later use (FB posts, tweets, etc.).
Unfortunately, Twitter doesn't provide the email address. To circumvent this, I'm asking first-time users that login with Twitter to simply provide an email address so an account can be created. However, I can't figure out what to do if they already have an account on my site. I can't check if they already do since I'm not given an email address to match up. This could ultimately cause a user to have multiple accounts.
So, I'm a bit at a loss, and if anyone has any suggestions, it would be extremely helpful.
Thanks! :)
You'll need to store some oauth provider info like {provider, twitter identifier} too to your database and then check twitter oauths based on that instead of the email ID.
The simplest thing to do would be to add a slightly different flow for if the login was via twitter. Ask a first time Twitter login user for the email ID. In your users table, add a column called tw_id and add the users twitter identifier. Next time, if the login is via Twitter, you check the tw_id instead of the provider email and proceed with the normal app flow.
i want to know if its possible to get the email of the people who are using open id to authenticate to my site [of course with the user knowing that i am getting their email]?
this email will be the user id of the user and i want the user to be able to loggin using any provider and then i will set this email as the user identity.
i need this information in order to design the structure of my site.
i am looking into the following open id providers.
Gmail
Yahoo
Facebook Connect
Hotmail
thanks
Use open social API's...
OpenSocial defines a common API for social applications across multiple websites. With standard JavaScript and HTML, developers can create apps that access a social network's friends and update feeds.
Refer to this link for more:-
http://code.google.com/apis/opensocial/
Who says the OpenID provider has the user's e-mail to give to you? I can get an OpenID identity that's accessed only by my fingerprint.