Email is mandatory field in my .net application using web-api 2.0 and OWIN for facebook login. How can I ask permission for email again, if user first denied email on Facebook external login but allowed other permissions and successfully logged in.
I am in GetExternalLogin method of web-api2 template, which calls external login consent screen. I am getting other ExternalLoginData as other permissions allowed by user, but not email. The consent screen has set the External Cookie.
Now application showing user is authenticated and not challenging again for email. How can I call the consent screen to re-ask email permission.
After no response for multiple days, I myself got answer on facebook. We can do this by adding the auth_type=rerequest parameter to Login Dialog URL.
Link 1: Re-asking for Declined Permissions
Link 2: Re-asking for Declined Permissions using ASP.Net Identity OWIN
Related
I am trying to understand the API's that #Microsoft provides. Its just so messy. My goal is to use the Exchange API to edit settings.
So, I have an APP, Access tokens and subscriptions.
When trying to login to https://outlook.office365.com/ I get the following error:
Your subscription is no longer active. Please contact your admin to activate your subscription.
X-ClientId: 05A0A74F610C432EA1AD48C77829580B
request-id 3088673c-f523-4e26-824f-1d0f7cb0a219
X-OWA-Error Microsoft.Exchange.Data.Storage.TenantAccessBlockedException
X-OWA-Version 15.20.2451.30
X-FEServer HE1PR05CA0360
X-BEServer HE1P190MB0508
Date:18/11/2019 09:11:34
But as you can see, I have a subscription:
What I understand is that I have to login to outlook.office365.com before using the API.
Update
Ok, so I can now login to https://outlook.office365.com/mail/inbox. It took a while............. But;
1) I can request: https://outlook.office365.com/api/beta/users/********************************/. It will return the specified user.
2) I can NOT https://outlook.office365.com/api/beta/users/********************************/mailfolders. I tells me 'access denied'. While my app has all Exchange, Office365 permissions. But delegate and application permissions.
The "Grant admin consent for your tenant" feature seems to have been updated yesterday.
However, something is wrong with the new "Grant admin consent for your tenant" feature based on my test.
If you use it to grant admin consent, it will probably not take effect on the back end although admin consent has been successfully completed on Azure Portal.
Currently you could grant admin consent through a URL request.
https://login.microsoftonline.com/{your tenant}/oauth2/authorize?client_id={app id of your Azure AD app}&response_type=code&redirect_uri={redirect uri of your Azure AD app}&nonce=1234&resource=https://outlook.office365.com/&prompt=admin_consent
Please note that you need to create a new Azure AD App currently because if you have used admin consent on Azure Portal, granting admin consent through a URL request will not take effect.
Is there a way to suggest the signup email in a custom policy. I have users that need to signup only from invitational emails.
I saw in the docs (https://learn.microsoft.com/bs-latn-ba/azure/active-directory-b2c/direct-signin) that there is a way to suggest the login email in a custom policy Sign In by passing it as login_hint parameter in the request and adding DefaultValue="{OIDC:LoginHint} in the XML definition for "SelfAsserted-LocalAccountSignin-Email" TechnicalProfile. This works for Sign in but fails when I try to use the same trick in the "LocalAccountSignUpWithLogonEmail"
As #chris-padgett mentioned, you can create an invitation link.
The WingTip Games Application uses client_assertion to pass JSON to the User Journey but this approach has been deprecated: see B2C Documentation.
The recommended way is to pass JSON to the user journey, using id_token_hint.
You can find more information in this GitHub repo: SignUp with email invitation.
The application generates a sign-in invitation link(with a id_token_hint).
User clicks on the link, that takes the user to Azure AD B2C policy.
Azure AD B2C validates the input id_token_hint, asks the user to provide the password and user data (the email is read only).
User clicks continue, Azure AD B2C creates the account, issues an access token, and redirect the user back to the application.
For a code example for invitations, see the Wingtip Games application, which generates an invitation link that contains:
The e-mail address of the invited user
An invitation expiration, and
A HMAC-based signature
When the invitation link is opened, this application validates the HMAC-based signature and the invitation expiration and, if they are valid, then it redirects the invited user to an invitation policy.
This policy redirection contains a signed JWT with the email address of the invited user so that they must register with this email address.
I'm using oauth implicit flow to authorize google assistant user into the system.
The login flow goes like this:
If user is logging in for the first time, the assistant redirect it to my service where user provides its credentials and logs in. Upon successful login, my service generates a JWT token and sends it back to the google oauth endpoint.
Then user returns to the Google assistant with a message: "Your account has been linked to Google".
Now, the big problem is,
How can I logout the user once the token expires?
Or how can I revoke the token from Google Assistant so that it will again redirect the user to my service login page for authentication?
Try not to suggest Authorization code flow because existing architecture does not allow Authorization flow.
If you need more information then please comment below.
Found the solution.
You just have to send 401 Unauthorized Code from the your webhook. On receiving 401 Google automatically revokes the token and exits the application.
Then when user invokes the app again. User is asked to re-link his account with Google.
If you have further questions then comment below.
I am reading the docs in the Stormpath website. They have documentation about how to create account, application...
But I cannot find the overview the big picture of the Stormpath
especially how can my web application can integrate with it.
I need a picture that describe the flow of the authentication between my Web Server, browser, and stormpath API.
I have a web application and a login page.
My specific questions are:
When a user clicks the submit button of the login page, should I call the RestAPI to Stormpath to authenticate or I need to send username and password to my web server, and web server will send it to Stormpath to authenticate?
If when a user clicks the submit button and I need to call the RestAPI of Stormpath from JavaScript, after login successfully do I have a returned Access token? And what can I do with that token.
Please help me.
Heyo -- I work at Stormpath, so hopefully I can explain this for you a bit.
If you're building a website, and storing your users with Stormpath, here's how authentication works:
A user visits your website, and clicks the login page.
You show a login page and collect the user's email and password (or username).
The user clicks Login, and that form data is transferred to your web server (not Stormpath!).
On your server-side code, you would then use one of the Stormpath libraries to authenticate the user's account. You would take the form data the user submitted to your server, and then call the proper Stormpath method to authenticate the user.
Stormpath will log this user in, by creating an access and refresh token, and securely storing cookies for your user in the browser.
This is how the flow typically works.
I have an Web application that uses Google Drive. In order to make it easier for user to integrate his account (in this web application will be easier for client this way), I would like to have two links for authentication:
A link with the current user email that sends the user to the authorization page.
A link that automatically logout the current user from Google (if any) and send the user to authorization page (in this case the login page).
In order to accomplish that I need:
- the current Google user email
- logout current Google user
I really think this is not possible, but is it possible to me do this actions before have my application authorized by user?
You will only be able to pull a user's email address after they have authorized you to do so, so that isn't possible.
You can use OpenID to retrieve a user's email address or redirect them to the Google login page if they aren't logged in. They have to authorize your application, though, so you won't be able to direct them to different places until after they've signed in. There are details on the login flow at https://developers.google.com/accounts/docs/OpenID#Interaction.