Login without password via link with authentication token - authentication

To make the experience for our users more convenient, we implemented a feature which allowed a user to automatically get logged in when he clicks on a link he received via email.
In the past he had to click on the link and then had to enter his password. By providing a special security token in the link, we can now automatically login the user without the need for entering his password.
A few days after we went live with this feature, internal pages (which can only be accessed via password or via the special email link) appeared in the Google search results. We are using Gmail as an email provider for sending emails from our system.
The only explanation I have for this behaviour is that Google is crawling the links in the emails, which is not very nice of them if those are "private" links.
Is there a safe way to still allow users to login without password via a special link they receive in their email, without Google being able to crawl the internal pages?
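
One way to build such a link so that an automated fetch of the URL neither logs anyone in nor leaves an indexable page, as an added example (not code from the original post). The `app.example` URL, the 15-minute lifetime, the in-memory store and the function names are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime, tune to your mail latency

# Sent on every response under the link URL: keeps it out of search indexes,
# out of Referer headers sent to third parties, and out of shared caches.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}

_tokens = {}  # sha256(token) -> row; stand-in for a database table


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(user, now=None):
    """Create a single-use token; only its hash is stored server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[_digest(token)] = {"user": user, "expires": now + TOKEN_TTL, "used": False}
    return f"https://app.example/login?t={token}", token


def handle_get(token):
    """GET never logs anyone in and never consumes the token: crawlers and
    mail link scanners only send GETs. The page it returns holds a
    'Continue' button that POSTs the token back."""
    return 200, PRIVATE_HEADERS, "confirm-page"


def handle_post(token, now=None):
    """POST redeems the token once; returns (status, headers, user or None)."""
    now = time.time() if now is None else now
    row = _tokens.get(_digest(token))
    if row is None or row["used"] or now > row["expires"]:
        return 403, PRIVATE_HEADERS, None
    row["used"] = True  # single use: a replayed or leaked link is dead
    return 200, PRIVATE_HEADERS, row["user"]
```

After a successful POST the application would set its normal session cookie and redirect to a URL that carries no token.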

Related

Firebase authentication provider silently changes from password to google.com

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".
When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").
Is this normal behaviour?
Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.
If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).
Also see:
Github issue Facebook provider overwritten by Google provider
Mailing list Firebase Social Authentication Issue with fb and gmail flow
Authentication using Facebook at first and then Google causes an error in Firebase for Android
This is how I'm solving it:
https://firebase.google.com/docs/auth/android/account-linking
Just link the "accounts".
Update 2023:
You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.
If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.
You can find this under settings within Firebase Authentication.
There are some caveats to using this feature, please read about it here

Google Authentication via PHP Client Library/oAuth2

I have searched long and far for this on Google Identity documentation but my question seems to be out of its scope (https://developers.google.com/identity/protocols/OAuth2).
This is what I have:
I have an app that is using Google's PHP Client library to authenticate a user via oAuth2. My application stores the retrieved token & refresh token from a user. I am able to use this token and refresh token to pull in information from various Google API's (Drive, Calendar, Mail, etc). I am also storing a cookie in browser to keep the user logged in to the application when the user closes the browser. I have created a simple way for users to login to the application via a QR code that matches up their stored token and refresh token. After the first login they are able to simply use a badge to login to the application.
This is what I want but don't know how to do
When a user logs into the application with their QR badge everything works perfectly (I am still able to pull in anything via the PHP Client Library/Google API's), however when a user goes to Gmail, Drive, or other Google service, Google is asking them to login (it's because they are not technically authenticated with accounts.google.com (only my application)). Is there a way to programmatically authenticate a user to accounts.google.com via a stored token/refresh token?
I was searching for a proper way to implement authentication of users with Google accounts into an app I'm developing. One thing led to another and I found this:
https://github.com/thephpleague/oauth2-google
They have a few implementations depending on how you may wish to implement OAuth2 (via separate repositories). I believe this directly answers your question, albeit 3.4 years later. Hopefully it will help someone else who is looking for this info.

integrate login to my sites with OpenId or OAuth

I have a few sites developed with Zend Framework 1 and Zend Framework 2. I want users to register on the main site, and on the other sites I want to have a login button. If the user clicks on login:
1- If the user has already logged in on the main site, the user logs in without entering any information.
2- If the user is not logged in on the main site, a popup opens and asks for his username/password of the main site, then logs in to the site.
I don't understand whether that is possible with OpenID or OAuth.
In OpenID the user must generate an OpenID ID, for example:
http://www.example.com/USERNAME
But I prefer that the user doesn't enter any additional information.
For example, on Stack Overflow you can use a Google or Yahoo account.
If you want to use a Yahoo account it asks for your OpenID, but I don't know what system Google uses that does not ask for any ID; the user just enters his email and password if he is not logged in to his Google account.
I prefer the Google system, where the user does not enter any URL to log in.
Sincerely
Clicking the Google button on the Stackoverflow login screen secretly fills the URL
https://www.google.com/accounts/o8/id
as OpenID URL. This is an XRDS file which tells the OpenID library where the auth server can be found.
The OpenID spec defines this in section 7.3.1:
If the end user entered an OP Identifier, there is no Claimed Identifier. For the purposes of making OpenID Authentication requests, the value "http://specs.openid.net/auth/2.0/identifier_select" MUST be used as both the Claimed Identifier and the OP-Local Identifier when an OP Identifier is entered.

OneDrive Authentication & Shared URL access

Couple of questions:
I implemented the authentication process with OneDrive. My desktop application is designed for end-users. Every time the application is launched the little browser window pops up asking the user to confirm access...and if more than 1 hour passed user needs to provide username and password. Is there any way that end-user with SOME SORT of saved credentials (or user Code +user Secret, or API code + API secret) will be able to invoke the application and not be prompted by browser form (that currently requires login - if access token expired - or confirmation)?
The goal of my application is file sharing - that is, one end user may send a URL (to the file that he uploaded to OneDrive) to another user and the latter should be able to download the file by clicking on the link (without any prompts, exactly like in the manual process of sharing a link to the file in OneDrive). Is it possible? If yes, how to achieve that? That is, how do I get that URL? Redundant to say that I am looking for a programmatic way to obtain a URL that will achieve the above described.
The OneDrive authentication process uses Microsoft account, which supports OAuth 2.0. You should be able to point the user to:
https://login.live.com/oauth20_authorize.srf?client_id=CLIENT_ID&scope=SCOPE&response_type=code&redirect_uri=REDIRECT_URI
Once the user authenticates and authorizes your app, the user will be taken to REDIRECT_URI/?code=CODE, where your app can exchange that code for an access token at:
https://login.live.com/oauth20_token.srf?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI.
There are more details at http://onedrive.github.io/auth/msa_oauth.htm.

Google Plus login with Javascript and Authenticating with PHP

While implementing Facebook Connect in a web application, it's possible to show the Facebook sign-up page in a pop-up, and once logging in and granting permissions are complete, it's possible to authenticate again in PHP and to get the necessary details of the user - id, email etc.
I believe that's secure because the user insertion is not based on the Ajax request parameters.
Is it possible to do the same with Google Plus Login also?
Meaning: logging in to Google using the JavaScript SDK, asking permissions, authenticating, all done in a pop-up window, and then creating a new user with the help of google-api-php-client?
Yes, what you're trying to do is outlined with https://developers.google.com/+/web/signin/server-side-flow which includes some PHP code samples to help you do this. In general, the steps at authentication time are:
1. User clicks the "Sign in with Google" button which may pop-up a new window at Google prompting them to log in and authorize your webapp.
2. After they do so, a one-time code is sent to a JavaScript callback you specify.
3. Your JavaScript method sends this code to your PHP server.
4. Your PHP server uses the client library to contact Google's server and exchange this one-time code for an access token and refresh token, which you keep and use to perform actions on the user's behalf.
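
The code-for-token exchange described in the steps above and in the OneDrive answer earlier on this page, sketched as an added example (not code from any of the posts) using the Microsoft account endpoints quoted there. The `state` parameter (a standard OAuth 2.0 anti-forgery value), the dict-like `session`, the function names and sending the token request as a POST form body are assumptions beyond what the answers show.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.live.com/oauth20_authorize.srf"
TOKEN_URL = "https://login.live.com/oauth20_token.srf"


def begin_login(session, client_id, scope, redirect_uri):
    """Build the URL the user is sent to and bind it to this browser session."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id, "scope": scope, "response_type": "code",
        "redirect_uri": redirect_uri, "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def finish_login(session, callback_url, client_id, client_secret, redirect_uri):
    """Validate the redirect, then return (url, form_body) for the
    server-side token request. Raises ValueError on a bad callback."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", "")  # each state value is usable once
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in params or "code" not in params:
        raise ValueError("authorization denied or no code returned")
    body = urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "code": params["code"][0], "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
    })
    # The secret travels in the POST body, so it stays out of URLs and logs.
    return TOKEN_URL, body
```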