When we sign into gmail in one tab and orkut in another(remember both can only be of the same account. Logging into one automatically logs into another). if we log out from gmail and then go to the tab in which orkut is already open, after remaning in the page for a few seconds the page automatically logs out. How is this done? i assume this is through page refresh but would like to know of any better way since i dont want to transfer so much data again and again.
Google's Single Sign On server knows that your account has been logged out, so next time any Google service validates your credentials, it returns that you've logged out so the app can act accordingly.
And about how to do it without having to refresh the whole page, it's very likely a XHR (AJAX request) which actually makes the page log out. It's probably not an explicit 'check for credentials' request, but any regular request that those apps have programmed by default (check for email on GMail, check for new friends or whatever on Orkut) that triggers the credentials check.
Related
There is a web application that I use regularly, and it uses Google OAuth for login. What I mean by that is that I get the following screen when I visit the application after a considerable amount of time.
Now, I want to develop an application, that directly makes a call to an API that this application makes a call to. But it turns out, the credentials that I send in the POST request work as long as I am logged into this application, but not after that. So, is there a way that I can log into this application programmatically, say every 2 hours?
I guess you are looking for "offline access". When you send the request, you are sending an access token that expires after an hour.
With offline access, the first time you log in, you will get a refresh token (you need to store it in your database) that allows you to generate new access tokens (without you being present) when old tokens have expired.
I suggest you to take a look on this link.
Hope this helps.
After Parse.com have introduced new revocable session that gets destroyed when a user logs out, is it possible to build a reliable login process using "magic links", ie. a user receives an email including a link, and gets logged in in a web browser after clicking that link?
Previously, sessions in Parse were long lived and implementing a magic link login process was a matter of providing the user with his/her session token and having the client call Parse.User.become(<sessionToken>).
This approach will fail with new revocable session if a user is not already signed in to the Parse server when generating and clicking a magic link, since there will not be any session to give the user that he/she can use in the call to Parse.User.become().
Any clarification if this is possible to accomplish this with the new more secure type of revocable sessions in Parse, or suggestions on how to achieve this, are welcome.
When I force a user to re-authorize my application a second time, using approval_prompt=force, how can I get Google to show the user the entire list of permissions my app is requesting?
Details:
I have a web application that requests a set of Google API permissions, including access_type=offline. The first time I approve it, it shows the correct consent page, listing all the permissions, which looks like:
Later, I send the user back to authorize with Google, with the same parameters. The second time, it only shows "Have offline access":
Why does it not show the users all the permissions? Is there a way to force it to ask the user for all the permissions a second time? Why does it now show "Have offline access" the first time?
Our users find it confusing that our app is not asking for any actual permissions, so I'd rather just show the first approval screen again.
The full parameters for the request I am making are as follows. URL:
https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=1039955146864.apps.googleusercontent.com&redirect_uri=http://localhost:8081/sync/google/callback&response_type=code&scope=openid%20email%20https://www.googleapis.com/auth/admin.directory.group.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.user.readonly&state=480704597031619284232891277399900450622
Parameters broken out:
access_type:offline
approval_prompt:force
client_id:1039955146864.apps.googleusercontent.com
redirect_uri:http://localhost:8081/sync/google/callback
response_type:code
scope:openid email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly https://www.googleapis.com/auth/admin.directory.user.readonly
state:480704597031619284232891277399900450622
We launched incremental auth and this is the working as designed.
http://googleplusplatform.blogspot.com/2013/12/google-sign-in-improvements11.html
The idea is if a user has already granted the permissions to an app, there is no need to show the same permissions and ask the user to approve.
If you write your application properly then this situation should not arise. If you request an offline code (refresh token) and store it on your backend, you shouldn't be asking for it again unless if you need to get some new scopes/permissions. You should use the refresh token that you have stored in the future. If you only need the access token when the user is on your site, you can use other flows to request an access token without user seeing an approval page.
You have to revoke the access token and log out. Then if you go to sign in process, It will show the permission.
public static void RevokeAcess(String accessOrRefreshToken) throws ClientProtocolException, IOException
{
HttpClient client = new DefaultHttpClient();
HttpPost post = new HttpPost("https://accounts.google.com/o/oauth2/revoke?token="+accessOrRefreshToken);
client.execute(post);
}
This network process should be called in non ui thread or asyntask
I am using DotNetOpenAuth to log in users with FB and Google.
When a user visits the website, is there a way to detect that he/she has already logged in to FB or Google and log them automatically?
Thank you
Yes, if your user has already explicitly logged into your web site using Google or Facebook before. For privacy reasons neither provider will allow you to implicitly log their users in without each user explicitly signing into your web site at least once (and clicking "remember me" at their login page while doing so).
Once the user has approved that, it becomes possible but still isn't very simple. The approach involves creating a hidden iframe on your page (perhaps when the user session is first created, you add the iframe to whatever page the user is viewing, or just your popular landing page). This iframe is pointed at a URL on your site that does nothing but initiate the no-user-interaction login flow. For Google, this means your server makes an OpenIdRelyingParty.CreateRequest call with the Google OP Identifier, and you set IAuthenticationRequest.Mode = AuthenticationRequestMode.Immediate on the returned object before calling IAuthenticationRequest.RedirectToProvider. The Immediate bit tells the Provider to not expect to interact with the user (since your iframe is invisible) and to either give an immediate yes or no response. Then in the redirect back to your site (still in the hidden iframe) you'll see the user is logged into Google (or not) and get their Claimed Identifier and log them into your site.
For Facebook which uses an old draft of OAuth 2, the process may be similar, but use the OAuth 2 classes. I haven't done this one though, so I can't really give an overview.
I am writing my first FireFox extension and I have some questions. Maybe someone can help.
I have a website which requires login. The sign-in is one user per login type. So if I am logged with the username "tom" from one PC and go to other PC and try to login with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log-out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page then suddenly he gets a call by a friend to quickly grab lunch in his break and has to meet him in short time, he just clicks the X (close) button from Firefox, forgetting to press the log-out button so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.
So, I need to grab the "close" event from firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send an unique key, and the username to that URL that logs out the user and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.
Thank you.
By design, this is wrong.
If a user's PC crashes (harddisk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to login on any PC.
--
Let's revisit the premise,
a. why does logging in from another PC need to fail?
b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC. THis is kind of like how chat applications like Yahoo! Messenger work.
From your answers, here's what i would suggest: if the user is logged in on another PC, warn and present the user with options:
cancel logging in
forcibly log out the other user and proceed to logging in
Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.
You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.
Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action that timestamp is updated. When you try to login again ad the timestamp is older that a certain threshold (e.g. 15min) your login code should silently logout the previous user.
In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.
When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XLMHttpRequest for this in your event handler.
You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.
BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.
Just enable to the user to re-login from another machine. And if you get a request from the user on first machine, ask him to re-login too. So you get a single logged in user at a time.