In the ADFS management app I've opened the "Edit Federation Service Properties" screen and changed the "Web SSO lifetime" to 5 minutes.
Now I want to add logic to the FormsSignIn.aspx page to detect the scenario where the user's credentials are stale (they entered them longer than 5 minutes ago) and display a message saying something like:
Your credentials have expired. Please re-enter your credentials.
How would I go about detecting this scenario? Googling didn't turn anything up.
Related
I'm trying to follow the instructions here which tell me to create credentials via the instructions here, which as step 6 tells me 'Click the user type for your app. If you're running a Quickstart, select Internal.'
On the page in question, 'Internal' is greyed out, and tells me I can't select it because I'm not a Google Workspace user. Going to Google Workspace, it tells me I need a domain name for 'my business'. Since I don't have a business, or any domain that would have anything to do with this project (I just want to push some personal data from the command line to a sheet), I don't seem to be able to proceed. Is the Google Sheets API just not available for such use?
If you don't have a Workspace account but you don't want to publish your app publicly (and go through the associated review by Google), you can set the app to External and test the app instead of publishing it.
In order to do that, just add yourself as Test user when setting the OAuth consent screen, and leave the Publishing status on Testing, don't change it to In production:
Testing
Projects configured with a publishing status of Testing are limited to up to 100 test users listed in the OAuth consent screen. A test user consumes a project's test user quota once added to the project.
Google will display a warning message before allowing a specified test user to authorize scopes requested by your project's OAuth clients. The warning message confirms the user has test access to your project but should consider the risks associated with granting access to their data to an unverified app.
Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.
Reference:
Publishing status: Testing
Unfortunately, that means that the authorization lasts only for 7 days. Which means that I have to keep creating new projects every 7 days, which is untenable. Here is the excerpt from the "Setting up your OAuth consent screen" page on the Google support site.
Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.
I implemented a Linkedin connection in one of my apps. It works great but I need to enter my Linkedin credentials even if I'm already connected on Linkedin's website.
Note my picture in the upper right corner.
When I authenticate on Linkedin's website, I have something like 10 minutes during which I don't need to authenticate, just accept my application's permissions requirements.
I would like to get this behavior as long as I'm connected to Linkedin's website. For instance, I would like that a user that comes on my application, if he's already logged on Linkedin, only needs to accept my permissions requirements.
well this is totally up to your server. if you reboot the service/app then yes you have to log in. but once a user is loggedin you can use the refresh token to keep him logged in as long is possible (unless he logs out himself).
if this does accure while the app isnt getting any restart. you should definitly look at the refresh token.
I have developed an automation software for verifying Google oAuth using Gmail account sign(configured my own 4 gmail accounts). It is actually working fine from my machine.
While automation runs from a remote machine(ran from jenkins with 3 hrs of interval) we are obtaining a pop up for 'verify its you'. :(.
Also I verified each configured account, I can see remote ip is listed on my "Devices & Activity" page as an Unknown Device and it keeps getting refused (in all configured gmail account).
At some point I clicked on this device as being okay, but it continues to get blocked
The message listed under it is We recently prevented a sign-in attempt to this device. You indicated this attempt as yours. For your security, we'll continue to show this device in the list for two weeks. You can also review this event in your Notification & alerts page.
How can I stop this from happening? If I go to the Notification and Alerts page, there is still no option to stop this.You can see in the message that I clearly indicated the attempt as mine, but Google continues to stop it.
I have tried following method , but didn't worked.
Less secure apps option in the gmail account
tried this url, https://accounts.google.com/DisplayUnlockCaptcha
also tried resetting password for each configured account
Please help
I want to know what are the best practices, when using Worklight:
To Logout
To Maintain the user logged in, after application relaunch.
To login a user directly after an account creation
I am using Worklight 6 authentication, with a custom login module, for an Hybrid App (HTML5)
If there is a sample doing all these feature, it will be great, otherwise, any code snippets and advices should help me.
Thanks
Can't exactly say that these are 'best practices', but this is what I would do in these situations:
To Logout
Don't have much to say here. Clear anything and everything that the user could use to access resources on the server, including cookies. As you probably know, the login modules come with a logout function call where you can perform these operations.
To Maintain the user logged in, after application relaunch
After the first login, use some local storage mechanism, such as JSONStore, in order to save the credentials. JSONStore can encrypt all data saved locally as well. When the user starts the app, instead of prompting for login credentials, check the local storage to see if the credentials already exist and then send them to the server to log in.
To login a user directly after an account creation
I'd use a similar approach as above. When the user sends their account information to the server, save it to local storage. If the account creation was successful, then the server can send a success response to the client which can then automatically send the credentials back to the server to log them in. If the server sends a failure response, then the credentials should be deleted from the local store and the user will be prompted to try to register again.
I am trying to integrate a two factor authentication solution with a mail server that is hosted on Apache Tomcat. Right now the app is using form based authentication and the user enters his user name and password and is authenticated against openLDAP as back end.
What we want is the following -
1). User enters his Un and PWD
2). The request is "intercepted" and put on "hold"
3). A one time pwd (OTP) is generated and sent as SMS to the user.
4). The user sees a new page with a box to enter that OTP.
5). The user enters his/her OTP sent as SMS
6). The OTP is verified and if true the "held" request in step "2" is forwarded for further authentication
The trouble is that I have no access to source code of the mail server app.
I can achieve something very similar in IIS(Microsoft) using an ISAPI filter, but need to know how to achieve this in Apache?
I am looking on the lines of Valve/Filter and SAML, but have no clue how and where to progress.
I contacted the logintc guys for their 2-factor credential and resolved my 2-factor using their apps. Check them out.
https://cloud.logintc.com
The LoginTC platform services are free for under 1,000 users. So that's great.
I followed the instructions from this URL: https://cloud.logintc.com/help/developers
Basically, I created an admin account for my domain in the logintc cloud control panel. Then I used the Server-Side Authentication instructions to enable my Apache website with the logintc button, and added the code snippet in my authentication page.
My users download the logintc app from Appstore, Android or Blackberry marketplaces, I issue them a Confirmation Code and they create their credential token in the app with a PIN (same as ATM cards)
The whole thing takes less than 1 hour to configure. My users get an out-of-band notification to unlock their credential with the PIN, and bingo, they achieve 2FA.
You must check them out
I would suggest using OpenAM former OpenSSO from Sun
It has a filter/agent that can be deployed on apache And it has very good support for multi-factor authentication including SMS authentication module.