Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 2 years ago.
Improve this question
I've read https://stackoverflow.com/questions/41354/is-the-stackoverflow-login-situation-bearable and must agree to a certain point that openid (for me) makes it more difficult to log in. Not a show stoper but I'm used to opening the front page of the site, there's a small login form, firefox' password manager already filled in the correct values, submit, done. One click.
Here - and it's currently the only site with openid I use - the password/form manager doesn't even fill in my "login id". I often close all browser windows and all cookies are erased - and I would like to keep it this way.
Are there any firefox plugins you would recommend that make the login process easier? Maybe something that checks my status at myOpenId and performs the login if necessary.
Edit:
Unfortunately RichQ is right and I can't use Seatbelt. And Sxipper ...not quite what I had in mind ;) Anyway, both solutions would take away some of the "pain", so upvotes for both of you.
I've also tried the ssl certificate. But that only adds more steps. Hopefully I did something wrong and some of those steps can be eliminated:
Click "login" at stackoverflow
Click on the "select provider" Button.
Click on MyOpenId
Enter Username
Click "Login" (Sxipper could reduce the previous 4 steps to a single mouseclick)
MyOpenId login page is loaded
Click "Sign in with an SSL certificate"
Choose Certificate (grrr)
Click "Login" (GRRR)
Back to stackoverflow, finally.
What I really would like is:
Click "login" at stackoverflow
My (only) LoginId is filled in
Click "Login"
If necessary the certificate is chosen automagically, ssl login performed
Back to stackoverflow without any further user interaction.
That would be more or less what I'm used to - and I'm a creature of habit :)
VeriSign (ick)'s SeatBelt plugin: https://pip.verisignlabs.com/seatbelt.do
Ideally, the plugin would allow a higher-level of authentication. I know something like this was planned for the OLPC.
You could try Sxipper. It provides intelligent automatic form-fill, including auto-login.
From the Sxipper FAQ:
How does Sxipper support OpenID?
Sxipper remembers your OpenIDs and presents an overlay. You choose the one you want to use and login with one click. Sxipper also helps protect you against phishing.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm looking for help in choosing the right, most modern and safest way to authenticate. I'm using Spring as backend along with Angular on frontend. I'll add that I want to use OAuth2. I've really searched quite a few sites and haven't found a straight answer. I'm really confused...
I started with this implementation, but than I stopped after reading this recommendations. So far I know that I should use Authorization Code Grant with PKCE.
How is it done in applications that are already in production?
The most sensible (as I think) option so far is implementing auth with Keycloak. Is embedded version reliable?
If you want to secure your API with OAuth there are many products out there which you can use (both open-source and paid solutions, if you search for "identity server" you should be able to find a few solutions). Keycloak is a viable option, but there are others.
When it comes to choosing a flow, I would also go with the Authorization Code Grant with PKCE. This currently is the recommended way, especially if you'll be performing OAuth flows directly from your Angular app.
That's another decision you would have to make - whether you want your frontend client contact the Authorization Server directly (then you have to handle tokens in the frontend app), or you want to call your backend and have the backend talk to the Authorization Server (then you would probably have a session cookie, and associate the session with any access tokens).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed last year.
The community reviewed whether to reopen this question 7 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I have to create and add a privacy policy to my Android app. My app accesses background geolocation data, so whatever policy I add has to include info about how location data is used. Two questions:
Is there a standard approach to creating a privacy policy? For example, is there a template that people usually use, that I would be able to add an extra geolocation clause to?
Where in the Google Play console do you add the privacy policy? I went to Store Presence -> Main Store Listing and didn't see any place to add a privacy policy.
As far as I know, there is no specific standard for the privacy policy. You can have a look at the policies of other reputed apps to get an idea on how to write it. There is no hard and fast rule of the writing style either (remember, this is neither legislature nor a court of law). I think the policy should be written in simple and clear English that everybody can understand. Many of the free privacy policy generators use legal wording, which I want to avoid unless absolutely necessary. It is good to mention the following clearly in the privacy policy:
The data your app stores, and which of these is "personally identifiable information".
The data your app transmits to your servers.
How the above data is used.
Whether it is possible to request deletion of this data.
The permissions that your app use, especially if you use any sensitive permissions like READ_EXTERNAL_STORAGE.
Why the app requires those permissions.
How you want to be contacted in case someone wishes to ask for clarification/deletion of data/report security vulnerability.
In the Play Console, first click on the app. There is a left pane with many options like Dashboard, Inbox, Releases, etc. Scroll down on that pane to the bottom, and there you will find "App content". Click on that, and you will find a place to add a link to your privacy policy.
Note that the privacy policy has to be uploaded somewhere else, and you can only put the link to it in Google Play. My apps, for example, are all open-source, so I have uploaded the privacy policy to GitHub and linked to it. Another good option, if your app is closed-source, and you don't have a website, is to create a single GitHub repo for all the privacy policies of your apps, and then individually link those files in Google Play and in the app.
i use the following website for my apps privacy policies
https://www.freeprivacypolicy.com/
very simple you don't need to write the entire thing you just fill in some questions and they offer to host the policy on their site and provide you with a url to set in your store listing
Update after the announcement of Launching of Data safety in Play Console
Link to October 2021's announcement
The Google Play's support page now mentions that:
All developers that have an app published on Google Play must complete
the Data safety form, including apps on internal, closed, open, or
production testing tracks.
Even developers with apps that do not
collect any user data are required to complete this form and provide a
link to their privacy policy. In this case, the completed form and
privacy policy can indicate that no user data is collected or shared.
I did not find any official Google standard/template for the privacy policy either.
Even if my application was not collecting/sharing any information, I decided to follow the steps below in order not to be penalized at a later stage.
To write my application's Privacy Notice
I reviewed some policies of reputed applications (as suggested by
Wrichik Basu);
I used and customized the template provided by docracy for Mobile Privacy Policy (free, no registration needed). The website mentioned by Bilal Rammal is interesting if your app requests specific permissions (which was not my case).
I consulted the GDPR-compliant privacy notice.
To host my application's Privacy Notice
I uploaded this privacy policy on my personnal website and I checked that it was publicly accessible.
You may want to double check the file permissions and .htaccess rules if you self-host/manage your website.
To update my app information in the Google Play Console
I opened Play Console and went to the App content page (Policy > App content).
Under "Privacy Policy," I selected Start.
I entered the URL hosting the privacy policy online.
I saved my changes.
Note: If you’ve previously added a privacy policy and want to make changes, you’ll see and select Manage instead of start.
In my application
I reviewed the permissions that I was requesting;
I included a link (in the "Settings" section) to my Privacy Policy so that users of my application can easily review it.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
Improve this question
When a user that usually authenticates with his facebook account and tries to run the "Reset Password" operation, he gets an email and can reset his password (which is clearly doesn't make sense because he does not have a password).
I guess it is just a bug in the "Reset Password" operation, but just to make sure, did it happen to anyone else?
Technically there is a password... and an app can allow a user authenticated via FB to set the username and password properties for their User object, giving them multiple avenues for logging in.
Fair point that we can likely identify this scenario and prompt the user to log in via Facebook.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I'm in the middle of creating a user registration for a website and was wondering if it is better to require the username to be an email address or any value for a username?
Example:> Username: me#mail.com or Username: me
In my case it can't be one or the other it has to either be an email address or any other value.
Thanks.
In your comment, you indicated it was a registration for a job application. In this case, I recommend you use email for a few reasons:
The data will be more easily read by the person who's hiring (they don't care to know your super-awesome SN ninjawarrior1337)
You can guarantee that you'll collect a valid email (you'll probably want to send emails at some point)
Since there's no "social" component, people don't need any kind of nick name, their email will do fine
Easy to remember
Whatever method you chose, give the user the option to change it. The reason being is that email addresses are NOT permanent. Services can go out of business, people can change email providers, etc.
OpenID is great if you allow more than one authentication service per account.
From personal experience, I find it more convenient when websites use my email address for login, because then I don't have to recall with username I used for this site (I have multiple usernames, depending whether spaces are allowed and depending what kind of website this is).
Another option is to use OpenID, then users can leverage an existing OpenID to create an account on your site. Here's directions on how to get started: http://openid.net/add-openid/
At someone's suggestion, I am elevating this from a comment to an answer:
If you use email address, you can share that with other website owners and aggregate personal information about your users. A lot of big websites do this. The tiny percentage of us who know about this won't register on a site that demands our email address, unless we're real comfortable with their privacy policy.
If you're just talking about convention then it doesn't really matter - pick one and go with it. I personally prefer a username as oppose to an email address since it's quicker to type in and I usually use the same username on multiple sites (but I often have different email addresses.)
However, others will prefer email addresses instead which is just as valid a response!
Background:
The application I am working on happens to be web-based, but the question applies to any GUI. I need to request three distinct pieces of information from the user four times -- each set is for one of four servers. There is no commonality between the sign-on for each server, or in other words, the four sets of credentials are unique.
Single-sign-on after the initial logins are done is available. Once the user logs into a server, the status is persisted on the main view of the application.
This is currently implemented via four separate links, that upon clicking, display a pop-up dialog for the user to enter in their information for the corresponding server they selected.
Question:
I was considering this design and trying to think of a way to make the multiple login process easier on the user. I have a few ideas, but wanted to first see if they compared to what ideas the Stack Overflow community might have.
present the user with one form with four sections
explain why you have to do this
reassure them that they only have to do this once
validate each section independently
do not make them click on pop-up links, that's annoying
"i have to ask you four questions. Please poke me in the eye to prompt me to ask each one"
lol