I have a problem authenticating users in my banking application. I want super users to be created and authenticated using email. However, I want that normal users be registered and assigned account numbers. The normal users would then use the account numbers to login. How do you achieve authentication of these different kinds of users with different username fields in one django project.
I have tried overriding the USERNAME_FIELD to account numbers so that normal users would use that to login. It doesnt help to login normal users. For superusers, it prompts for account number when I run
python manage.py createsuperuser
Kindly assist in understanding how to handle this kind of custom authentication.
Django is ready to support your requirement. AUTHENTICATION_BACKENDS support multiple backend as list. For normal user you have to write custom backend and Add that in AUTHENTICATION_BACKENDS.
This link will help you.
Related
I'm creating a powerapp interface for a small corporation that using office365/sharepoint to log in to their network. Is it possible to use both the username or email and password to login and pass on to the next screen? so far this is what I’m working with "-----" don't know what to use.
If (User().Email = Txt_Inpt_Us, User().
and
If(User().Email exactin Txt_Inpt_Us.Text).------ = Txt_Inpt_Pas.Text, false, true)
I've tried various combinations and combing through powerapps help but am growing tired and wanted to get y'alls take.
PowerApps will be used by internal employees in a corporate using Azure AD user account, which is used for Single signon across Sharepoint, O365, etc. In some cases external guests can be shared with this PowerApp but still they have to be in some AAD and invited through your company AAD as guests.
That being said, Authentication for PowerApp is already taken care by Azure AD challenge. Not sure why you want to have a separate login screen to mimic the behavior.
In case you want some registration process to use and authorization on multiple role/persona, then you should maintain a separate database to handle the entitlements and authorization.
Don’t forget, this is going to be extra step for users, to get authenticated in addition to AAD always.
Suppose I have an application in which I have enabled (google) Oauth2 authentication but I want only a few business people can log in to my application with there specific email id and rest of the people can't. How Can we achieve this using Oauth2?
1.) Lots of people have a Google account and can authenticate with Google
2.) I want Only some of them should be authorized to use your app, which maybe deals with business assets
I suspect your requirement is:
Lots of people have a Google account and can authenticate with Google
Only some of them should be authorized to use your app, which maybe deals with corporate assets
In this case I would proceed something like this:
STEP 1: PREREQUISITE USER SETUP
Get a list of users and perform an Administrator Approval step to create them in your product database, perhaps with Name and Email fields.
STEP 2: INCLUDE THE EMAIL SCOPE DURING LOGINS
In the Google login redirect, use scope='openid email' so that you can identify the user via email after login. Allow users to successfully authenticate.
STEP 3: AFTER LOGIN PROCESS THE ACCESS TOKEN
You will then get then be able to get the user's email address from the access token (though you may have to send it to the Google User Info endpoint).
STEP 4: DENY ACCESS WHEN REQUIRED
If you can't find the email associated to the token in your product user data, present a Forbidden message to the user.
FURTHER INFO
See my User Data Write Up for further details on technical options. Note that I have not actually tested this with Google, but I have used the general approach with a few different systems.
We are trying to implement a "Login With Google" feature for an internal admin dashboard web app connected to our GSuite account. We want to limit login to this dashboard in two ways.
Only members of our GSuite domain can login to the dashboard
Only users in our domain belonging to a specific group within our domain can login to the dashboard
So far we have been able to accomplish number 1 above but not 2. Using a query param to the oauth2 API we can limit the domain. What we have in mind to accomplish number 2 is after the user within our domain is logged in, get their group information and validate that they are in the proper internal group or log them out. The issue with this is it seems only GSuite admin accounts are allowed to make API calls to the Directory API for this information. Is there no way to get the group information for a user with their own access token or using a service account? Ideally we don't want to have to provide a specific admin user within our GSuite account's personal credentials in our application to get this working. Is there a better way to proceed?
Thank you in advance for any help!
I am using Google Admin SDK Directory API to create users and using Service account I am able to perform CRUD operations on them.
I have a requirement whereby I have to check the credentials of users created using SDK.
When you fetch the users the password is not returned, hence comparison cannot be done.
I'll really appreciate if someone lets me know what would be effective way of approaching the checkCredentials function.
Thanks.
Google does not ever return the value of the password. That would be a monumental security risk.
See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.
If your requirement is too check creds on a newly created user, you should look into trying to login as the user with the password you just sent, using the google auth Apis
At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.
Im building a simple app and need to add authentication. I was wondering if it was possible within omniauth to limit users that can sign in with twitter by their usernames.
My aim is to only allow a few pre-select people into the backend of this app.
I believe you already have some strategy to manage users signing in with twitter. If not, you might wanna check out this raislcast episode.
Once a user signs in with twitter, twitter will forward you a hash of that user object. You can access it via request.env["omniauth.auth"] and decide if you want to create a user object for a particular username.