Im building a simple app and need to add authentication. I was wondering if it was possible within omniauth to limit users that can sign in with twitter by their usernames.
My aim is to only allow a few pre-select people into the backend of this app.
I believe you already have some strategy to manage users signing in with twitter. If not, you might wanna check out this raislcast episode.
Once a user signs in with twitter, twitter will forward you a hash of that user object. You can access it via request.env["omniauth.auth"] and decide if you want to create a user object for a particular username.
Related
For my web app I am trying to allow the user to add multiple payment methods. I am using the user token in order to gain access to the income feature. However, there appears to be no way to allow multiple payment methods because the user token only corresponds to the data most recently entered through Plaid Link and trying to create a second user token fails because you cannot have repeat client user ids. How exactly do you get around this?
Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
My goal is to create a single click registration / sign on for my site using social media that's painfree yet secured using oauth and SocialAuthenticationFilter.
Ideally you'd be able to login to the same account with either twitter / Facebook etc (without first connecting them to a user account).
An example I'm working from is the Spring Social Showcase found on git, it's fantastic but it still requires an intermediary 'sign up' step.
I can't figure out a way of making a secure account using only the info from Facebook login using aouth and I'd prefer it if a user didn't have to sign up and connect as per the example.
So, is there a secure way of doing this or am I misunderstanding something?
Thanks
Using OAuth / OIDC is the right way to go.
In order to automatically match the logins from different social login providers, you have to rely on the email address as the primary user identifier.
Once relying on the email address, you may automatically register new users inside your internal DB.
However users may want to change their email address. This may complicate the processes significantly, depending on what options you want to support.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I'm currently building a web app (my first), and wanted to include OAuth capability so that users can log in via twitter and facebook. I'm building it in Sinatra, and have looked at the OmniAuth gem, which seems to be just right for the job. The issue I having is redesigning the User model.
Currently I have the usual first name, last name, username, email and password, with the username being unique so that I can use it for the ID, and like twitter, I can type in www.myapp.com/username to find the info on that user. I decided that for the initial version I'm just going to use twitter as the login, then later facebook, and lastly the usual sign up. My problem is that it's more than likely that people will have the same usernames in facebook as they do in twitter. So, for example, if I sign in using twitter, and take the 'newuser' ID, it will be an issue when someone with the same username from facebook tries to join.
The OmniAuth gem works by providing a hash of the user info. I'm going to use Mongo, so I can include a twitter and facebook field in the user modle and keep the hashes in there, I'm just a bit stumped as to how to go about creating unique ID's when it's more than likely that both services are going to have people with the same username, or that once the regular login is implemented, someone could sign up and take a username that is already in use on twitter or facebook, preventing those people from signing up with their twitter/facebook accounts.
I'd be really interested to hear how others have approached this.
I'm using a table only for auth keys, it means :user_id, :provider, :key columns, and a seperated User table, :email, :nickname, ...
If the user logged in with his Twitter account, log out, and log in with Google Acc. for instance, then you will have two different accounts, and there's no solution to associate any with an existing account. I suggest you to allow the logged in user to link his currently use user account to another auth provider (you should seperate the user from authentication, and after the first login he should be able to link more auth key to his user account). He logs in to his primary user account (using twitter, for example) and links his user account to his Google account clicking to google icon on auth page.