This question is related to the post in the below link
automate creating communities user
If the community user can be created with the automated process, how is the password for the user is set?
Generally, If community user is created, an email will be sent to the email id with a set password link and user has to click the link and set the password manually, even after creating the user automatically.
My question, is there a way to automate the password setting also? or can we set the default password while community user creation and then override the password using the System class method named 'SetPassword' for the community user?
Thanks
If you want control over user passwords you will need to set up some sort of delegated authentication.
This article on the dev forum has many details about provisioning community users. This blog post has details on required fields. Info from SFDC on SSO.
Related
Currently, Firebase offers the option to send an email to a users email who wishes to change their password. Unfortunately, Firebase does not allow you to edit their password requirements which I believe is locked at requiring only 6 characters.
For many people this is inadequate and insecure.
I recently made an application that allows users to create quizzes either for themselves or for others. In this application, I stores personal information of my users and I wanted to make sure that their accounts were secure so I required more from my passwords. Unfortunately, when a user wishes to change their email, the default Firebase function does not keep my security which leads to confusion as a user can change their passwords according to Firebase's lax constraints but then they still couldn't log in because they used an invalid password. (I blocked invalid passwords from the text box before even checking with Firebase).
After I encountered this error, I came to StackOverflow for help to see if anyone else had this issue and came up with a solution. Unfortunately, I was met with harsh criticism and harassment by users who claim to be Firebase officials and Administrators who did not care about my question.
Then, I after a week of research and testing, I found the solution using React and 3rd party libraries to handle this.
Please, see my answer below and if you have a more creative solution, I would be interested in seeing that as well.
To solve this problem, the only answer is to create your own mailer service with your own basic mailer service, host website, and API.
What you need:
An application which uses Firebase.
A hosted API which uses Firebase and a 3rd party Mailer such as Node with NodeMailer - hosted on Heroku
A React app which can communicate with the API
What I did:
First, I created my API which accepts calls from my specified IP addresses. This API can receive requests to reset a password when the password is known or unknown. When the password is known, I send an email to the user using NodeMailer and I send a special HTML file so the email looks official. It is quite easy to copy the layout of Firebase's emails if you wish.
More Info can be found here: https://nodemailer.com/message/
Then, I created a React App that is hosted on Heroku. When the user clicks a link in the email, it will send them to this website with the required information in the query. This app, much like when the Firebase link is clicked is just a simple text box and submit button. However, now you can customize it to require password confirmation with a second text box. You can also add a company logo and custom colors so it isn't so HTML 1 looking like the link you see from Firebase. Most importantly, you can now control the password that the user enters to add your unique requirements.
On submit, the app will send the new password, username and old password if available to the API.
If you do not know how to create a React App or a Node API, you can see a detailed tutorial here: https://www.techandstartup.com/tutorials/build-api-with-node-express-and-mongodb
Finally, the API can log into the users account if a password is present and then change the password. Detailed steps can be seen from: https://www.codegrepper.com/code-examples/javascript/firebase+user+change+password
If a current password is not present, then the API can delete the user and recreate it with the desired password. Deleting a user can be seen: https://www.codegrepper.com/code-examples/javascript/firebase+delete+user Then you simply recreate a user. Example code: https://www.codegrepper.com/search.php?q=firebase%20createUserWithEmailAndPassword
With these steps, you can now send a password reset email to a user. The email will be completely unique as you will be designing it yourself. The password will be to your exact specifications as your React App will control the data on submit. And the page itself will look much more user friendly as it's not the default Firebase page.
Hopefully this helps you or your company with working around the Firebase reset password with email function. I am still holding out hope that another user may have a more elegant or basic solution than this as creating an API and hosting a website just for 1 function is not appealing in many cases.
I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator as to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com
it also seems not to be possible to "preload" the roleassignments to the users. because on the "acccessmanagement" site for this website in portal.azure.com it grants the access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.
We would like to skip the email verification step in the process of adding a guest user in an O365 tenant. There is an api that allows one to create an invitation through which we can disable 'email notification' but if the newly added user does not have an account on any of the O365 tenants then email verification seems to be mandatory.
Our application uses microsoft graph apis along with custom UI's for integrating with microsoft teams. For our application, email verification needs to be skipped since the user is already authenticated and authorized before he reaches the microsoft teams UI.
Is there anyway through which the email verification could be skipped?
Thanks.
#Andy Dufresne:
Firstly, we can't skip the email verification process, it's a mandatory.
For your requirement, could you please have a look on this document.
I have Azure AD B2C tenant set up with a signin/signup policy which includes sign up attributes of Email Address and Postal Code.
When anyone access any URL in the API secured by that tenant, then they get the nice Default Signin/Signup screen, and if they are signing up, then there is an text box where they can enter their postcode.
My question is, is there an equivalent Default Profile Edit page where user can see/edit their Profile (which would consist of email + postal code only [although I believe that based on Can we change email address of user from "Profile editing policies" in Azure AD B2C? actually email wouldn't be editable, so lets say just Postal Code].
If there is a way for a users to "log in" and see/edit their profile via a default profile edit screen and if so, what is the URL for that? https://login.microsoftonline.com/static//somthing?
Or can the user's profile editing only be done via either a Page UI Customization or via a separate web page plus Graph API calls only?
OK I think I've answered my own question here. I now see that on the Profile Editing Policy blade, there is a Run Now endpoint
https://login.microsoftonline.com/yourtenantname.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_EditProfilePolicyOrWhateverYourEditPolicyIsCalled&client_id=your-application-id-guid&nonce=defaultNonce
When I run that end point I get a very basic editing screen showing the Profile attributes.
This is the kind of thing I was driving at in my question.
Also, not sure how I didn't previously see https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-quickstarts-web-app
It has lots of information and in the "test drive an Azure AD B2C Web app" section shows what I need to know pretty much exactly.
Finally, this document https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc#send-a-sign-out-request
has a lot of information including how to log out:
GET https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in&post_logout_redirect_uri=https%3A%2F%2Faadb2cplayground.azurewebsites.net%2F
As per the sign-up or sign-in policy, you can create a profile editing policy, which enables an end user to view and edit the profile attributes for their local account.
The end user can't edit their e-mail address via this profile editing policy.
You can otherwise implement the profile editing UI and integrate through the Graph API to get and set the profile attributes for the local account.
I have in my web application a role called "Administrator". Users who have this role should be able to modify the information about the registered users.
I am thinking about displaying a table with the user details such as e-mail, username, and be able to change them but I don't know what should I do if a users comes to the office physically, goes to an admin and asks for a password change (yes they can do that). Should the admin just press a reset button over the row and tell the user to check his e-mail when he arrives home and proceed with the recovery? (reset link for example) Or should the administrator reset the user's password and give him his new password in that very moment? The second approach is preferable as I was asked to do that...
I know that the admin shouldn't be able to see the original password as it should be hashed and unknown.
What are your thoughts about this? How would you implement this functionality? Thanks for your help.
There is no one perfect answer for this question. The question of workflow will always be dependent on the specific use-cases of an application and will depend on the context it is built in.
That being said, you are right about one thing - it is horrible, and I do mean horrible, security breach to let an Admin or any other user view a clear text password for someone else. So that's definitely off the table.
In your case, it seems giving the admin the right to change someone's password is the way to go. If you're worried about how it looks, don't be. Google Apps allows domain administrators to change the password for any email account under that domain.
Finally, I would suggest a small additional safety measure. When an Admin changes another user's password, store the old encrypted password in a column, don't delete it. When the admin set's the new password, shoot out an email to the user saying "Your password was changed by the Administrator, if you did not request for this, please click here". When they click on the link in the email, simply overwrite the new password with their old one.
That way in case an Admin is changing passwords without the user requesting it, you have a recourse for the user and the logs will keep you informed of how many time an admin has had a password reset revoked by the user.