Offering "Change user" functionality when requesting authorisation of Facebook app - facebook-javascript-sdk

Facebook app requesting the basic authorisation (public profile).
If a user isn't logged into Facebook, it will ask them to first log in. All good.
If a user is logged in, it will bypass the login step and ask for authorisation. Also good.
But in this second case, I'd like to be able to have a "Change User" or "Not you?" possibility in case the user needs to be changed.
Otherwise I'll have to somehow instruct my not-too-savvy users to click on the wrong user's name to go to that Facebook account, log out and restart my authorisation procedure again.
I considered having my own dialog at the start showing the currently logged-in user and giving the ability to change it, but I can't see the logged-in user's name unless I already have authorisation, nor can I log that user out with prior authorisation either, it seems.

Azure B2C logs out but user can sign in without credentials again

Setup Overview
I am using B2C custom policies for the sign-in flow in a React application using the msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, the B2C logout popup shows up and goes away instantly without asking the user to choose an account, which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After a successful logout, which seems to be happening properly as the UnAuthenticated template executes after login, when the user presses login again it does not ask for any credentials, and the user is signed in again, which is a security issue. I am not sure what I am missing now. I have gone through all the MS docs multiple times and the GitHub issues but did not find a solution.
Flow:
1) Before first login - Session Storage and Cookies are empty.
2) After login - Session Storage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf.
3) After logout - Both are cleared with no values.
4) Click login again - the values from step 2 come back in. But if you don't click login and try different app routes, it shows the Unauthenticated template, which has a login button. So it seems like the user was correctly logged out.
A few questions and helpful information
1) Is Azure AD B2C considered a social sign-in (federated entity), or is it considered a local account like Azure AD?
2) I have read here that it does not assume logout from a social IdP, but I am not using anything other than B2C. In this GitHub issue it is also mentioned that this is expected behaviour, but how do I log out properly so that the user is asked for credentials again? https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
3) After pressing logout, if the user is signed out from B2C (as the app executes the Unauthenticated template instead of Authenticated), how is it able to sign in again without any credentials?
Please guide me to solve this issue

User authentication flow with biometrics

I have an expo (react-native) app and use the expo-local-authentication library to authenticate users to the app.
My current flow looks like this:
At first login, when the user logs into the app or signs up, I store the username and password in expo-secure-store.
Once the user session expires, and the user clicks the button that says "Login with Biometrics", I look into the secure store and see if there is a previously stored credential (username and password), then I authenticate the user with those credentials, and get the authentication token. The authentication token is then used to call other endpoints.
One user reported the following issue with this:
1) User A logs into the app for the first time. Their username and password (usernameOfA, passwordOfA) get stored in the secure store.
2) The next time User A logs into the app with biometrics, we use their stored credential to log in, which works as expected.
3) Let's say User B logs into the app from the same device as User A. Now the username and password (usernameOfB, passwordOfB) get stored in the secure store and replace the credential of User A.
4) User B does their thing and logs out of the app. But here our secure store still has the credential of User B.
5) When User A comes back and logs in to the app with their biometrics, because the credential of User B is still stored in our secure store, the account of User B gets logged in instead of User A.
PS.
We could remove the username and password of the user from the secure store when the user logs out of the app, but we want users to be able to log in again with biometrics even after they log out of the app.
Also, we log out the user every time they close the app, so if we removed the credential on every logout we wouldn't be able to log in the user with biometrics the next time.
I seem not to have understood the flow of implementing biometrics. What other information should I include to make sure the correct user is logging in to the app? Or is there a different way to authenticate users with biometrics? I am looking to understand more about the flow and would appreciate any recommendations or resources. Thank you.
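The account mix-up in the post comes from a single shared credential slot. The following is an added example (not code from the original post or from Expo) that keeps one entry per account plus a pointer to the most recent account, so a biometric login for User A always looks up User A's own entry. expo-secure-store is replaced by a synchronous in-memory stand-in with the same get/set/delete shape so it runs in plain Node; in the app each store call is async and must be awaited. The key names, the hex key encoding, and the `verifyBiometrics`/`authenticate` callbacks are assumptions.

```javascript
// Added example, not the original post's code. The in-memory object imitates
// expo-secure-store's setItemAsync/getItemAsync/deleteItemAsync, but synchronously.
const memoryStore = new Map();
const SecureStore = {
  setItem: (key, value) => { memoryStore.set(key, value); },
  getItem: (key) => (memoryStore.has(key) ? memoryStore.get(key) : null),
  deleteItem: (key) => { memoryStore.delete(key); },
};

// Key names are assumptions. SecureStore keys may only contain alphanumerics,
// '.', '-' and '_', so the username is hex-encoded per code point to get a
// unique, valid key for every account.
const LAST_USER_KEY = 'biometric.lastUser';
function credentialKey(username) {
  const hex = Array.from(username, (c) => c.codePointAt(0).toString(16).padStart(6, '0')).join('');
  return `biometric.cred.${hex}`;
}

// After a successful password login: one entry per account, plus a pointer to
// the account that logged in most recently. A second user logging in on the
// same device no longer overwrites the first user's entry.
function rememberCredential(username, password) {
  SecureStore.setItem(credentialKey(username), JSON.stringify({ username, password }));
  SecureStore.setItem(LAST_USER_KEY, username);
}

// The "Login with Biometrics" button should show this name ("Continue as ...?")
// and offer a way to pick another remembered account, instead of silently
// using whichever entry was written last.
function lastRememberedUser() {
  return SecureStore.getItem(LAST_USER_KEY);
}

// Biometric login for an explicitly chosen account. `verifyBiometrics` stands in
// for LocalAuthentication.authenticateAsync(); `authenticate` stands in for the
// app's password login and returns the session token (both hypothetical).
function loginWithBiometrics(username, verifyBiometrics, authenticate) {
  if (!verifyBiometrics()) return { ok: false, reason: 'biometric-failed' };
  const raw = SecureStore.getItem(credentialKey(username));
  if (raw === null) return { ok: false, reason: 'no-credential' };
  const cred = JSON.parse(raw);
  const token = authenticate(cred.username, cred.password);
  SecureStore.setItem(LAST_USER_KEY, cred.username);
  return { ok: true, username: cred.username, token };
}

// Logout keeps the stored entries (the post wants biometric login to keep
// working afterwards); only a deliberate "forget this account" removes one.
function forgetAccount(username) {
  SecureStore.deleteItem(credentialKey(username));
  if (SecureStore.getItem(LAST_USER_KEY) === username) SecureStore.deleteItem(LAST_USER_KEY);
}

// Constructed scenario from the post: A logs in, then B, then A returns.
function scenario() {
  memoryStore.clear();
  rememberCredential('usernameOfA', 'passwordOfA');
  rememberCredential('usernameOfB', 'passwordOfB');
  const beforeA = lastRememberedUser(); // 'usernameOfB': the UI must not assume it is A
  const loginA = loginWithBiometrics('usernameOfA', () => true, (u) => `token-for-${u}`);
  return { beforeA, loginA, afterA: lastRememberedUser() };
}
```

The same per-account keying works unchanged if the entry holds a per-user refresh token issued by the backend instead of the password, which limits what a compromised device can replay.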

Google's OAuth Consent Screen doesn't allow users to reject requested scopes?

Originally, I believe the OAuth consent screen would allow the user to uncheck certain scopes they didn't want the requesting app to have access to (i.e. the user could decide not to give the app permission to use phone_number). Google would then send the user on their way to the app with whatever access scopes the user consented to. If the app absolutely required that permission, then it would be the responsibility of the app to inform the user of this.
Now (I'm not sure when this changed) it seems the user is no longer given the option to deselect a requested scope. They can only allow it or be stuck on the consent screen.
Is this appropriate behavior according to the OAuth spec? To me it shouldn't be the responsibility of the resource owner to halt consent entirely due to the user denying a certain requested scope. This seems to be a Google bug, correct?
To be clear, I am working to make my app only request the scopes it absolutely requires. But I don't think that this change should be absolutely necessary.

Google OAUTH2 - how to detect user is already logged in

I'm using Google OAUTH2 for my website. I can successfully log in using Google authentication.
Here is what I want to do:
1) The user goes to the website homepage and signs in by clicking "sign in with google"; login is successful and the user is taken to the logged-in user dashboard page.
2) The user comes back after half an hour and goes to the home page; they should get automatically redirected to the logged-in user dashboard instead of the homepage, since they already have a valid session.
Question: how can you detect if the user is already logged in? Should I be storing the access_token in the session to detect this? What's the recommended way to achieve this with Google OAUTH2?
Yes, you can store the access token in the session, but keep in mind that it could be expired. You should be able to get a new one with an immediate request.
You could also try and do session synchronization from JavaScript, if your site does not have its own session management:
https://developers.google.com/+/web/api/javascript#gapiauthchecksessionstatesessionparams_callback
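As an added example of the answer's first suggestion (not code from the original answer), the server-side session below holds the Google access token together with its expiry, and the homepage handler sends a returning visitor to the dashboard only while the session still yields a usable token, refreshing an expired one first. The session field names, the `refresh` callback (standing in for a request to Google's token endpoint) and the clock values are assumptions; the token response field names `access_token`, `expires_in` and `refresh_token` are the ones Google's token endpoint returns.

```javascript
// Added example, not the original answer's code.
const SKEW_MS = 60 * 1000; // treat a token as expired a minute early to avoid racing the real expiry

// Assumed session shape: { userId, accessToken, expiresAt (ms epoch), refreshToken }
function isTokenUsable(session, now) {
  return Boolean(session && session.accessToken && session.expiresAt - SKEW_MS > now);
}

// Build the session right after the OAuth callback. Only the server keeps the
// tokens; the browser only ever gets an opaque session id cookie.
function sessionFromTokenResponse(userId, tokenResponse, now) {
  return {
    userId,
    accessToken: tokenResponse.access_token,
    expiresAt: now + tokenResponse.expires_in * 1000,
    refreshToken: tokenResponse.refresh_token || null,
  };
}

// Homepage decision. `refresh(refreshToken)` is a hypothetical callback that
// performs the token request and returns { accessToken, expiresIn }, or null
// when Google rejects the grant (revoked consent). A revoked grant means the
// user is treated as logged out rather than silently kept on the dashboard.
function resolveLanding(session, now, refresh) {
  if (!session || !session.userId) return { route: 'home', session: null };
  if (isTokenUsable(session, now)) return { route: 'dashboard', session };
  if (!session.refreshToken) return { route: 'home', session: null };
  const fresh = refresh(session.refreshToken);
  if (!fresh) return { route: 'home', session: null };
  return {
    route: 'dashboard',
    session: { ...session, accessToken: fresh.accessToken, expiresAt: now + fresh.expiresIn * 1000 },
  };
}
```

The caller persists the returned `session` (it may carry a new access token) and redirects to `route`; keeping the expiry next to the token is what makes the "could be expired" caveat in the answer checkable without a round trip to Google on every page view.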

how do i sign user out of my app?

I implemented the Google+ Sign-In API in the root page of my app. It automatically signs in the user if the user is signed in to Google, then the API automatically signs him in to my app. The problem is that when the user logs out of my app, he is redirected to the root page, which logs him back in, since he is still logged in to Google.
You can see the whole code here: https://developers.google.com/+/web/signin/
Weird, they have a "See also, signing the user out of your app." link, but it's broken :(
Any ideas?
This is similar to this question:
Preventing automatic sign-in when using Google+ Sign-In
You could use a cookie that is set when the user is logged in on your site. If the user is logged in, indicated by the presence of the cookie, allow the user to automatically get redirected into your site. If the user is not logged in, require that the user click the sign-in button before you hide the button and redirect them to the signed-in experience. To log the user out, delete the cookie.