I'm creating an application in Blazor WebAssembly with Microsoft.Authentication.WebAssembly.Msal for the authentication. I followed this link. I'm using the RemoteAuthenticatorView component to perform a login. But I want that the user has to confirm his password for a critical operation. Or maybe he has to re-login. How can I do that ?
Edit: Previously, I used Microsoft.Identity.Client in a desktop application. To do the confirmation, I used the AcquireTokenByUsernamePassword function. But it's not possible in a webapp.
If you using the Azure AD Signin user flow a textfield for password input isn't possible.
This because the form containing the field has to be Remote inside the Azure AD domain.
If you want, as you propose as alternative, a popup to confirm the identity of the user, the only possibility is to logout the user and redirect him to the login.
But in this case you (he) lost any session data and it's hard to use the returnUrl parameter to restore the same status, with i.e. a form with data.
I think should be better to send an email with a verification code, or, as Microsoft does on the Azure Portal, request a keyword to confirm the operation.
Generally speaking this keyword could be any of your choice, in the past I've used a secret word configured by the user himself inside his profile page.
Related
In the documents of Google One-Tap sign in, it says:
Returning users are signed in automatically, even when they switch devices or platforms, or after their session expires.
Question 1:
But it doesn't say anywhere how it does this? Is the user refresh token saved in the browser's cache? How can it then auto log in a user cross devices?
Question 2: The reason I ask is because I have a setup where I initialize the Google API client for JavaScript ("GAPI"). The GAPI library also automatically logs in a user whenever the client is "initialised" through gapi.client.init().
Now the problem is that after I have added the Google One-Tap code (Or should I say "YOLO code"? : ) my user gets logged in through One-Tap and also through GAPI. I can prevent this by not initializing the GAPI client, but I don't think that's wise, because I thought this whole library is built to manage my refresh tokens etc. Is my understanding correct that One-Tap does exactly the same and in case I only want to Authenticate users I do not need the GAPI client anymore?
Really, which library does a better job at managing my refresh tokens? And how do they differ? I'm clueless...
The way I implemented my login is the following:
Try to login in the user first using gapi.auth2. Maybe the user was previously signed into the site.
If can't login user automatically, then use googleyolo to try to find existing user accounts.
If no existing accounts, then present a signin button for user to signin.
I can give you some code snippet if you need.
To answer your questions.
#1, the credential is stored within the browser/device. If the user has never signed into google in a device, then yolo won't be able to sign in the user.
#2. googleyolo will also login the user, the difference is that it will give the account selector even if there's only one user to select (it will automatically login the user if there's only one). gapi simply sign in the user without showing anything.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I have a site which is built in ASP.net and C#. Let's call it webapp. it uses a Form system to log on into it, and cannot be changed easliy.
I got a request to change the log in to some kind of windows authentication. I'll explain.
Our windows login uses active directory for users to log into their windows account. their login name is sXXXXXXX. X are numbers.
in my webapp, I want to take the users numbers from their active directory login, and check if those exist in the webapp database. if it exists, they will automatically log in. If it doesn't, they will be referred to the regular login page for the webapp system which is currently in use.
I tried changing my IIS to disable anonymous login and enabling windows authentication, therefore making the user browser to send it's current logged in user name to my webapp. I changed the web config as well from "Forms" to "Windows", which made my whole webapp obsolete as the whole forms system did not work.
My question is this - is there a different way for the browser only to send the username to my webapp? I thought maybe javascript, I just don't know how to implement that, if it's even possible. I know it's not very secure, but all this platform and system is built outside the internet, it's on a private network.
<script language="javascript">
var username = '<%HttpContext.Current.User.Identity.Name %>';
</script>
The only way you could get at the user's domain credentials via javascript would be by deploying some type of ActiveX component to expose that data to the browser. I wouldn't recommend that.
I would look at implementing a Login page for forms authentication that authenticates the user on the page load using HttpContext.Current.User.
The way forms works is that if an unauthenticated user attempts to access an access-controlled page and have not logged in (no cookie), they will be redirected to a login page that gives the facility to log in (this sets a cookie on the client-side). The user is then directed to the page they initially requested. You would simply be automating the login part.
If you have a mixture of pass-through and user who need to manually login you could check their client IP address to see if it matches one on your domain or not.
The solution I found for getting the username sent to the server was:
string winlogon = Request.ServerVariables["LOGON_USER"];
After enabled Windows Authentication Mode in IIS.
I have developed a mobile application using asp.net mvc3,html5,jquerymobile. I am authenticating the user using the ADFS authentication. Using IPAD or IPhone once the user is authenticated he is able to perform a download functionality in order to download an application. Now once the download functionality is completed when the user again tries to navigate back to the application he is prompted with the login window once again.
I need to stop the user from again entering the login credentials once again. So I thought of caching the user credentials will be good idea.
Can anyone help me to know how can we cache the user credential details in this case in order to prevent the user from entering the login credentials once again.
Thanks & Regards,
Santosh Kumar Patro
You could use persistent cookies. When authenticating simply pass true as second argument to the FormsAuthentication.SetAuthCookie method. This will emit a cookie that will be stored on the client for the given timeout period that you specify in the <forms> of your web.config.
I'm working on a site that requires the user have a unique username to use all services on the site. They cannot self-change this username for community fairness.
We would like to allow users the simplicity of registering/logging in using their facebook accounts, but this username requirement is obviously a hurdle.
The only idea I have come up with is after the connect process, send the user to a final step page where they enter a username. The only downside to this is that the user has the ability to navigate away before entering a username, meaning we need to add further layers of checks to several site functions to ensure a user has a username, and prompt for one if not.
Any ideas on how to streamline this during the connect process? Any site examples of similar implementations where auxillary info is required to use some or all site features?
Have you looked at Facebook's registration plugin?
The Registration plugin allows users to easily sign up for your
website with their Facebook account. The plugin is a simple iframe
that you can drop into your page. When logged into Facebook, users see
a form that is pre-filled with their Facebook information where
appropriate.
https://developers.facebook.com/docs/plugins/registration/
The plugin also allows you to add custom fields so you could simply add your username field.
There are a load of advanced features including validation, here's an example in the Facebook documentation that includes the username field and checks to see if it's available
https://developers.facebook.com/docs/plugins/registration/advanced/#async