I have an Web application that uses Google Drive. In order to make it easier for user to integrate his account (in this web application will be easier for client this way), I would like to have two links for authentication:
A link with the current user email that sends the user to the authorization page.
A link that automatically logout the current user from Google (if any) and send the user to authorization page (in this case the login page).
In order to accomplish that I need:
- the current Google user email
- logout current Google user
I really think this is not possible, but is it possible to me do this actions before have my application authorized by user?
You will only be able to pull a user's email address after they have authorized you to do so, so that isn't possible.
You can use OpenID to retrieve a user's email address or redirect them to the Google login page if they aren't logged in. They have to authorize your application, though, so you won't be able to direct them to different places until after they've signed in. There are details on the login flow at https://developers.google.com/accounts/docs/OpenID#Interaction.
Related
In my Spring Boot I'd like to have both social login and signup with user and password.
Let's say the user signs-up via Google. After some time, he forgets that he signed-in via Google and tried to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user to register twice?
Is there an article or something that explains a similar login/registration flow?
you can save all the users(OAuth or signup) in the user table. you can maintain a column by which you will be able to identify them if a user is signed in via OAuth or email. then if a user tries to signup via the same email you can show a message. or you can design your signup process using multiple steps. at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the url, if she previously logged in using some oath provider then she will be automatically logged in otherwise she needs to set her password.
In my web app, I'm integrating a "Sign In With Google" button with Google Api Client (JS), in order to then integrate with some other Google services.
So far I've already implemented the login logic: the user is able to click the button and proceed to the application, the flow is this:
the user accepts to connect the app to its google account
then I send the response token to my backend (PHP) to check the token and store in the DB the Google UserID (sud)
If the user had already an account with my app, I update the profile to add the google sign in option.
If the user did not have an account I ask him to register client side.
from now on the user can access my app both with my app's login credentials, and with "Google Sign In".
I send back to the client the access authorization to my app.
My problem is, how to sign in the user automatically the next time? At least two scenarios my happen:
the user opens my app from the computer of a friend in which another google account is already logged in. The user chooses to login in my app with my app's credentials (not "Google Sign In"), so once he/she is logged in, by refreshing the token I would get the wrong Google account. Displaying the authorization window again wouldn't be ideal and would surely offset the user seeing someone else's account.
the user opens my app in incognito (private) mode on a friends' computer, and he/she chooses to login using his/her email and password, not the google sign in. Again, I wouldn't know how to re-sign in the user with the google api client.
Since I know in my backend what Google user is "my user", is there a way to pass such information to the google client api, so that it logs in the right user?
I am looking forward to integrate logging in users using Facebook's authentication. I have my app protected by OpenAM and the users are already registered there. I have my own login page and would not like to move this to OpenAM and retain it in my app. As of now, I am using REST calls to authenticate users in OpenAM. Now, I want to integrate login using Facebook. My idea of implementation is as following:
User logs in using original credentials and is authenticated in
OpenAM.
User is asked to associate his/her Facebook account with the
OpenAM account.
User authenticates his/her Facebook account
(https://www.facebook.com/dialog/oauth?app_id={app-id-as-created-in-fb-developers-console}&redirect_uri={my-rest-service}).
This will return the code and that can be used to recheck against
Facebook to ensure that the user was authenticated against my app
and this is not a hacker intervention
(http://graph.facebook.com/debug_token?%20input_token={code-returned-from-facebook}&access_token={my-app's-access-token}.
The response will contain the app ID that can be verified against my
App's ID. On success, I shall call OpenAM to associate the user in
OpenAM with his/her Facebook credentials (Not sure what all to use
here.)
Next, whenever the user wants to login, he/she can use Facebook
login where in the redirect URL would be my REST service and the
code returned from Facebook can be rechecked from Facebook and then
OpenAM will be called to authenticate.
My queries:
I am not sure if this approach is feasible.
How do I pair an existing user in OpenAM with the Facebook account?
How do I authenticate the user in OpenAM after Facebook login, with
the userID?
Is the Facebook userID (numeric,returned from Facebook graph in JSON
response), unique and permanent?
I would also want to give the users an option to de-associate the
existing Facebook account and associate a new one-how do I do this?
Apologies for asking too many questions, but I am new to OpenAM and OAuth and keen on following the approach I have mentioned above.
Thank you.
As an aside, it will probably be much easier in the future if you delegate all of the login to OpenAM, and let it deal with local login and social. This will make it really easy to add more social providers.
If you want to keep your current architecture, you can create a new authentication chain in OpenAM that just has social (facebook) login. You should be able to redirect the user to that chain. Once the social login process is complete, you can have OpenAM redirect back to your application page.
To link local and social login you are going to have to offer some kind of account claiming in your application. After they do a social login you could ask them to link their local account by providing the username and password. You can call OpenAM's REST API to validate the credentials.
This kind of linking can be confusing for users - so sometimes it is better to treat them as separate accounts, or have a migration process for the user to migrate to social only.
I am reading the docs in the Stormpath website. They have documentation about how to create account, application...
But I cannot find the overview the big picture of the Stormpath
especially how can my web application can integrate with it.
I need a picture that describe the flow of the authentication between my Web Server, browser, and stormpath API.
I have a web application and a login page.
My specific questions are:
When a user clicks the submit button of the login page, should I call the RestAPI to Stormpath to authenticate or I need to send username and password to my web server, and web server will send it to Stormpath to authenticate?
If when a user clicks the submit button and I need to call the RestAPI of Stormpath from JavaScript, after login successfully do I have a returned Access token? And what can I do with that token.
Please help me.
Heyo -- I work at Stormpath, so hopefully I can explain this for you a bit.
If you're building a website, and storing your users with Stormpath, here's how authentication works:
A user visits your website, and clicks the login page.
You show a login page and collect the user's email and password (or username).
The user clicks Login, and that form data is transferred to your web server (not Stormpath!).
On your server-side code, you would then use one of the Stormpath libraries to authenticate the user's account. You would take the form data the user submitted to your server, and then call the proper Stormpath method to authenticate the user.
Stormpath will log this user in, by creating an access and refresh token, and securely storing cookies for your user in the browser.
This is how the flow typically works.
Is it possible for me to create an application that can send our requests to access to users' Google Calendar so that I can see the events in there and be able to add, edit, and delete events?
I do not want the users to log into my website to enable this access. Rather, I want to be able to send this request, perhaps via email.
Alternatively, perhaps they could log in the web app and authorize access themselves somehow.
One option would be to e-mail the user a link to the OAuth 2.0 consent screen. The users would still need to open the link in a browser, sign in to their Google account (if not already signed in), and click the "Authorize" button to grant your application access to their Google calendar events.
First, you will need to register your application as a Web App in Google's Developer Console (just like for any other application) and obtain a client_id. Be sure to fill in the name of your application and a link to your website in the "OAuth consent screen" section, because these values will be shown to your users when they click the authorization link.
Then, follow these steps:
Send the user an authorization link in an HTML e-mail message. The link should be constructed according to the guidelines in "Redirecting to Google's OAuth 2.0 server", and pay attention to the following aspects:
Ensure that the redirect_uri parameter in the authorization link points to your application.
Since you already know the e-mail address of the user, consider including the login_hint=<email address> parameter to bypass the account selection screen.
Important: provide a value in the state parameter so that you can link this authorization request with the user.
The link should be placed in an <a> tag somewhere in the body of the e-mail: Allow access to my Google calendar
When the user clicks on this link, their browser will open and show the standard Google consent screen:
Once the user has made a choice, their browser will be redirected to the redirect_uri which you have provided.
Make sure that the redirect_uri will work even if the user isn't signed in to your application. Capture the state and authorization_code values which Google appends to the redirect_uri, and then return a confirmation page (e.g. "Thank you for giving us access to your Google calendar" would be a good idea).
Using the state and authorization_code values, follow the rest of the standard OAuth 2.0 flow and retrieve a refresh_token which will allow you to access the user's Google calendar from your application.
Keep in mind that the calendar owner (the user who is clicking the link in the e-mail and granting your application consent to access the calendar) may not even be a user of your application. This is why it is important to provide as much information as possible on the consent screen and in the confirmation page.
Since your confirmation page will be loaded even if the user does not grant your application consent, you could take the opportunity to give the user a full description of why you are asking for access to their calendar and provide a link that will take them back to the consent screen. This should increase your success rate.
Every request your application sends to the Google Calendar API must
include an authorization token. The token also identifies your
application to Google.
Your application must use OAuth 2.0 to authorize requests. No other
authorization protocols are supported. If your application uses
Google+ Sign-In, some aspects of authorization are handled for you.
The details of the authorization process, or "flow," for OAuth 2.0
vary somewhat depending on what kind of application you're writing.
For more details on the workflow to gain access click here. Once your app has access, it will be able to view and edit a user's calendar events, depending on the approved permissions.