iOS App Extensions: Share or Action? - ios8

I wonder if the new iOS App Extensions feature supports my case? If so, would I use Share or Action?
My case is similar to a Share but not really sharing, just making a request of my service. Here's the use case:
1. From an item in a host app, the user taps the button for my extension, which the app developer has placed there
2. The host app opens my extension passing a couple of bits of relevant data from the item the user was on
3. Check if the user is authorized to use my API (has API auth token)
4. If authorized, present a very simple form (probably two select lists) with Submit and Cancel buttons. No content or text editing
5. Upon submit, post to my API and receive a response that the request was accepted or an error with validation details. Upon errors, ask the user to try again or cancel. Upon success, return to the host app
6. If not authorized, ask if they are already a member of my service
7. If already a member, present a login form and perform authorization over the API, storing the auth token that is returned, then proceeding to step #4
8. If not a member, present a signup form asking for email and some minimal setup choices, storing an auth token, then proceeding to step #4

Related

Blazor WASM confirm password or re-login

I'm creating an application in Blazor WebAssembly with Microsoft.Authentication.WebAssembly.Msal for the authentication. I followed this link. I'm using the RemoteAuthenticatorView component to perform a login. But I want the user to have to confirm his password for a critical operation. Or maybe he has to re-login. How can I do that?
Edit: Previously, I used Microsoft.Identity.Client in a desktop application. To do the confirmation, I used the AcquireTokenByUsernamePassword function. But it's not possible in a webapp.
If you are using the Azure AD sign-in user flow, a text field for password input isn't possible.
This is because the form containing the field has to be remote, inside the Azure AD domain.
If you want, as you propose as an alternative, a popup to confirm the identity of the user, the only possibility is to log out the user and redirect him to the login.
But in this case you (he) lose any session data and it's hard to use the returnUrl parameter to restore the same status, with i.e. a form with data.
I think it would be better to send an email with a verification code, or, as Microsoft does on the Azure Portal, request a keyword to confirm the operation.
Generally speaking, this keyword could be any of your choice; in the past I've used a secret word configured by the user himself inside his profile page.

Token is not cleared when signOutUser(...) is called

I have used this sample to integrate a bot in MS Teams
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/46.teams-auth
I needed to configure a third party OAuth provider and had all sorts of trouble doing so. Thanks to a smart gentleman on another thread, I am now able to authenticate my user with such provider.
Here's a quick example of the conversation flow. Don't mind the buttons in French, Oui is Yes and Non is No. On first boot of the application, when I click on the Sign In button, my provider's authentication window opens and shows the auth form just fine.
However, when it comes time to logout the user and I type "logout" as indicated within this code sample
If I type anything else to log back in, I am instantly shown that I'm logged in, the authentication window opens and closes instantly and my token remains obtainable. How do I go about actually clearing that token? I don't feel like this is the intended behaviour, as shown by the docs here:
Do I have to clear it manually? If so, how should I approach this?
Thanks for any help you can provide on this
Note: I have tried to revert back to the default sample, with an AzureAD v2 connection and the result is the same. I log in just fine with my Azure AD account, but the token persists even after a logout.
EDIT
Following the suggestions, here are additional screenshots
This is some info from the Context object passed down to the Interrupt
This is the content of the AuthenticationContext available in the Context object above
Note that I get my Success when I call the logout endpoint that was suggested

How to properly secure laravel newsletter subscription?

I have a newsletter powered by a Laravel application. It lets subscribers select an area and set some filters to receive mail notifications on new housing for sale.
To solve this in an easy way for the user I did not want to use passwords and a long registration process with names etc. Instead, you just get an email, in that email there is an edit link with a secret token:
https://myapp.com/subscribers/42/edit?token=gwoi6n4ginagrpoargp4ar5gp14a
Would this be considered a safe approach?
When a user clicks the link, it is over HTTPS so it is encrypted, but it will still show in the current browser's history.
Will I get flamed for doing this and if so what are some ways to improve it?
With encrypted data in SSL communications, yes, it's safe. But in my opinion there are some offers:
1. Remove the word "token" from the address.
2. This link should not show the user edit page directly. Instead, it sends arguments to a controller, and the controller redirects the user to a new page with a clean link. Just save the token in the page for authorizing your user.
3. Why not produce longer (just a bit longer!) tokens?
4. To be safer, each link should have an expiry time. A new link will be sent with each newsletter mail.

Check if token from an email matches before allowing user to make database changes

I am using Laravel 5.4 to make an in-house app that does not have any authentication (out of my control). A user submits information, and an email is sent to a manager with the info and they can either accept/reject it by clicking on a button. If they click on the accept button a new window opens up where they can do stuff like change the user submitted information.
A token is generated and sent in the email so when the manager presses the accept button the token is sent along in the URL. How can I verify that the token is valid (matches what is saved in the database) before allowing them to make any updates or changes? Is it possible to block access to the route so they can't even open the webpage if the token is invalid?
I would also appreciate other ideas on how to best protect the app without using authentication
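The token check raised in the two Laravel questions above (a longer token with an expiry for the newsletter edit link, and verifying the emailed token against the database before allowing changes), as an added example in plain PHP that is not code from either post. The function names, the row layout and the 7-day lifetime are assumptions.

```php
<?php
// Added example, not from the posts. Function names, the row layout and
// the 7-day lifetime are assumptions for illustration.

const TOKEN_TTL = 7 * 24 * 3600; // assumed link lifetime in seconds

// Create a token for one e-mail link. The raw token goes into the URL;
// only its SHA-256 hash and the expiry are stored in the database row.
function issueToken(int $now): array
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    return [
        'token' => $token,
        'row'   => ['token_hash' => hash('sha256', $token),
                    'expires_at' => $now + TOKEN_TTL],
    ];
}

// Decide whether a request may reach the edit page. $row is the stored
// record for the id in the URL, or null when no such record exists.
function tokenIsValid(?array $row, string $presented, int $now): bool
{
    // Compare against a dummy hash when the record is missing, so both
    // paths do the same work.
    $stored = $row['token_hash'] ?? str_repeat('0', 64);
    $match  = hash_equals($stored, hash('sha256', $presented)); // constant time
    return $row !== null && $match && $now < $row['expires_at'];
}

// Constructed sample data standing in for the database table.
$now    = time();
$issued = issueToken($now);
$table  = [42 => $issued['row']];

$cases = [
    'correct token' => [42, $issued['token'], $now + 60],
    'wrong token'   => [42, str_repeat('a', 64), $now + 60],
    'expired link'  => [42, $issued['token'], $now + TOKEN_TTL + 1],
    'unknown id'    => [7,  $issued['token'], $now + 60],
];
foreach ($cases as $label => [$id, $token, $at]) {
    $ok = tokenIsValid($table[$id] ?? null, $token, $at);
    echo str_pad($label, 14), $ok ? "allow\n" : "deny (403)\n";
}
```

In a Laravel application this check would sit in route middleware, so a request with an invalid or expired token is rejected before the controller runs.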

How to use existing server token with emberjs simple auth

I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seem to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do is:
Customer visits the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer is ready to checkout and navigates to checkout page
The application intercepts the route and redirects the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
