My goal is to create a single click registration / sign on for my site using social media that's painfree yet secured using oauth and SocialAuthenticationFilter.
Ideally you'd be able to login to the same account with either twitter / Facebook etc (without first connecting them to a user account).
An example I'm working from is the Spring Social Showcase found on git, it's fantastic but it still requires an intermediary 'sign up' step.
I can't figure out a way of making a secure account using only the info from Facebook login using aouth and I'd prefer it if a user didn't have to sign up and connect as per the example.
So, is there a secure way of doing this or am I misunderstanding something?
Thanks
Using OAuth / OIDC is the right way to go.
In order to automatically match the logins from different social login providers, you have to rely on the email address as the primary user identifier.
Once relying on the email address, you may automatically register new users inside your internal DB.
However users may want to change their email address. This may complicate the processes significantly, depending on what options you want to support.
Related
I've found plenty of information on implementing Oauth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a gmail inbox for attachments transforms them, and exports to prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config or any other for that matter to retrieve a token without involving a manual user step.
Will doing this in Go require writing direct API calls since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?
First off i understand what you are trying to do.
You have a backend system running in a container which will access a single gmail account and process the emails.
Now you need to understand the limitations of the API you are working with.
There are two types of authorization used to access private user data
service account - server to server interaction only works with workspace domains. No authorization popup required.
Oauth2 - authorize normal user gmail accounts, requires user interaction to authorize the consent screen
If you do not have a workspace account and this is a normal gmail user then you have no choice you must use Oauth2, which will require that a user authorize the application at least once.
Using Oauth2 you can request offline access and receive a refresh token which you can use to request new access tokens when ever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must in production and verified. This means you need to go though Googles verification process with a restricted gmail scope which requires third party security check and costs between 15k - 75k depending upon your application.
I understand that this is a single user system but that does not mean that you still need to go though verification. When google added the need for application verification they did not take into account single user systems like yours.
Option
Have you considered going directly though the SMPT server instead of using the Gmail api? If you use an apps password you should bypass everything by loging in using the login and the apps password.
Suppose I have an application in which I have enabled (google) Oauth2 authentication but I want only a few business people can log in to my application with there specific email id and rest of the people can't. How Can we achieve this using Oauth2?
1.) Lots of people have a Google account and can authenticate with Google
2.) I want Only some of them should be authorized to use your app, which maybe deals with business assets
I suspect your requirement is:
Lots of people have a Google account and can authenticate with Google
Only some of them should be authorized to use your app, which maybe deals with corporate assets
In this case I would proceed something like this:
STEP 1: PREREQUISITE USER SETUP
Get a list of users and perform an Administrator Approval step to create them in your product database, perhaps with Name and Email fields.
STEP 2: INCLUDE THE EMAIL SCOPE DURING LOGINS
In the Google login redirect, use scope='openid email' so that you can identify the user via email after login. Allow users to successfully authenticate.
STEP 3: AFTER LOGIN PROCESS THE ACCESS TOKEN
You will then get then be able to get the user's email address from the access token (though you may have to send it to the Google User Info endpoint).
STEP 4: DENY ACCESS WHEN REQUIRED
If you can't find the email associated to the token in your product user data, present a Forbidden message to the user.
FURTHER INFO
See my User Data Write Up for further details on technical options. Note that I have not actually tested this with Google, but I have used the general approach with a few different systems.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I'm building mobile applications using .NET. What I'm looking for is a way to manage user sessions and info using Azure Mobile Services. I've read a lot about the authentication in Azure Mobile Services, but this only authenticates a user via Facebook, Twitter, etc ... to access azure services.
I'm looking for user session management, i.e. register, login, logout. Be able to save and retrieve user info, i.e., save certain info against the user such as age for example. Also session management and caching, i.e. the user will remain logged on when the app is closed and re-opened. Also azure mobile services doesn't seem to provide a way to allow me to register users via email.
Basically, If anyone is familiar with Parse, I'm looking for having similar functionality in Azure. Can anyone help please ?
Thanks
Out of the box, Mobile Services provides easy authentication with social providers (Facebook, Twitter, etc) and Azure Active Directory. If you want to do registration via email, you'll have to create a custom auth system. This is going to be more complex than just flipping a switch and using Facebook auth, but totally doable and I can point you in the right direction. First, check out this post that will explain how you can create a registration / login system using custom API and the script backend. If you're using a .NET backend, you'll need to alter thing a bit (the samples are in JS) but it should be pretty easy to convert. The only piece that is really missing from that post is how to do email verification. To do this with Mobile Services, I would suggest the following.
Sign up for a SendGrid account (free in the Azure store)
From your script, after registering the user, generate a random alphanumeric string that is saved to their account / user record in the table.
Use the same string to create a URL which you can send to the user's email address (check out this tutorial for sending email via SendGrid and Mobile Services).
The link can either go to a different custom API or a web front end. When that endpoint is hit, it should update the user record to show that they have verified their email address.
I'm working on a site that requires the user have a unique username to use all services on the site. They cannot self-change this username for community fairness.
We would like to allow users the simplicity of registering/logging in using their facebook accounts, but this username requirement is obviously a hurdle.
The only idea I have come up with is after the connect process, send the user to a final step page where they enter a username. The only downside to this is that the user has the ability to navigate away before entering a username, meaning we need to add further layers of checks to several site functions to ensure a user has a username, and prompt for one if not.
Any ideas on how to streamline this during the connect process? Any site examples of similar implementations where auxillary info is required to use some or all site features?
Have you looked at Facebook's registration plugin?
The Registration plugin allows users to easily sign up for your
website with their Facebook account. The plugin is a simple iframe
that you can drop into your page. When logged into Facebook, users see
a form that is pre-filled with their Facebook information where
appropriate.
https://developers.facebook.com/docs/plugins/registration/
The plugin also allows you to add custom fields so you could simply add your username field.
There are a load of advanced features including validation, here's an example in the Facebook documentation that includes the username field and checks to see if it's available
https://developers.facebook.com/docs/plugins/registration/advanced/#async