I use spring-authoriation-server 0.2
I need to implement a login workflow which is based on a user-interaction on his mobile phone.
Which means instead of username/password custom page, I need to generate some information, and show as QR code. Then a user scans it, and can login.
Now, I have some problems to find the right place in the authorization server where I can integrate own workflow into the login page. I need to wait for the user, and then create the authorization code for the client. So any hints?
Related
I'm creating an application in Blazor WebAssembly with Microsoft.Authentication.WebAssembly.Msal for the authentication. I followed this link. I'm using the RemoteAuthenticatorView component to perform a login. But I want that the user has to confirm his password for a critical operation. Or maybe he has to re-login. How can I do that ?
Edit: Previously, I used Microsoft.Identity.Client in a desktop application. To do the confirmation, I used the AcquireTokenByUsernamePassword function. But it's not possible in a webapp.
If you using the Azure AD Signin user flow a textfield for password input isn't possible.
This because the form containing the field has to be Remote inside the Azure AD domain.
If you want, as you propose as alternative, a popup to confirm the identity of the user, the only possibility is to logout the user and redirect him to the login.
But in this case you (he) lost any session data and it's hard to use the returnUrl parameter to restore the same status, with i.e. a form with data.
I think should be better to send an email with a verification code, or, as Microsoft does on the Azure Portal, request a keyword to confirm the operation.
Generally speaking this keyword could be any of your choice, in the past I've used a secret word configured by the user himself inside his profile page.
We're using Spring Social LinkedIn in a single page javascript app to authenticate a user. We're able to successfully authenticate against LinkedIn, but we're having trouble getting that to integrate with our javascript app. It actually breaks down into two issues:
Issue 1:
We're using one API key for a set or related apps - and we use a single sign-in process. We need a way to identifiy which app the user came from and to send them back to the right app after logging in. The problem we're having is LinkedIn only allows one redirect URL and I don't believe it can carry any parameters (that would probably be the solution if it's possible to carry a parameter like the identifier of the app they're in). Do you know of a way to conditionally redirect the person after login?
Issue 2:
When the user is authenticated, we store the user info in our database, but after that we need the log the user into our app and provide the user with a token. Is there a way after the LinkedIn authentication completes to trigger another call to the server to request the token?
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
I am building a WP7 Twitter client. The normal OAuth 1.0 flow involves obtaining a request token by navigating a web browser to https://api.twitter.com/1/oauth/authenticate with my app's consumer key; this page will show a login prompt and ask the user to authorize my app to perform actions on their behalf. Upon completion, this page will redirect to a callback URL supplied by my app, with the request token supplied as a parameter.
For web apps this makes sense. I don't understand how this is supposed to work for a standalone mobile/desktop app, though. The Twitter API documentation seems to imply that this should be a feasible option. They do offer an alternative xAuth mechanism that allows an app to gather username/password itself and then supply that directly to obtain an access token. The API documentation points out that this is an inferior option (as it requires the user to trust the app, not just Twitter, with their password), but I don't see how I have any reasonable alternative?
(there is also a PIN-based option, but that's a pretty burdensome solution for the user)
I just want to make sure I'm not missing anything obvious.
"For web apps this makes sense. I don't understand how this is
supposed to work for a standalone mobile/desktop app, though."
Just embed a web browser control in your app, and navigate to the twitter authentication page. Then detect the redirection to the callback url (using the Navigating event) and retrieve the parameter. Many twitter apps do that, it's basically the same as asking the user for the login and password, except that instead of your own controls you're displaying twitter's page.
Nope, you're correct. The option for a mobile/desktop application is either a pin-based option or to use xAuth. Once you have an xAuth application has an access token it is indistinguishable from OAuth (it only changes the authorisation workflow). One thing it does change, and this is very specific to Twitter, is that if you do use xAuth then your application will not be allowed to read or write Direct Messages. See Twitter's The Application Permission Model page for more information.
I'm using DNN 5. When a user logs in, I want to load some data into the session. Where should I add my code? Should I intervene into the login.aspx's code behind?
The solutions seems to be writing a custom authentication provider.
One option would be to set the page the users sees upon login and add a custom module to that page. That would get you out of writing an authentication provider.