After Parse.com have introduced new revocable session that gets destroyed when a user logs out, is it possible to build a reliable login process using "magic links", ie. a user receives an email including a link, and gets logged in in a web browser after clicking that link?
Previously, sessions in Parse were long lived and implementing a magic link login process was a matter of providing the user with his/her session token and having the client call Parse.User.become(<sessionToken>).
This approach will fail with new revocable session if a user is not already signed in to the Parse server when generating and clicking a magic link, since there will not be any session to give the user that he/she can use in the call to Parse.User.become().
Any clarification if this is possible to accomplish this with the new more secure type of revocable sessions in Parse, or suggestions on how to achieve this, are welcome.
Related
I have used this sample to integrate a bot in MS Teams
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/46.teams-auth
I needed to configure a third party OAuth provider and had all sorts of trouble doing so. Thanks to a smart gentleman on another thread, I am now able to authenticate my user with such provider.
Here's a quick example of the conversation flow. Don't mind the buttons in French, Oui is Yes and Non is No. On first boot of the application, when I click on the Sign In button, my provider's authentication windows opens and shows the auth form just fine.
However, when it comes time to logout the user and I type "logout" as indicated within this code sample
If I type anything else to log back in, I am instantly showed that I'm logged in, the authentication window opens and closes instantly and my token remains obtainable. How do I go about actually clearing that token? I don't feel like this is the intended behaviour, as shown by the docs here:
Do I have to clear it manually? If so, how should I approach this?
Thanks for any help you can provide on this
Note: I have tried to revert back to the default sample, with an AzureAD v2 connection and the result is the same. I login just fine with my Azure AD account, but the token persists even after a logout.
EDIT
Following the sugestions, here are additional screenshots
This is some info from the Context object passed down to the Interrupt
This is the content of the AuthenticationContext available in the Context object above
Note that I get my Success when I call the logout endpoint that was suggested
In the documents of Google One-Tap sign in, it says:
Returning users are signed in automatically, even when they switch devices or platforms, or after their session expires.
Question 1:
But it doesn't say anywhere how it does this? Is the user refresh token saved in the browser's cache? How can it then auto log in a user cross devices?
Question 2: The reason I ask is because I have a setup where I initialize the Google API client for JavaScript ("GAPI"). The GAPI library also automatically logs in a user whenever the client is "initialised" through gapi.client.init().
Now the problem is that after I have added the Google One-Tap code (Or should I say "YOLO code"? : ) my user gets logged in through One-Tap and also through GAPI. I can prevent this by not initializing the GAPI client, but I don't think that's wise, because I thought this whole library is built to manage my refresh tokens etc. Is my understanding correct that One-Tap does exactly the same and in case I only want to Authenticate users I do not need the GAPI client anymore?
Really, which library does a better job at managing my refresh tokens? And how do they differ? I'm clueless...
The way I implemented my login is the following:
Try to login in the user first using gapi.auth2. Maybe the user was previously signed into the site.
If can't login user automatically, then use googleyolo to try to find existing user accounts.
If no existing accounts, then present a signin button for user to signin.
I can give you some code snippet if you need.
To answer your questions.
#1, the credential is stored within the browser/device. If the user has never signed into google in a device, then yolo won't be able to sign in the user.
#2. googleyolo will also login the user, the difference is that it will give the account selector even if there's only one user to select (it will automatically login the user if there's only one). gapi simply sign in the user without showing anything.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
We are using WSFederationAuthenticationModule in an ASP.NET MVC 5 application to authenticate users via Windows Azure ACS. We have tried multiple things to save some user specific data in the session after the authentication has succeeded but everytime we write to the session object we got the exception 'Session state is not available in this context'. Our favorite was the event System.IdentityModel.Services.FederatedAuthentication.WSFederationAuthenticationModule.SignedIn but of course at this time the session does not exist. Where is the recommended place to write initial data of an currently authenticated user into the session?
Have you considered using the ClaimsAuthenticationManager for this? The beauty of this is that you can access the current claims for the authenticated user (before your application code is executed), run whatever query you need to run, and then stuff new claims into the claimset of the principal. I've used this technique before for similar situations as you described.
If you really need to get access to the session data, then I think you want to look at the SessionSecurityTokenHandler class.
In my grails application using shiro, I'm using cookies to store the session data including authorization.
When a user tries to log in without accepting cookies, the login works, but then (as expected) the session is lost again and the user is logged out.
I don't want to change this behavior in general, I just want to display a notification to the user that his Browser needs to accept cookies.
So is there a way to tell that this user has been the one who TRIED to log in after the session data is lost, so that I can display a respective message?
I think running a test whether cookies are accepted on every page is a bit too much, therefore I'm heading towards the solution at login only.
You could use the grails session to store the current state of the user. Then, on login, check the grails session and determine whether to show your message or not.