Using Back&, I'm working on creating the "Custom Verified Email Page" & the "Custom Reset Password Page" to work with my app so that users can verify emails at signup and request password resets via email.
Does anyone have an example of what these pages should be doing? I know the URL receives a token for the transaction but what are we suppose to be doing with it?
Thank you.
You don't have to do anything with it (look under security -> security acctions -> newUserVarification. Backand handles all of it for you. Make sure you specify a Custom Registration Page URL and the Custom Verified Email Page URL. If you don't have the registration url, the link in the email to confirm you as a new user will always send you to a blank page that reads, "SignUp redirect url was not supplied in configuration".
Related
I have auth0 setup to send a Verification Email (using Link) and a redirect URL - http://localhost:3000/app/registration
When I create a user it’s working and they get the email, and it redirects with this URL:
http://localhost:3000/app/registration?supportSignUp=true&supportForgotPassword=true&message=Your%20email%20was%20verified.%20You%20can%20continue%20using%20the%20application.&success=true&code=success#
The problem is: according to this link, it should include the email address of the registered user; however, it is not. Is there a reason for this? If I could simply pass the email, I could make an API call and complete the registration process through the auth0 API.
My intention is to send the user to a special registration page on my single page application site where they can finish the registration process and set their password. Any help with this would be appreciated - thanks!
I am using Keycloak and I want to enable Forgot password flow. I have enabled Forgot password in login and configured SMTP to send email.
What I get out of the box from keycloak is the following
-> Click on Forgot password link -> Enter username or email -> User receives an Email with reset link -> Click on the link -> Reset password, then submit -> User is logged in then The user is redirected to account page.
What I want to acheive is the following
-> Click on Forgot password link -> Enter username or email -> User receives an Email with reset link -> Click on the link -> Reset password, then submit -> Display a message saying "Your password has been updated." and do not login the user. stay on that page.
The reason for this is, for my use-case, the user shouldn't access the account page on Keycloak.
In the authentication flow of reset credentials, I can only configure up to reset credentials.
Is there any way I can disable this action of logging in the user automatically after password reset, then redirecting to account page?
I have looked into several questions, but I cannot find an answer on how this can be achieved.
PS: I am using Keycloak docker image with a custom theme. If this can be configured using custom theme options, I have the chance to do it.
Thank you in advance.
Go to your keaycloak admin console, Authentication and desable "Update Profile"
Hopo it helps :)
We faced similar issue during keycloak usage and solved it via implementing custom Action Token and Action token handler (docs). Also check out original keycloak reset credentials action token sources:
ActionToken
ActionTokenHandler
Try to play around AbstractActionTokenHander.startFreshAuthenticationSession() there several attributes that define Keycloak behaviour during reset flow like:
authSession.setRedirectUri(token.getNote(OIDCLoginProtocol.REDIRECT_URI_PARAM));
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
If you're using your own client for the login page, the specified redirect, or the client default (Base URL) will direct where the user is sent after the password reset.
We did see that when using an admin-directed password reset, this behavior would occur (user sent to Keycloak account page). So, we simply adjusted the Base URL value for the account client so that it points to the home page of our primarily application.
Then, after the account client is used to reset the password, the default redirect is to our home page.
I have set a web browser control in winform and navigate to the following url-
https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxxxx&redirect_uri=https://www.facebook.com/connect/login_success.html&display=popup&scope=publish_stream,user_status&response_type=token
It show the login dialog box. After enter username and password facebook redirect to following
url-
https://www.facebook.com/login.php?skip_api_login=1&api_key=xxxxxxxx&signed_next=1&next=https://www.facebook.com/dialog/oauth?redirect_uri=https%253A%252F%252Fwww.facebook.com%252Fconnect%252Flogin_success.html&display=popup&scope=publish_stream%252Cuser_status&response_type=token&client_id=xxxxxxxxxx&ret=login&cancel_uri=https://www.facebook.com/connect/login_success.html?error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied%23_=_&display=popup
and display a message with two button called "okay" & "cancel"
xyourappxxxx would like to access your public profile, friend list and status updates.
if i click on "Okay" button this will redirect to following page with the msg of--
page---https://www.facebook.com/dialog/oauth/read
message---Success SECURITY WARNING: Please treat the URL above as you
would your password and do not share it with anyone.
application type: Native/desktop
App secret in client: no
Client OAuth Login: enbl
Embedded browser OAuth Login: enbl
Sandbox mod: ON
Problem is after authorization facebook not redirect to my redirect_uri and not getting any access token.
I am using vb.net 2008 express
thanks
I might be mis-understanding your question/issue, apologies if so..
in your first line.. you have the redirect_uri set to just go back to facebook, whereas it's supposed to be the URI of the page on your site that you want facebook to send the user to after they authenticate and approve your app, no?
in other words shouldnt your first line be:
https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxxxx&redirect_uri=**https://WWW.YOURDOMAIN.COM/YOURPAGE.ASPX**&display=popup&scope=publish_stream,user_status&response_type=token
after the user clicks "okay" on the popup, it will then redirect them to YOURPAGE.ASPX on your site, passing the access_token
As you can see, some Facebook games have custom page for "Didn't allow" user action. It shows when applicataion try to install and user click "Didn't allow"
f.e. - Cityville by Zynga - http://gyazo.com/6e398bfa6b803a23cfc36a32a6956e48.
How can I make the same page for my app?
If the user did not "allow" your application, he/she will be redirected (via HTTP 302) to the URL specified in the redirect_uri parameter that you specified in the authentication parameters with the following data :
http://YOUR_URL?error_reason=user_denied&
error=access_denied&error_description=The+user+denied+your+request.
All you have to do is handle this data and display the message that you want to the user.
This information (and a whole lot more) can be found in the facebook authentication documentation
Background
We are integrating third party email solution into our site. When a user goes to the Mail page it must be automatically authenticated at the Mail site.
For now, the Mail link points to our page which automatically submits a form with the user's login and password. After clicking submit the user is redirected to the Mail site with authentication cookie.
The problem with this approach is that we do not want the user to see his Mail password, because we generate it automatically for him and there are some sane reasons not to show it.
Question
Is there any way to receive mail authentication cookies without sending the login information to the client and performing form.submit operation from the client's browser? Is there a better way to do what I'm trying to do?
Edit
Of course "I am trying to do it programatically". Looks like that there are no sane solution except pass these login/password to the client. Looks like we must accept that user can see his mail password and somehow make sure he cannot use this information to change password to some other value we will not know.
Edit: I didn't read the post correctly, I thought he was trying to login to a remote mail application, not one hosted on his own server. Ignore this answer.
When you login to the remote third party mail website, they will create a cookie (since HTTP is stateless, it's the only way it knows the user is authenticated unless they store some kind of session ID in the url). When you send the user to that site, the site needs to know how to authenticate the user. Even if you logged in from your application and grabbed the cookie, you can set a cookie on the users browser for another website. The only way for this to work is if there is some kind of development API on the third parties website you can hook into, or they allow you to use session id's in the URL.
Possible solution but has a security risk
If they allow you to set a session_id in the URL (for instance, PHPSESSID in PHP) then you could grab the session ID and append it to the URL when sending it to the user. I don't really like this idea since if the user clicks on a link in an e-mail, the new page will be able to check the referrer and see their session ID in the URL. This can become a huge security risk.
Lookup topics related to your mail vendor and "Pass-through Authentication." You did not mention what vendor/software you are using for your web mail solution, so I can't help you very much there. Other than forwarding the user's information (in a post request) to the login handler.
Generate unique IDs before sending an email and put them as hidden instead of username/password into form. Make them disposable (usable only once or usable once before successful entering the site)