Google OAuth2: how to ask the user for a password on each login? - google-oauth

I need to ask the user for a password each time they use Google OAuth.
There was an option I used, "max_auth_age", but it stopped working.
Is there any replacement for this option? If not, could you please suggest where I can submit something like a "feature request" to Google to restore this feature.
Thanks.
UPD
I have read the possible duplicate topic and tried to use max_age instead of max_auth_age. It did not help.
P.S. I know that the main idea of OAuth2 is not to use any password prompts, but it's a customer requirement. He is afraid that a person who is not allowed to use the system could gain access on a shared computer if someone forgot to log out of Gmail.

Aside from BCM and ehsan s' concerns, it is possible to revoke access to your application AND ask for a password on subsequent login attempts.
Following is a NodeJS example with googleapis, but it is simple enough to work for all applications:
const { google } = require('googleapis');
const oauth2Client = new google.auth.OAuth2(
  'client_id',
  'client_secret',
  'redirect_uri'
);
// Sign-in code (omitted) here
// Ends the Google session on this client by requesting the Logout endpoint.
async function signOut() {
  return oauth2Client.request({
    url: 'https://accounts.google.com/Logout',
    method: 'GET'
  });
}
Unlike oauth2Client.revokeCredentials, requesting https://accounts.google.com/Logout will make Google ask for a password on subsequent sign-in attempts.
Bear in mind that this request will sign the user out of all Google services on the client.
This won't affect other clients on the device, however - i.e. signing out of the NodeJS app will not cause the user to be logged out of Gmail in a Chrome browser running on the same machine under the same user.
Hope this helps :)

Related

In AWS Cognito, is it possible for an external provider login to setup MFA?

I have set up two-factor authentication with the aws-amplify JavaScript library. With users who sign up with a simple email and password, it works great. I do something like
import { Auth } from 'aws-amplify';
const user = await Auth.signIn(username, password);
if (user.challengeName === 'SMS_MFA') ...
However, when a user signs in with an external provider (let's say Google for example) and they enable MFA, the challengeName returned is not SMS_MFA. It comes back as USER_SRP_AUTH.
I'm wondering if I'm not doing something right, or if you just can't setup MFA for external provider logins for some reason? I've looked everywhere for the answer to this question and can't seem to find anything. Thanks!
I am wondering the same thing but my circumstances are somewhat different.
I have discovered that users who come from the external provider (these users have the confirmation status External Provider) cannot log in using CUSTOM_AUTHENTICATION. I have set up a custom authentication flow using OTP codes sent via SMS, which does not trigger for users who come from the external provider.
Edit: Most likely, MFA and CUSTOM_AUTHENTICATION are disabled for users who come from the external provider.
I have seen here that the possible solution may be Account Linking, but I am yet to confirm this.

FusionAuth oAuth not working with TestCafe

I am failing to correctly log in through the UI with the testing framework TestCafe. Our company uses FusionAuth for authentication, which lives on a separate domain from the application I am looking to test. At the moment I'm just trying to develop a proof of concept of logging in through the UI.
Currently, the cookie that I usually see get set when logging in normally through my browser does not get set when going through TestCafe. Thus when you return to the application it does not know that you are authenticated.
It seems that the passing of cookies / local storage from the IdP login page back to the application under test does not happen.
I've tried using Roles with preserveUrl set to true.
import { Role } from 'testcafe';

fixture('Login')
  .page('{domainURL}');

// Role that signs in on the FusionAuth login page once and is reused by tests
const testUser = Role('{domainURL}/login', async t => {
  const username = 'username'; // Not real values
  const password = 'passwword';
  await t
    .typeText('#loginId', username)
    .typeText('#password', password)
    .click('.submit');
}, { preserveUrl: true });

test
  .disablePageCaching('Login to Test Users Account', async t => {
    await t.useRole(testUser);
  });
I've also tried just using selectors and putting in the credentials manually in the UI. Neither has worked so far for me.
I was curious if:
I am approaching this wrong?
What is the best approach for black-box end-to-end testing with TestCafe when dealing with login?
I know this is probably not the best place, but I wasn't sure how else to contact TestCafe support.
In general, TestCafe Roles are the recommended approach for dealing with logging in. There can be some FusionAuth specifics that do not work correctly with TestCafe. If you want our TestCafe team to research this issue, you can create an issue in our GitHub repository using the following link: https://github.com/DevExpress/testcafe/issues/new?assignees=&labels=&template=bug-report.md
Please note that we will need an example that demonstrates the issue. If you cannot share your project/login/password publicly, you can send it to support#devexpress.com.
This was turned into a GitHub issue ticket that can be found here. Going to close this question for now.

Configure Silent Authentication in Open ID Connect

client type: Spa
grant type: implicit or code(pkce)
As a user, I want to be able to get silently authenticated if I have already logged in with my identity provider. If not, stay on the client side just like a guest user. And if I want to log in to the client I should be able to get authenticated manually through the login page.
This has both manual sign-in and automatic sign-in scenarios. How would you handle such cases in OpenID Connect?
Adding prompt=none in the client settings will silently get a new token if the user has a valid session. But if not, I want the user to be able to manually authenticate through the login page upon his/her wish.
If I set prompt=none, this will never have any user interaction such as authentication.
tags: Silent authentication oidc, automatic login, SSO
It is quite a deep subject, and the flow typically works like this:
CLASSIC OIDC SOLUTION
User is redirected for each SPA
If signed in already at the IDP there is no login prompt
OAuth state is stored in local storage (though it is recommended to only store actual tokens in memory)
When an access token expires (or before) do an iframe token renewal with prompt=none
When a new browser tab is opened do an iframe token renewal to get tokens for that tab - to avoid a full redirect
When the user logs out remove OAuth state from local storage
The most widely used library is OIDC Client which will do a lot of the hard work for you. See also my blog post + code sample for how this looks visually.
PROBLEM AREAS
It is worth being aware also that iframe silent renewal does not work by default in the Safari browser in 2020. Some notes on this here.
Alternatively, you can use signinSilent(). I have used it in my login page's ngOnInit (since AuthGuard will redirect the user to login anyway, I thought it would be the perfect place in my scenario).
// login.ts
ngOnInit(): void {
  // Try a silent sign-in first; a rejected promise (typically login_required)
  // just means the user stays on the login page as a guest.
  this.authService.signinSilent().then(_ => {}).catch(_ => {});
}
// authService
// Wraps oidc-client's UserManager.signinSilent(), which renews via a hidden iframe with prompt=none
public signinSilent() {
  return this.userManager.signinSilent();
}
The signinSilent method will return the user object if the user already has a valid session with the IdP; else it will throw an error, probably login_required.
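As an added example (not part of either answer above and not oidc-client code), here is the decision logic behind the asker's two scenarios, silent sign-in on page load and a manual login only when the user asks for it, in plain JavaScript. It classifies the redirect the identity provider sends back from a `prompt=none` request using the error codes OpenID Connect Core defines for that case, and shows how the interactive retry is the same authorize request with `prompt` removed. The callback URLs are constructed; the `state` comparison is the usual CSRF guard and is assumed to be stored by the application before the redirect.

```javascript
// Added example: "silent first, interactive only on request" for an OIDC SPA.
// Error codes are the ones OpenID Connect Core 1.0 defines for prompt=none failures.
const NEEDS_INTERACTION = new Set([
  'login_required',
  'interaction_required',
  'consent_required',
  'account_selection_required',
]);

// Parse the IdP's redirect back to redirect_uri. The code flow returns parameters in
// the query string, the implicit flow in the fragment, so both are merged here.
function parseCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const params = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  for (const [k, v] of fragment) params.set(k, v);
  return Object.fromEntries(params);
}

// What the SPA should do next. `silent` says whether the request that produced this
// callback carried prompt=none; only then is login_required a normal outcome.
function nextStep(callbackUrl, { expectedState, silent }) {
  const p = parseCallback(callbackUrl);
  if (p.state !== expectedState) return { action: 'reject', reason: 'state_mismatch' };
  if (p.error) {
    if (silent && NEEDS_INTERACTION.has(p.error)) {
      // No session at the IdP: stay a guest and do not redirect the user anywhere.
      return { action: 'guest', reason: p.error };
    }
    // Any other error, or an interaction error from an interactive request, is a failure.
    return { action: 'reject', reason: p.error };
  }
  if (p.code) return { action: 'exchange_code', code: p.code };
  if (p.id_token) return { action: 'use_tokens', idToken: p.id_token };
  return { action: 'reject', reason: 'no_credential' };
}

// The manual login the asker wants: the same authorize parameters minus prompt=none,
// with a fresh state value, sent only when the user clicks "Login".
function interactiveParams(silentParams, freshState) {
  const params = { ...silentParams, state: freshState };
  delete params.prompt;
  return params;
}

// Constructed sample: silent attempt with no IdP session, then a successful code callback.
const SILENT_REQUEST = { client_id: 'spa', response_type: 'code', prompt: 'none', state: 's1' };
console.log(nextStep('https://app.example/cb?error=login_required&state=s1', { expectedState: 's1', silent: true }));
console.log(interactiveParams(SILENT_REQUEST, 's2'));
console.log(nextStep('https://app.example/cb?code=abc&state=s2', { expectedState: 's2', silent: false }));
```

The same classification applies to the iframe renewal the first answer describes: a `login_required` answer to a renewal means the IdP session is gone, so the application should drop its own state rather than loop on further silent attempts.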

Empty user object when authenticating with Realm.Credentials.jwt(token), and Realm connection issue with RN hot reload

I am trying to use Mongo Realm (v10.0.0-beta.9); I use JWT authentication (the token being generated by AWS Cognito). It works pretty well since a user has been created (in Mongo Realm's Users menu) and I was able to insert data in my realm. But...
1. Empty user object
One strange thing nevertheless: the user I get from the authentication is empty
import Realm from 'realm';
const app = new Realm.App({ id: appId }); // appId: the Realm app id shown in the Realm UI
// Build credentials from the JWT issued by Cognito
const credentials = Realm.Credentials.custom(jwt)
// Authenticate the user
const user: Realm.User = await app.logIn(credentials)
console.log("logged in with Jwt, user:", user) // display "logged in with Jwt, user: {}"
Is it normal? Examples speak about an identity field: console.log(`Logged in as ${newUser.identity}`);
2. React Native hot reload
A bothersome thing: I can't reconnect to a realm when reloading the app (pressing r in the console where I ran npm start). I don't get any error, I just get... nothing. No log appears in the Realm console.
The only solution I have is to kill the app, then restart it.
Did I miss a trick to handle that reconnection with RN hot reload?
I've had some trouble converting any Realm objects to printable strings; I always get {} just like you do. I think it could be related to this (unresolved) task on their GitHub.
On a similar note, there are some bugs in Realm's authentication system. I'm trying to get email/password, Facebook, and Google authentication going in my application but all of them currently seem to be broken on Realm's side.
Here are some related issues on their GitHub that you can follow for a solution.
Facebook
Google
Email/pass (fixed, but not released in the latest beta)
I don't have any information about JWT specifically but given these other authentication issues there's a good chance the issue isn't on your side. I recommend opening an Issue on their repository.

Authentication with AzureAD via TestCafe Tests

I'm unable to authenticate / sign in via AzureAD when running TestCafe.
import { Role, Selector } from 'testcafe';

// Role that walks through the Microsoft login page (email, Next, password, Sign in)
const testrole = Role(
  'https://login.microsoftonline.com/',
  async t => {
    await t
      .typeText(Selector('input').withAttribute('type', 'email'), *******)
      .click(Selector('#idSIButton9'))
      .typeText(Selector('input').withAttribute('type', 'password'), ********)
      .click(Selector('#idSIButton9'));
  },
  { preserveUrl: true }
);
The above steps work fine, however after entering the password I get a message saying:
"Unable to sign in to Outlook account, Error: AADSTS900561: The endpoint only accepts POST requests. Received a GET request."
From my initial search, it seems like something to do with third-party cookies in the browser. However, I'm unable to find a solution at this time.
Any idea how I can get around this issue?
The Azure AD product team has always reminded me that it is a bad idea to try to automate sign-in like that.
They will probably detect that you are a bot and start blocking your requests, even if you succeed.
Instead, to acquire access tokens you need to use either the client credentials flow (for app-only tokens) or the resource owner password credentials flow (for delegated user tokens).
Client credentials flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
ROPC flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
You have to take good care to secure the credentials used for testing.
And use a test tenant if possible.
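As an added example (not from the answer above and not from any Microsoft library), here is the client credentials request the answer recommends, built with Node.js built-ins only: a POST to the v2.0 token endpoint, which is also the request shape the AADSTS900561 message in the question is complaining about. Tenant id, client id, secret and scope are read from environment variables so the secret never sits in the test file; the values in the demo call at the bottom are constructed placeholders, and the network call lives in a separate function so the request can be inspected without a tenant.

```javascript
// Added example: app-only token for an automated test via the client credentials flow.
// Uses only Node.js built-ins (global fetch needs Node 18+). Values below are placeholders.

// Build the token request. Fails loudly if any setting is missing so a test never runs
// against the wrong tenant or with an empty secret.
function buildClientCredentialsRequest({ tenantId, clientId, clientSecret, scope }) {
  for (const [name, value] of Object.entries({ tenantId, clientId, clientSecret, scope })) {
    if (!value) throw new Error(`missing ${name}`);
  }
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope, // for app-only tokens this is the API's /.default scope
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    method: 'POST', // the token endpoint rejects GET (AADSTS900561)
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Perform the exchange. Returns the access token string or throws with the AAD error code.
async function acquireAppToken(config) {
  const req = buildClientCredentialsRequest(config);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json.access_token;
}

// Read the test credentials from the environment (variable names are this example's choice).
function configFromEnv(env = process.env) {
  return {
    tenantId: env.AAD_TENANT_ID,
    clientId: env.AAD_CLIENT_ID,
    clientSecret: env.AAD_CLIENT_SECRET,
    scope: env.AAD_SCOPE,
  };
}

// Demo with constructed placeholder values; no network call is made here.
const demo = buildClientCredentialsRequest({
  tenantId: 'contoso.onmicrosoft.com',
  clientId: '00000000-0000-0000-0000-000000000000',
  clientSecret: 'placeholder-secret',
  scope: 'api://00000000-0000-0000-0000-000000000000/.default',
});
console.log(demo.url);
console.log(demo.body);
```

In a TestCafe run the token would be obtained once in a fixture hook (`acquireAppToken(configFromEnv())`) and handed to the application under test, instead of driving the Microsoft login page through the browser; how the application accepts a pre-issued token depends on the application and is not shown here.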