What password will I ask if auth/account-exists-with-different-credential is thrown - firebase-authentication

Here is my scenario: a user signs in with the Google provider first in my web application, and after some time the same user tries to log in using the Facebook provider. Now, if the user's Facebook provider email id matches the previous Google provider email id in Firebase, it will throw an error like "account-exists-with-different-credential". In this case Firebase gives us the Facebook provider email id and instructs us to "Ask the user his password." What password will I ask them? If the user has to enter their Gmail password, will the user enter their Gmail password on a third party's site?

In your case, you will also get an email and a credential object (the Facebook credential) in the auth/account-exists-with-different-credential error that is thrown (error.credential and error.email). You then can call
auth.fetchProvidersForEmail(error.email)
to get the list of existing providers that correspond to that email. In this case you will get an array ['google.com']. Using one of these providers, you sign in the user with that provider.
auth.signInWithPopup(new firebase.auth.GoogleAuthProvider());
You can also set login-hint: error.email as a custom OAuth parameter on the Google provider.
After that, the user is signed in. You then link the previous Facebook credential to that user:
currentUser.link(error.credential);
You will now have that Facebook account linked to the existing Google account. The next time the user tries to log in via Facebook, the error won't be thrown again.
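The recovery flow from the answer, as an added example that is not the answer's own code. It uses an in-memory stand-in for the Firebase Auth calls the answer names (fetchProvidersForEmail, signInWithPopup, currentUser.link) so it runs offline; FakeAuth, makeCredential and the promptProvider callback are constructed for this example. The handler only links the pending Facebook credential after the user has completed a sign-in with the provider that already owns the email, and it refuses to link if that sign-in came back for a different account.

```javascript
// Added example (not the answer's own code): an in-memory stand-in for the
// Firebase Auth calls the answer uses, plus a handler that performs the
// recovery flow it describes: catch auth/account-exists-with-different-credential,
// look up the providers already registered for that email, sign in with one
// of them, and only then link the pending credential. FakeAuth, makeCredential
// and the promptProvider callback are constructed for this example.

class AuthError extends Error {
  constructor(code, email, credential) {
    super(code);
    this.code = code;
    this.email = email;           // the email that already has an account
    this.credential = credential; // the credential that could not be used yet
  }
}

// A credential as a provider popup would hand it back: provider id plus email.
function makeCredential(providerId, email) {
  return { providerId, email };
}

class FakeAuth {
  constructor() {
    this.accounts = new Map(); // email -> { email, providerIds: Set }
    this.currentUser = null;
  }

  // Stand-in for auth.fetchProvidersForEmail: providers linked to this email.
  fetchProvidersForEmail(email) {
    const account = this.accounts.get(email);
    return account ? [...account.providerIds] : [];
  }

  // Stand-in for auth.signInWithPopup; `identity` is the credential the user
  // obtained by completing the provider's popup.
  signInWithPopup(identity) {
    const { providerId, email } = identity;
    let account = this.accounts.get(email);
    if (!account) {
      account = { email, providerIds: new Set([providerId]) };
      this.accounts.set(email, account);
    } else if (!account.providerIds.has(providerId)) {
      // Same email, different provider: Firebase refuses to sign in and hands
      // back the email and the pending credential so the app can run a linking flow.
      throw new AuthError('auth/account-exists-with-different-credential', email, identity);
    }
    this.currentUser = {
      email,
      providerIds: account.providerIds,
      // Stand-in for currentUser.link(credential).
      link: (cred) => { account.providerIds.add(cred.providerId); },
    };
    return this.currentUser;
  }
}

// The recovery flow from the answer. promptProvider(providerId, emailHint) is
// the app's way of sending the user through the popup of the provider that
// already owns the account (with the email passed as login hint); it returns
// the credential that popup produced.
function signInWithLinking(auth, identity, promptProvider) {
  try {
    return { user: auth.signInWithPopup(identity), linked: false };
  } catch (err) {
    if (err.code !== 'auth/account-exists-with-different-credential') throw err;
    const providers = auth.fetchProvidersForEmail(err.email);
    if (providers.length === 0) throw err;
    const existing = promptProvider(providers[0], err.email);
    const user = auth.signInWithPopup(existing);
    // Link only if the user proved control of the very account that owns the
    // email; a popup completed with some other account must not get the
    // pending credential attached.
    if (user.email !== err.email) throw new Error('signed in with a different account; not linking');
    user.link(err.credential);
    return { user, linked: true };
  }
}
```

The point the stand-in makes visible is that nothing is linked on the strength of a matching email alone: the user has to get through the existing provider's popup first, and that is what stands in for the "ask the user for a password" step when the existing provider is Google rather than a password account.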

Related

Auth0 - how to create a user without a password, or how to include password in verification email

We have a web app (SPA Angular app talking to a .Net Core Web API) which uses Auth0 as the authentication server.
Now, I'm not sure if this would be an "invite flow" or "invite-only flow", or something else, but basically, a user will go to our web app, and create an account on our system. Our API then creates an Auth0 account for this user using the Auth0 Management API. This user is then considered the Administrator. She can then create as many users as she wants for her staff. For each user she creates, our API creates an Auth0 user using the Management API.
Since, as far as I'm aware, a user must be assigned a password at the moment of creation (i.e. you cannot create a user without a password), the administrator must pick a password for each user she creates.
Additionally, each time a user is created, Auth0 automatically sends out an email to that user asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen where they have to fill in their email address and password.
My problem is that, unless the administrator tells them what password she picked for them, there's no way of them knowing.
My question is: is there a way to defer picking a password until the user logs in for the first time? So, when the administrator creates the user, she doesn't pick a password. Then, upon the user's first login, they pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the email verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.
Thanks

How to implement reset password in Amazon Cognito if we don't have an email and phone number? We are using loginname for sign-in to the Cognito account

I want to implement reset password functionality in Amazon Cognito. I am using a login name to sign in to the Cognito account. Cognito sends the verification code via email or phone, and I am not using these fields in the user details. How can I implement reset password in the case of a login name?
You need either an email id or a phone number to reset a user's password. Both forgot password and admin reset password use the same flow, which will throw an invalid parameter error if neither a verified phone number nor email address is registered for the user.

Microsoft graph is remembering the user after authentication

I'm using Microsoft graph in my Android project to authenticate users.
I'm doing so via this method:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-android
After a successful login, Microsoft remembers the user's email, so the next time the user tries to log in it will suggest using a previously logged-in account. If the user chooses a previously used email, a password is not required.
The problem arises when we have a single device where multiple users need to log in via Microsoft. In this case a new user will see the emails of previously logged-in users and can select their email and log into the account without entering any password.
My question is: how can I avoid this behavior and close the session after each login?
Thank you!
You can tell ADAL to request credentials again by switching PromptBehavior from Auto to Always:
// Perform authentication requests
// PromptBehavior.Always forces the sign-in UI every time instead of
// silently reusing an account cached on the device.
mAuthContext.acquireToken(
        getActivity(),
        RESOURCE_ID,
        CLIENT_ID,
        REDIRECT_URI,
        PromptBehavior.Always,
        getAuthInteractiveCallback());

Is Google Login secure? (PHP CLIENT)

I use the Google API PHP Client on my website.
Once a user logs in with Google after clicking the Google Login button on my site,
I collect data from the Google response, which contains the Google profile ID data.
CHECK, Register and Login logic:
If the profile ID does not exist in my user table, I store this visitor's Google ID + other data from the Google response in the MySQL user table.
If the profile ID exists, I set the visitor's session, and this user will log in directly without needing to enter a password.
Is it secure to do this logic for login and registration? Is it possible for a hacker to bypass the Google ID with this Google PHP API client that's already built with a unique token, client id and client secret?
I use the PDO driver with prepared queries.
Since the Google PHP client process works in the backend with multiple layers of security by Google (token, client id, client secret) + my server security (e.g. CSRF protection), I personally consider the Google PHP client secure. Otherwise, the Google account is hacked by someone who can log in to the client account. But the point of the question is "is Google Login secure? (PHP CLIENT)", and the answer is 'Yes, it is trusted and secure'. Because if someone can hack the email account, the hacker can also reset most social and media accounts registered with that email even without the Login with Google button, because most sites with public users use email as verification.

Association of OAuth between providers

I was looking at Khan Academy and I'm wondering how their authentication works (probably many other websites have it the same).
When you log in with a Facebook account that has the email "aaa#gmail.com", completely log out, open another anonymous window, and log in with a Google account that has the same "aaa#gmail.com" email, you log into the previously created account.
My questions are:
Do they make the association to the account based on the email your social account has?
I'm sure their solution is secure, but is this common and normally doable so there won't be any possible exploitations?
I'm using a system of OAuth2 to grant access to my app, dvouch.
First you have a registered user on your website, with a unique email.
So what basically happens is:
The user visits your website (the website doesn't know who the user is).
The user clicks to log in through one of the OAuth2 providers.
Your website proceeds to start an "OAuth2" handshake: it redirects the user to the provider's OAuth endpoint, along with some information, like what scopes you're asking for (email, personal info, public info, etc.), the URL to send the user back to after the authentication is done, your application tokens (that are registered in the provider's app dashboard), and so on.
Let's say the provider you chose was Facebook. Facebook receives your request for an OAuth2 authentication. It also receives the scopes you're asking for, which URL you want the user to go to after being authenticated, and your application credentials.
It checks that the credentials you're sending are valid, and that the callback URL you're asking the user to be sent to afterwards also matches what they have registered for your app (so that someone can't simply steal your app credentials and have users redirected somewhere else). If everything is fine and dandy, it will then present the login window to the user. This login is happening on the provider's page, not on your website.
The user logs in (inside Facebook or Google, not your website). The provider sends them back to the callback URL you specified at the beginning of the handshake.
You (your website) receive the user back with a bunch of information, such as the email of the user who just completed the OAuth2 flow.
At this point you use the email that came in the callback and identify the user through the email. Since all emails are unique, and since your user had to be registered with that email on the provider, you are safe to assume he's the owner of the email.
(Technically things might happen a bit differently.)
It's basically very secure as long as the website has the regular security measures. Of course, if someone has access to your Facebook (or whatever) account or email, they can log in as if they were you, but that would happen either way, whether they offered OAuth or not.
Then, as long as you verify you're logging in on the correct provider's website (like Facebook's or Google's and not something else), you'll be fine, since no one else will be able to see your login. Since a "scope" of authorizations has to be passed as well, you as a user can also see what the application is asking for (email, access to your inbox, whatever) and decide whether you want to grant those scopes or not; if you decide not to grant access, then Facebook will not pass back that information, which in turn renders the process safe.
The only way it wouldn't be safe would be if you had malicious software installed on your computer to log your activity, and in this case you would be screwed either way.