Immediate login after successful registration on a Plone site - authentication

I have a custom registration BrowserView where you have to extend some userdata (z3c.form with some fields including password). After successfully saving these data I want the user to be logged in automatically and redirected to another page in the site.
Thanks in advance for hints

So here's my working solution (thanks to mikko who pointed in the right direction).
Authenticate your registration credentials in PAS; for redirects it's necessary to set the authentication cookie, which you can do with "updateCredentials" (see pas/plugins/cookie_handler); then redirect to the next page:

# authenticate the freshly registered credentials against PAS
member = portal.acl_users.authenticate(username, password, portal.REQUEST)
if member:
    # set the authentication cookie so the redirected request is already logged in
    portal.acl_users.updateCredentials(portal.REQUEST, portal.REQUEST.RESPONSE, username, password)
# redirect to the next page
portal.REQUEST.RESPONSE.redirect(url)

If you want to extend the userdata for new members, and add new fields to the registration form, it's probably best to extend the utility that provides the default userdata schema and to do it in such a way that you seamlessly hook into the existing registration machinery.
There is an example product collective.examples.userdata which you can use and extend for this purpose. It also has good documentation that explains to you all the necessary steps.
http://plone.org/products/collective.examples.userdata

Related

Adding Cognito users from our application Users page

I have my own Users page in my application where user Admin can create a new user.
I do not want to let the user sign up by himself, but have the admin of the system add this user.
What do you think the flow for that should be?
I thought about:
Create a new user with username and temp password in the users page.
The user gets an email and presses a link to confirm the email.
The user goes to the login screen of my application and inserts the username and temp password.
The login page changes to "Change password" so the user will insert the password and confirm the password.
When pressing login, the user logs in to the system.
I cannot find a best practice for adding a new user from a built-in users page in the app.
Do you think my flow is reasonable?
Do you have any code that I can use for that?
This is pretty close to the flow which Cognito has for admin-created users by default when using the Amplify UI Authenticator component. The only difference is that the temporary password is sent to the user via email, so the admin never needs to see it.
To achieve this, you need to use the AdminCreateUser action. The way you do this will vary depending on the library you're using to communicate with Cognito. If it's Python, you can use boto3. If it's JS, you can use the AWS JS SDK. (Sample code in this GitHub comment.)
It's not required to use Amplify UI, you could write all the pages yourself. But it works well with very little effort and looks quite professional. So it should be the first thing you try. Here's another answer providing sample code for React.
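The admin-created-user flow the answer describes, as an added example written here (it is not code from the original answer, from the linked GitHub comment, or from AWS) using the AWS SDK for JavaScript v3. The region, user pool ID, client ID and the SDK package name are placeholders I assumed; the app client must have the USER_PASSWORD_AUTH flow enabled for the login step to work. The SDK is loaded lazily inside the functions that talk to Cognito, so the response-handling logic at the bottom can be exercised on constructed responses without network access.

```javascript
// Added example: Cognito "admin creates user, user sets own password" flow.
// Placeholders (assumed, not from the page): REGION, USER_POOL_ID, CLIENT_ID.
const REGION = 'us-east-1';
const USER_POOL_ID = 'us-east-1_EXAMPLE';
const CLIENT_ID = 'EXAMPLECLIENTID';

// Lazily load the v3 client so nothing below needs the SDK until it is called.
function cognito() {
  const sdk = require('@aws-sdk/client-cognito-identity-provider');
  return { sdk, client: new sdk.CognitoIdentityProviderClient({ region: REGION }) };
}

// Step 1 (admin side): create the user. No TemporaryPassword is supplied, so
// Cognito generates one and emails it (DesiredDeliveryMediums), and the admin
// never sees it. email_verified=true records that the admin vouches for the
// address, so no separate confirmation link is needed.
async function adminCreateUser(username, email) {
  const { sdk, client } = cognito();
  return client.send(new sdk.AdminCreateUserCommand({
    UserPoolId: USER_POOL_ID,
    Username: username,
    UserAttributes: [
      { Name: 'email', Value: email },
      { Name: 'email_verified', Value: 'true' },
    ],
    DesiredDeliveryMediums: ['EMAIL'],
  }));
}

// Interpret an InitiateAuth / RespondToAuthChallenge response and tell the
// login page what to show next. Session is an opaque one-shot handle that must
// be echoed back unchanged when answering the challenge.
function nextStep(resp) {
  if (resp.AuthenticationResult && resp.AuthenticationResult.AccessToken) {
    return { step: 'signed_in', tokens: resp.AuthenticationResult };
  }
  if (resp.ChallengeName === 'NEW_PASSWORD_REQUIRED') {
    const params = resp.ChallengeParameters || {};
    // requiredAttributes is a JSON-encoded array of pool-required attributes the
    // user still lacks; the change-password screen has to collect these too and
    // send them back in ChallengeResponses alongside NEW_PASSWORD.
    const required = params.requiredAttributes ? JSON.parse(params.requiredAttributes) : [];
    return { step: 'change_password', session: resp.Session, requiredAttributes: required };
  }
  throw new Error('Unhandled Cognito response: ' + (resp.ChallengeName || 'no challenge'));
}

// Step 2 (user side): first login with the temporary password. For an
// admin-created user Cognito returns the NEW_PASSWORD_REQUIRED challenge,
// not tokens, which is what switches the UI to the change-password screen.
async function loginWithTemporaryPassword(username, tempPassword) {
  const { sdk, client } = cognito();
  const resp = await client.send(new sdk.InitiateAuthCommand({
    ClientId: CLIENT_ID,
    AuthFlow: 'USER_PASSWORD_AUTH',
    AuthParameters: { USERNAME: username, PASSWORD: tempPassword },
  }));
  return nextStep(resp);
}

// Step 3: answer the challenge with the new password and the session from
// step 2. On success Cognito returns the tokens and the user is logged in.
async function completeNewPassword(username, session, newPassword) {
  const { sdk, client } = cognito();
  const resp = await client.send(new sdk.RespondToAuthChallengeCommand({
    ClientId: CLIENT_ID,
    ChallengeName: 'NEW_PASSWORD_REQUIRED',
    Session: session,
    ChallengeResponses: { USERNAME: username, NEW_PASSWORD: newPassword },
  }));
  return nextStep(resp);
}
```

Wiring: the admin page calls `adminCreateUser`, the login form calls `loginWithTemporaryPassword` and renders the change-password screen when it gets `step: 'change_password'`, and that screen calls `completeNewPassword` with the saved session. Because the temporary password is only good until the challenge is completed, the session handle is the piece of state the login page has to keep between the two requests.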

How to disable/enable Sign Ups for a specific application with Auth0?

Is there a way to disable or enable sign ups for a specific application which is independent of the “Disable Sign Ups”-toggle in the dashboard for login with passwordless email (Authentication/Passwordless/Email)?
Only partly.
It's possible via a Pre-User-Registration Hook and/or a Rule, with some caveats.
Pre-User-Registration Hooks:
https://auth0.com/docs/customize/hooks/extensibility-points/pre-user-registration
Something like this:
module.exports = function (user, context, cb) {
  // reject every registration that reaches this hook
  return cb(new PreUserRegistrationError('Denied user registration in Pre-User Registration Hook', 'You are not allowed to register.'));
};
Here you can just fail the registration at all times.
Problem with Hooks is that the Pre-User-Registration Hook does not trigger for social connections / federation, only Database Connections and Passwordless.
Alternatively via Rule:
https://auth0.com/docs/customize/rules
This will always work, but the downside is that the user gets created in Auth0, they will just not be able to further proceed.
In the Rule you basically check the number of logins, if it's 0, you know that it's a new user, and block the login that follows right after user creation (signup) as well as any other time.
Example rule:
https://auth0.com/rules/disable-social-signup
Related earlier answer of mine regarding this, in the Auth0 forum:
https://community.auth0.com/t/disable-signup-from-auth0-ui-and-enable-social-login/29227/2
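The Rule approach from the answer above, written out as an added example (mine, not the answer's code and not Auth0's own rule template): it runs only for the application being locked down, treats a first login as the sign-up, and persists a flag in app_metadata so that the user, who does get created, stays blocked on later logins too. The client ID is a placeholder and the flag name `signup_blocked` is my own choice. One detail the lead-in relies on: `context.stats.loginsCount` in a Rule includes the current login, so the sign-up login has a count of 1. The decision is separated into a pure function so it can be checked with constructed user/context objects.

```javascript
// Added example: Auth0 Rule that disables sign-up for one application only.
// Placeholder (assumed): the client ID to lock down. Flag name is our choice.
const LOCKED_CLIENT_IDS = ['REPLACE_WITH_YOUR_CLIENT_ID'];

// Pure decision: whether to allow this login, and whether to persist a flag so
// the newly created user is also rejected on every later login to this app.
function decideLogin(user, context, lockedClientIds) {
  const meta = user.app_metadata || {};
  if (lockedClientIds.indexOf(context.clientID) === -1) {
    return { allow: true, persistFlag: false };          // other apps: untouched
  }
  if (meta.signup_blocked) {
    return { allow: false, persistFlag: false, reason: 'Sign-up is disabled for this application.' };
  }
  // loginsCount counts the current login too, so 1 means this is the sign-up.
  if (context.stats && context.stats.loginsCount === 1) {
    return { allow: false, persistFlag: true, reason: 'Sign-up is disabled for this application.' };
  }
  return { allow: true, persistFlag: false };            // existing user
}

// The Rule itself. UnauthorizedError and the `auth0` management client are
// globals Auth0 injects into the Rule sandbox; they are not defined elsewhere.
function disableSignupForApp(user, context, callback) {
  const decision = decideLogin(user, context, LOCKED_CLIENT_IDS);
  if (decision.allow) {
    return callback(null, user, context);
  }
  if (!decision.persistFlag) {
    return callback(new UnauthorizedError(decision.reason));
  }
  // First login: the user already exists in Auth0 at this point (the caveat
  // from the answer), so record that this account was a blocked sign-up.
  user.app_metadata = Object.assign({}, user.app_metadata, { signup_blocked: true });
  auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(() => callback(new UnauthorizedError(decision.reason)))
    .catch((err) => callback(err));
}
```

Because the flag is keyed on the client ID check first, a user who was blocked in the locked application can still log in to other applications in the same tenant; if that is not wanted, drop the client check.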
I just figured out I can create another 'Tenant' (from the dashboard) with a different setting for Sign Up from the dashboard :-)
You could implement a custom Universal Login SPA for sign-up/in that only allows users to sign-in. Pre-registration hook to safeguard against people bypassing the UX.

Pass attributes to sec$User entered in the Customer entity creation screen [cuba-platform]

I'm new to Cuba-platform version 6.10.3. I have a problem where I am stuck.
I have a User entity where I create a new user which has parameters identical to those of the sec$User system entity. Now, I would like to pass the values entered in the User entity (name, password, lastname, email) and also the access group created specifically for the users (customers). Then register the attributes directly in the sec$User system entity and then log into the app with the credentials of the users created with their respective permissions.
I hope someone can help me. Thanks a lot to everyone.
In order to create a new sec$User entity, invoke the Metadata#create() method of the com.haulmont.cuba.core.global.Metadata bean.
Fill necessary fields.
To save new user to the database, use DataManager bean: com.haulmont.cuba.core.global.DataManager#commit(user)
If you need to login to the application automatically without having user password, you can use the "trusted login" feature.
When in the web client, use the com.haulmont.cuba.web.Connection bean to login.
When in a web service (e.g. portal module) - use the com.haulmont.cuba.security.auth.AuthenticationService service.
And call its login method with TrustedClientCredentials:
@Inject
com.haulmont.cuba.web.auth.WebAuthConfig webAuthConfig;
@Inject
com.haulmont.cuba.security.auth.AuthenticationService authenticationService;
// ...
// trusted login: the shared trusted client password stands in for the user's own password
authenticationService.login(new TrustedClientCredentials("username", webAuthConfig.getTrustedClientPassword(), Locale.ENGLISH));
See also
https://doc.cuba-platform.com/manual-6.10/login.html#login_additional_eatures
https://doc.cuba-platform.com/manual-6.10/web_login.html
Note that web client is working under the anonymous user until other user logs in. So you will need to add additional permissions to the user (write access to the User entity).
Thanks for the support, very helpful !

How to Auto Login using BOX API ?

Hi StackOverflow Community!
I am working with the BOX API. Everything is fine, but I want to change the authentication behavior.
The authentication process first goes to the Box website for ACCOUNT HOLDER authentication. Is it possible to auto-authenticate using username/password so that users view the ACCOUNT HOLDER's files directly?
I am looking forward.
Similar question asked here with a solution involving renewing bearer and access tokens. Only restriction is that the renewal needs to occur at least once every 14 days. I hope this is a workable solution for you.
It looks like this isn't possible. The Box API uses OAuth 2.0 authentication, which explicitly requires you to redirect the user to the Box website so that they can "allow" access to their account. See http://developers.box.com/oauth/
Which SDK are you using: iOS, Windows, Ruby, other? It is possible to auto-login; basically it would involve having the user configure their username and password somewhere. Then if you take those stored values and using javascript calls you can input the username and password into the appropriate fields and then submit the form. Depending on the api you'll be presented with a different login screen.
Disclaimer: Box changes their login screen frequently and seems really buggy so I wouldn't recommend this route but if you want to do it anyway the javascript will look something like:
var username = "user1";
var password = "superSecretPassword";
// fill the stored credentials into the login form's fields and submit it
document.getElementById('login').value = username;
document.getElementById('password').value = password;
document.forms[0].submit();

GITkit "Account Chooser" Questions

Has anyone successfully implemented the Google Identity Toolkit, an implementation of an Account Chooser? I followed the initial steps here, but I still have a few questions, as I don't quite know how to handle the entire data flow. I'm using Clojure / Compojure in the back-end:
http://havethunk.wordpress.com/2011/08/10/google-identity-toolkit-asp-net-mvc3/
http://code.google.com/apis/identitytoolkit/v1/acguide.html
A) don't quite understand how ID Provider authentication, fits into my data model
when implementing the callbackURL, what data should I expect, and
how's that session state managed by GITkit (and all Account Choosers)
B) Is there a way to set this up the 'callbackURL' for development.
the identity provider would need a URL that it can redirect back to
C) How can the GITkit / Account Chooser workflow let my users register an account that's native to my app?
Thanks in advance
The questions aren't entirely clear, but I've done an implementation of GITkit in ruby and can give you some pointers.
A) The callback URL is what handles the assertion from the identity providers. Right now GITKit only does OpenID, so the URL will contain an OpenID response either in the query parameters or as the POST body. You'll need to do a few things:
1) Call verifyAssertion in the gitkit API and pass the params/post body. This will return a JSON response that contains the user details (assuming assertion is valid). There are some other checks you should do as well
2) Decide what to do with the assertion. If it is an existing user, most likely you'll just establish a session and save the user ID. If it's a new user, you can either create a new account and start a session immediately, or defer that and redirect them to a signup page.
3) Render HTML/JS to notify the widget. There are different status codes and data you can return that changes the flow.
GITKit itself doesn't really manage session state, that's up to your app. Some of the reference implementations have code to help, but it's not part of the API. The widget does have some state that you can control with JS (add account, show as logged in, etc) and uses local storage in the browser.
The docs give some details and example code for how this should be implemented.
B) Of course. The URL is just configured in the javascript widget when you call setConfig(). It can be set to localhost or any staging server for development. So long as your browser can reach it you're OK.
C) By "native", I assume you mean where they're signing up with just a username/password instead of using an IDP. If so, the user just has to enter their email address when logging in. If that email address matches a known IDP it'll attempt to authenticate with OpenID, otherwise if it's a new user it'll redirect to whatever signup page you configured in the widget. That signup page would just ask the user to create a password like you normally would. You should also return whether or not accounts are 'legacy' (password) accounts in the userStatus checks.
Hope that helps.
For anyone's future reference. I was able to resolve the issue. You can follow this thread of how's it's done in Clojure.
I got it working with Ring/Compojure, and another fellow showed me his solution in Webnoir.
HTH