I'm currently implementing an omniauth solution for an app that will initially be in an invite only mode. I can restrict the UI so that a person cannot see the registration screen from which omniauth could be activated unless they have a valid invitation code. That being said, if a user knew the url structure, they could try to initiate the omniauth process directly and I'm trying to figure out how to handle that. I can't lock down the authentication url because an already registered user would need to go through them and they would not have their invitation code after the initial registration. Ideally I'd like to pass the invitation code along in the omniauth request so that it would come back to the app upon success, but in looking I found this thread which said that is not possible.
http://groups.google.com/group/omniauth/browse_thread/thread/4d99d608...
Is this still true or is it now possible to do what I'm looking for? Is setting the value in the session still the preferred way or is there a better way to handle this when using OmniAuth?
Thanks in advance
Chris
Instead of passing the custom info along with the omniauth request, you can first store the info to somewhere (like session). And in the oauth callback, you check the invitation code of current session, if it's available, register the user.
Related
I'm trying to apply Social Service 2.1.3 to my app (play framework). I have hard time with find method implementation. Right now (in save) method (after user login) i'm putting user Identity obj. to play cache (to avoid overusege of rest api that i'm useing). But it dose not work in the way I wont to.
When user logout from google account my app miss this event, user can still operate and manipulate with data. How can i get to information about current status of user login/logout. I thought about event listener or AuthenticatorStore but cant find any examples how to use it.
best regards
Andrew
SecureSocial can't detect if a user logs out from an external service such as Google or Facebook.
When a user logs into your app SecureSocial will ask the external service to perform authentication. If successful the module will create an Authenticator to track that authenticated session.
The event listener works for actions done against SecureSocial itself, not the external providers.
I'm using Ember-Simple-Auth on an Ember-CLI project, and I'm also using the provided ember-simple-auth-devise authenticator that comes with 3.1. I'm able to login and logout successful, but I can't figure out where's the best place to put the callback (or when the promise resolves) upon successfully logging in. I want to be able to use the data returned by my API on my app after logging in. Any suggestions and advice would be highly appreciated! If requested, I can also provide code samples (although I figured it wasn't necessary since what I have implemented thus far is nothing custom).
Thanks!
When the session is authenticated successfully, the sessionAuthenticationSucceeded action is triggered (see http://ember-simple-auth.simplabs.com/ember-simple-auth-api-docs.html#Ember-SimpleAuth-ApplicationRouteMixin-sessionAuthenticationSucceeded, there are also more actions for other events). So that's a good place to react to the session becoming authenticated.
As the authenticator will set all values the server responds with as properties on the session you could also define additional properties that depend on these - see example here (where the account property depends on the accountId property that's read from the server response): https://github.com/simplabs/ember-simple-auth/blob/master/examples/4-authenticated-account.html#L101
I'm new to Symfony and PHP (previously worked with C++, Java) and I can't find any solution on how to log user login and logout actions to a database. I want those specific informations:
user who took the action (via userId),
action description (login or logout),
current timestamp.
I'm looking for the simplest possible solution. I managed to successfully log information on user login by modifying function rendering user login form, but I failed miserably when it comes to logout. I know it is a terrible idea after all, but I couldn't come up with any better one. Any suggestions? Thanks in advance.
If you have a look here, it says you can define a success handler and a failure handler which you use to log stuff to your database. You can also find the handler parameters defined in the reference documentation.
Login
You would first create a service which get's the security.context and entityManager as parameters and uses both to determine which user logged in. This service is then added to the success_handler parameter and therefor called after the user logs in.
Logout
This one is more tricky I guess, as I would assume that the security.context has no information about the user anymore and you cannot use it to determine which user is logging out. You may want to look into what the handlers parameter actually is. It might be a handler which is called while processing the logout, so you could use it. Of course you might log some logouts which fail because without the success handler you cannot be sure the logout was successfull. On the other hand, maybe you can get the session id from somewhere (again, security.context maybe) and log this instead.
Has anyone successfully implemented the Google Identity Toolkit, an implementation of an Account Chooser. I followed the initial steps here, but I still have a few questions, as I don't quite know how to handle the entire data flow. I'm using Clojure / Compojure in the back-end:
http://havethunk.wordpress.com/2011/08/10/google-identity-toolkit-asp-net-mvc3/
http://code.google.com/apis/identitytoolkit/v1/acguide.html
A) don't quite understand how ID Provider authentication, fits into my data model
when implementing the callbackURL, what data should I expect, and
how's that session state managed by GITkit (and all Account Choosers)
B) Is there a way to set this up the 'callbackURL' for development.
the identity provider would need a URL that it can redirect back to
C) How can the GITkit / Account Chooser workflow let my users register an account that's native to my app?
Thanks in advance
The questions aren't entirely clear, but I've done an implementation of GITkit in ruby and can give you some pointers.
A) The callback URL is what handles the assertion from the identity providers. Rightnow GITKit only does OpenID, so the URL will contain an OpenID response either in the query parameters or as the POST body. You'll need to do a few things:
1) Call verifyAssertion in the gitkit API and pass the params/post body. This will return a JSON response that contains the user details (assuming assertion is valid). There are some other checks you should do as well
2) Decide what to do with the assertion. If it is an existing user, most likely you'll just establish a session and save the user ID. If it's a new user, you can either create a new account and start a session immediately, or defer that and redirect them to a signup page.
3) Render HTML/JS to notify the widget. There are different status codes and data you can return that changes the flow.
GITKit itself doesn't really manage session state, that's up to your app. Some of the reference implementations have code to help, but it's not part of the API. The widget does have some state that you can control with JS (add account, show as logged in, etc) and uses local storage in the browser.
The docs give some details and example code for how this should be implemented.
B) Of course. The URL is just configured in the javascript widget when you call setConfig() It can be set to localhost or any staging server for development. So long as your browser can reach it you're OK.
C) By "native", I assume you mean where they're signing up with just a username/password instead of using an IDP. If so, the user just has to enter their email address when logging in. If that email address matches a known IDP it'll attempt to authenticate with OpenID, otherwise if it's a new user it'll redirect to whatever signup page you configured in the widget. That signup page would just ask the user to create a password like you normally would. You should also return whether or not accounts are 'legacy' (password) accounts in the userStatus checks.
Hope that helps.
For anyone's future reference. I was able to resolve the issue. You can follow this thread of how's it's done in Clojure.
I got it working with Ring/Compojure, and another fellow showed me his solution in Webnoir.
HTH
I'm trying to add a "share via twitter" link to our website. I'm aware of the standard http://twitter.com/home?status=TWEET method, and it works good enough for my purposes when the user is logged in to twitter already.
If, however, the user is not logged in, twitter displays the login form first (which is only reasonable). After the login, the home screen is displayed without the tweet content.
Am I missing something obvious, or is this a know flaw in this method? If so, what is the easiest way (apart from using services like TweetMeme, which I noticed asks for login in advance) to make the share button work as expected?
If the user is not signed in when accessing http://twitter.com/home?status=TWEET it seems that the status is indeed forgotten. This would be a Twitter website issue and not something you're doing wrong.
Update: Use this URL instead: http://twitter.com/intent/tweet?text=TWEET
TweetMeme, on the other hand, uses its own Twitter "application" via the OAuth authentication, requiring users to log in before retweeting using TweetMeme, and is smart enough to include the tweet message in the OAuth callback URL so that it's not forgotten.
So really, you can:
Use TweetMeme, where the user would have to log in, but at least have the tweet be remembered once that's done;
Create your own Twitter application that uses the same tweeting functionality as TweetMeme; or
Use Twitter.com's less-than-desirable status updater and hope the user is logged in, or hope that they're smart enough to click the back button a couple times and click on your link again if needed.
Just use the following url and parameters
http://twitter.com/share?text=YOUR-TEXT&url=YOUR-URL
Then it works.