We are implementing Google Oauth2.0 Single Sign On with our applications. We have Web application, windows desktop app, Adroid app, iPhone app.
From our applications(windows app/mobile app) when user tries to login we use below flow:
1) We get URL(https://accounts.google.com/o/oauth2/auth?client_id=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&response_type=code&scope=openid%20profile%20email&redirect_uri=urn:ietf:wg:oauth:2.0:oob&login_hint=myemail#gmail.com) from our API which redirect user to Google login screen
2) After authentication:
a) On first login it display consent screen with scopes(View your email address/View your basic info/Know who you are on Google) mentioned in above URL.
b) On subsequent login it display consent screen with scope (Have offline access).
3) Then Google return us a code in page title which we use for our authentication and then we allow user to access our application.
When we are using Same flow in Web application it won't ask Offline access scope screen for subsequent logins but in Desktop app/Mobile app for all the subsequent login it ask "Have offline access" scope screen.
How can I avoid scope (Have offline access) screen for subsequent login?
Please suggest.
FYI
1) I have tried approval_prompt, access_type but no change in nature.
2) We are not storing any refresh token after first authentication.
Related
Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - [https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After successful logout, which seems to be happening properly as the UnAuthenticated template executes after login. When the user presses login again, it does not ask for any credentials, and user is signed in again which is a security issue. I am not sure what am I missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution
Flow:
Before First login - Session Storage and Cookies are empty,
After login - Session Storage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf
After logout - Both are cleared with no values
Click login again, values from step 2 come back in. But if you don't click login and try different app routes, it shows Unauthenticated template which has login button. So seems like user was correctly logged out
A few questions and helpful information
Is azure ad B2C considered as social sign in (federated entity) or is it considered a local account like Azure AD
I have read here that it does not assume logout from social IDP but I am not using anything other than B2C. In this GitHub, it also mentioned it is expected behaviour but how do I logout properly so that user is asked for credentials again. [https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
After pressing logout, if user is signed out from B2C as the app executes Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials.
Please guide me to solve this issue
I'm using `
https://api.instagram.com/oauth/authorize?client_id={{ instagramAppId }}&redirect_uri={{ redirectUrl }}&scope=user_media,user_profile&response_type=code
` url to verify user via instagram api.
Is it possible to get access token from instagram mobile app? The web view with insta login needs credentials to login, even though user is logged in mobile app.
Thanks!
Webviews keep their own cookie jars, so you have to log in separately. You can't use the mobile app's tokens. You can open the login page in a browser instead of a web view. Then, if the user is already logged in to Instagram in this given browser, you will instantly get a response from the authorization endpoint. Still, the user needs to be logged in in the concrete browser, being logged in in the app won't help.
I have a React Native app that uses Okta's hosted login page to authenticate.
When a user successfully authenticates for the first time through the PKCE flow, on every other login afterwards, they get automatically logged in as the same user.
I've used additionalParameters: { prompt: 'login' }, but it only asks for you to re enter your password and if you click signout, it brings you to a Citrix page that doesn't change anything about the flow - they still get logged back in as the same user after the fact.
I've tried using both the revoke and logout endpoints which actually changes the cookies a bit, but doesn't affect the flow same goes with restarting the app.
The only way is to clear hardware settings in xcode.
This may not even be an Okta specific issue, perhaps a general OIDC issue.
How does the hosted login page store and know you've previously logged in and how can that be fixed?
I have a console application that uses Google's OAuth for devices workflow to authenticate users using their Google accounts (see: https://developers.google.com/identity/protocols/OAuth2ForDevices).
During the authentication process, the user is required to visit https://www.google.com/device and copy-paste a code printed by my app.
Is it possible to include the code as part of the auth url such that the code will already be filled in, and the user only has to click on to authenticate (I'm thinking on opening a browser window programatically)?
Looking for an option like https://www.google.com/device?code=ABCD-EFGH
I have to write an API for mobile device to implement Login with Facebook using Devise. I have done the web implementation and the as per my research the Facebook Login flow works as follows:
Step 1:
The user comes on the website and clicks Login with Facebook. It hits the facebook verifying the permissions for the app.
Step 2:
If the user accepts, facebook hits the web application with a temporary code.
Step 3:
The web server using the temporary params code hits facebook again to get the user's access token.
Step 4:
Facebook hits the web server with the user's access_token which is saved by the web application in the database. If the user with the access_token already exists then a new session is created else a new user record is created.
This is the complete flow of login of Facebook for a web application.
Now when writing mobile api for a Mobile device the question comes is:
Will the mobile device hit the web application with the facebook's temporary code as mentioned in Step 2 and the Web server will hit facebook using the temporary code to get the user's permanent access_token?
OR
Will the mobile devise hit the web server with the permanent user's access_token from facebook which is then identified for its existence in the database by the web application?
Please Help.
Many Thanks!!
Did you saw Devise + Facebook OmniAuth integration?
I used this integration and it uses the step 2, it's very easy and you don't have to care about this issues, it's already done.