Some users of my application do not have an email. I want them to register under a tenant. I couldn't find a way to make email field as non-mandatory while registration. The basic requirement of a stormpath account is an email and password.
Stormpath currently always requires a user's email AND password to create an account. In the future, we plan to remove this limitation.
For now, the only way to get around this is to fill in a dummy email address. Sorry!
Related
Suppose I have an application in which I have enabled (google) Oauth2 authentication but I want only a few business people can log in to my application with there specific email id and rest of the people can't. How Can we achieve this using Oauth2?
1.) Lots of people have a Google account and can authenticate with Google
2.) I want Only some of them should be authorized to use your app, which maybe deals with business assets
I suspect your requirement is:
Lots of people have a Google account and can authenticate with Google
Only some of them should be authorized to use your app, which maybe deals with corporate assets
In this case I would proceed something like this:
STEP 1: PREREQUISITE USER SETUP
Get a list of users and perform an Administrator Approval step to create them in your product database, perhaps with Name and Email fields.
STEP 2: INCLUDE THE EMAIL SCOPE DURING LOGINS
In the Google login redirect, use scope='openid email' so that you can identify the user via email after login. Allow users to successfully authenticate.
STEP 3: AFTER LOGIN PROCESS THE ACCESS TOKEN
You will then get then be able to get the user's email address from the access token (though you may have to send it to the Google User Info endpoint).
STEP 4: DENY ACCESS WHEN REQUIRED
If you can't find the email associated to the token in your product user data, present a Forbidden message to the user.
FURTHER INFO
See my User Data Write Up for further details on technical options. Note that I have not actually tested this with Google, but I have used the general approach with a few different systems.
Is there a way to suggest the signup email in a custom policy. I have users that need to signup only from invitational emails.
I saw in the docs (https://learn.microsoft.com/bs-latn-ba/azure/active-directory-b2c/direct-signin) that there is a way to suggest the login email in a custom policy Sign In by passing it as login_hint parameter in the request and adding DefaultValue="{OIDC:LoginHint} in the XML definition for "SelfAsserted-LocalAccountSignin-Email" TechnicalProfile. This works for Sign in but fails when I try to use the same trick in the "LocalAccountSignUpWithLogonEmail"
As #chris-padgett mentioned, you can create an invitation link.
The WingTip Games Application uses client_assertion to pass JSON to the User Journey but this approach has been deprecated: see B2C Documentation.
The recommended way is to pass JSON to the user journey, using id_token_hint.
You can find more information in this GitHub repo: SignUp with email invitation.
The application generates a sign-in invitation link(with a id_token_hint).
User clicks on the link, that takes the user to Azure AD B2C policy.
Azure AD B2C validates the input id_token_hint, asks the user to provide the password and user data (the email is read only).
User clicks continue, Azure AD B2C creates the account, issues an access token, and redirect the user back to the application.
For a code example for invitations, see the Wingtip Games application, which generates an invitation link that contains:
The e-mail address of the invited user
An invitation expiration, and
A HMAC-based signature
When the invitation link is opened, this application validates the HMAC-based signature and the invitation expiration and, if they are valid, then it redirects the invited user to an invitation policy.
This policy redirection contains a signed JWT with the email address of the invited user so that they must register with this email address.
I am trying to realise a system with AWS Cognito where a user registers an account for one email and later on registers some IoT Device with this account. It should then be possible to login with deviceId and password for the account. So basically i would like to have several login names for the same account.
I was hoping to make this behaviour work with Cognito triggers and the help of a serverside API , but unfortunately there is none.
I would be really grateful for any ideas or pointers. I am new to Cognito so i might be missing something.
Yes, it is possible.
While configuring your userpool, in the attributes section, for How do you want your end users to sign in? select Username.
After this, you can create multiple usernames all pointing to the same email address.
Some users of our application are admins. We want give them a capability to create new users. We think about the following flow:
Admin goes to "Users" page and clicks a "create a new user" button and fill new user's name and email address.
That new user retrieves an email with acknowledge that a user was created in our application.
The user clicks a link from email body and proceeds to "Set password" page and specify his password.
Is it possible to achieve such flow with angular + express? Is there any other possible flows which can be achieved?
You can create an invite-based flow, but you'll have to do some custom work with our libraries.
You'll need to work with the Stormpath Client and Stormpath Application directly, these are provided by the Stormpath Node SDK. Inside of your Express middleware, retrieve the client with:
var stormpathClient = req.app.get('stormpathClient')
and the application with:
var stormpathApplication = req.app.get('stormpathApplication`)
On the application, use stormpathApplication.createAccount() to create the user. When you pass the new account data, set the password to something that is very long, random, and un-guessable. If your Stormpath directory has email verification enabled, the user will get an invite email. That email should link them into your Angular application, to a custom view which will read the email verification token from the URL and post it to a custom middleware on your server. This middleware will need to use stormpathClient.verifyAccountEmail() to verify the token.
Then you can collect a new password for the user, and save it by setting req.user.password='new password', then calling req.user.save().
Hope this helps! I work at Stormpath and I am a maintainer of these libraries :)
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?