I am planning to allow users to login to a website I am developing using their social network logins. Probably using one of the multi-provider services such as Janrain, OneAll, LoginRadius. What I want to know is, if a user of my site is already logged into their social network site when they visit my site, how do I go about automatically signing them in? The example I have come across that does this is goodreads.com.
I've developing in ASP.NET MVC3 but I would welcome any explanations/examples on how I go about this in any technology or even just the theory.
I'm working at OneAll and I'm glad to answer your question.
After a user has logged in with Social Login, you create a new account in your database, you log the user in and you set a cookie.
When the same user comes back in a couple of days, you detect that he has a cookie and you use the cookie information to automatically log him him and you refresh the cookie.
Related
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
I have a website already running made with CakePHP, which has its own login system using the Auth component.
Now I'm going to create another website using moodle, hosted in the same server. Is there any way to share the user session between those 2 websites?
For example, if a user logs into the moodle website and clicks a link to a page of the other website, he is not asked to log in again, since the system recognises that he is already logged in.
I guess that one thing to do would be to tell moodle (somehow) to use same table of users in the database that the CakePHP website is already using. And then tell the CakePHP website to accept the sessions created in that other website. Something like this right?
But I don't know how to do those things or if they even possible, any advice on how to approach this would be very helpful.
Single sign-on (SSO) is not currently a trivial thing to do in Moodle.
Some other approaches you may consider are:
Use external authentication in Moodle and configure it to use Cake's database. Does not provide SSO but tells Moodle to use Cake's user accounts.
Configure both Moodle and Cake to use a common authentication system like LDAP, POP3 or CAS. Depending of your choice it is possible that you may achieve SSO.
More information about Moodle authentication plug-ins in this page:
http://docs.moodle.org/dev/Authentication_plugins
I've got a test MVC site set up, and configured to log users in to it using Facebook's authentication systems. Once users log out of my system, how do I ensure that the right thing happens wrt to the users being logged in to Facebook (ie, they revert to whatever state od logged in they were before visiting my site)?
I'm relying on the FB api wrappers that are available to download through NuGet.
Several of the examples I see include a facebook logout method that can be called through the API, to let FB know that user(s) have logged out of my site, which, I assume, is supposed to "do the right thing". However, the method seems to have been removed from the library (and from the API?).
Is there some other method I should be calling, in order for the "right thing" to happen? Or, alternatively, some sort of workaround that people use?
It sees a bit disingenuous to ask people to access my site with their FB logins, only to have them surreptitiously remain logged in to FB after they've logged out of my site.
Used workaround below (hand crafting a logout URL). Be careful of your url encoding
According to Facebook's developer TOS (item #6), you are required to log the user out of Facebook when the user logs out of your site (and used Facebook to login).
Consider the following use case:
A user accesses your site via a public computer (library) and opt to login (using facebook login) to access restricted features not available to users who are not logged in. The user conducts their business, then logs out. If you do not log them out of Facebook, their account is now available on the public computer, so if a new user uses the public computer after the initial user leaves, the new user could access the initial user's Facebook information.
Not sure about NuGet, but using Facebooks PHP SDK, you simply need to call Facebook's logout function which should generate a url with a next param, and access_token. So when the user clicks the logout link, they will be redirected to Facebook, logged out, then redirected back to your site to complete the logout process.
Example logout link:
https://www.facebook.com/logout.php?next=http%3a%2f%2fextapi.yourhost.com%2flogout&rd=http%3a%2f%2fyourhost.com%2flogout&access_token=AAACRZBIZAGE18BAEyQ8AcmRKGGtmeYlw4MFYjuDHfTlZBSZA3pZAJ5xnKABELBmkOroaxlDsoPgFVHPvvkfZAFRQarCRL0Fhy7UrZCAZAfRFtvwBo4lY4s4X
Explained:
next: This is the link the user will be redirected to after they are logged out of Facebook (this will be the domain you have registered with Facebook)
rd: This is an arbitrary url param so when the user is redirected back to my site, I can redirect them back to another landing page (other than logout page).
access_token: Is the access_token generated by Facebook when you logged the user in
After adding Twitter #Anywhere to a site, a user can log in just fine, but after 2 hours, their sessions have expired. Can't seem to find anything on the wire that references twitter anywhere session durations.
There's no way to override the cookie expiration via the API as this post to the Twitter Anywhere Development Google Group details.
In the thread, Matt Harris, one of Twitter's developer advocates summarizes:
#anywhere doesn't share the
twitter.com login but instead is a
user authorised connection - much
like OAuth apps. But, unlike OAuth
apps, #anywhere is purely web-based so
doesn't provide access beyond the
current session.
If you want to
provide a logged in system you would
need to use your own session
management code. To use Twitter as the
identity provider you might want to
consider "Sign in with Twitter"
instead though.