How to Remove immediate Google Plus Login with Gplus button render/ - google-plus-one

As per google doc:
When the google sign in button is loaded, it immediately checks to see if the user has authorized the application. This check is called "immediate mode" and if successful, the Google servers return an access token and pass a new authorization result object to the callback. If the button cannot make an immediate-mode authorization, the user must click the sign-in button to trigger the access flow.
My Google Plus signin button is part of the header and on logout the home page is loaded. It again renders the Google Plus button, resulting in automatic login. The user is never logged out due to this. How is it possible to allow login when the G Plus button is clicked and not when the G Plus button renders itself?

The 'immediate' parameter did it for me, although it has the same effect as 'approvalprompt': it prompts for consent. Facebook seems to handle these options a little better.
gapi.signin.render("splashGPlusReg", {
    'callback': GPSignInCallback,
    'clientid': '<yourclientId>',
    'cookiepolicy': 'single_host_origin',
    'immediate': false,
    'requestvisibleactions': 'http://schemas.google.com/AddActivity',
    'scope': '<scopes>'
});

You have two ways to Remove immediate Google Plus Login.
1- not a good approach: use data-approvalprompt="force" in your button. I wrote an example below:
<span id="signinButton">
    <span
        class="g-signin g-link"
        data-callback="signinCallback"
        data-clientid="*****.apps.googleusercontent.com"
        data-cookiepolicy="single_host_origin"
        data-scope="https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.profile.emails.read"
        data-approvalprompt="force"
        style="cursor:pointer;">
        Login With Google
    </span>
</span>
It is not a good approach because if you add this, then Google asks the user to give one extra permission for offline access. So it may cause users not to sign up at all because of this permission.
2- better approach: just sign out from Google after receiving the response in your signincallback function. Just add:
gapi.auth.signOut();
You should write this line after you have received the response. It is better to keep it as the last line inside the request.execute(function(resp) function.
By adding this code, Google won't render the login unless someone clicks on the login button. This approach is recommended by Google too.

I found a way to do this, maybe it's exactly what you want too:
disable automatic authentication for Google+ social sign-in

It's not the cleanest fix, but you can try filtering on the status.method property of the authResult passed into the callback.
Filter any callbacks that are triggered with authResult.status.method set to AUTO, but process any that are null (logged in via single authorized Google account) or PROMPT (user chose one of several Google accounts).
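An added example (not code from any of the answers above) that combines the last two answers: the sign-in callback ignores the immediate-mode result fired on render, processes only user-initiated results, and signs the Google session out afterwards so a re-render cannot log the user back in silently. The onLogin handler is assumed app code.

```javascript
// status.method is null/undefined when a single authorized Google account
// was used, "PROMPT" when the user picked one of several accounts, and
// "AUTO" when the button authorized on its own while rendering.
function isUserInitiated(authResult) {
  if (!authResult || !authResult.status) return false;
  const method = authResult.status.method;
  return method == null || method === "PROMPT";
}

// Classify a callback result as "ignore", "error" or "login".
// "immediate_failed" is the documented error for a failed immediate-mode
// check; it is part of normal rendering, not a user-facing error.
function classifyAuthResult(authResult) {
  if (!authResult) return "error";
  if (authResult.error === "immediate_failed") return "ignore";
  if (!isUserInitiated(authResult)) return "ignore";
  if (authResult.error) return "error";
  if (!authResult.access_token) return "error";
  return "login";
}

// Wire this as 'callback' in gapi.signin.render (or data-callback).
// onLogin(accessToken) is the app's own handler (assumed, not gapi API).
function signinCallback(authResult, onLogin) {
  const outcome = classifyAuthResult(authResult);
  if (outcome === "login") {
    onLogin(authResult.access_token);
    // Drop the Google-side session right away (the second answer's
    // recommendation) so the next page load cannot auto-login; gapi only
    // exists in the browser, so guard the call for non-browser contexts.
    if (typeof gapi !== "undefined" && gapi.auth) gapi.auth.signOut();
  } else if (outcome === "error") {
    console.warn("Google sign-in failed:", authResult && authResult.error);
  }
  return outcome;
}
```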

Related

Facebook Login with Cognito User Pools using Amplify's federatedSignIn

I'm trying to get Facebook login working with Cognito User Pools in a React project using aws-amplify.
I think I've set up the Facebook App and Cognito User Pool correctly by following various docs. Note that I'm using User Pools rather than Federated Identities.
I'm a bit stuck and confused on the React side of things. I've tried a few different guides, but all have the same outcome...
The Login button triggers this code:
Auth.configure({
    oauth: {
        domain: 'xxxxxxxxx.auth.eu-west-2.amazoncognito.com',
        redirectSignIn: process.env.REACT_APP_FACEBOOK_REDIRECT_SIGN_IN,
        redirectSignOut: process.env.REACT_APP_FACEBOOK_REDIRECT_SIGN_OUT,
        responseType: 'token'
    },
    region: process.env.REACT_APP_AWS_REGION,
    userPoolId: process.env.REACT_APP_USER_POOL_ID,
    userPoolWebClientId: process.env.REACT_APP_USER_POOL_WEB_CLIENT_ID
})
Auth.federatedSignIn({provider: 'Facebook'})
After clicking the Login button, the page is redirected and ends up with this hash in the url:
https://localhost:3000/sign-in#access_token=xxx&state=xxx&token_type=Bearer&expires_in=3600
If I then call Auth.currentAuthenticatedUser(), I get no user ("The user is not authenticated"), and if I try Hub.listen("auth"), the only events that get fired are parsingCallbackUrl and configured - the page is then redirected and the signIn event is never fired.
If I then click on the Login button again (when the url has the hash with access_token etc), I will be successfully signed in. If I remove the hash, and try to sign in, it will fail as above.
Any ideas what's going on? Do I need to handle the access token from the hash myself? Why does Auth.federatedSignIn only seem to work if the access token is already in the hash?
I've just worked it out... the Auth.configure call needed to be moved out of the component and into App.js. Everything now seems to be working properly.

auth0 universal reset password page, React

I was hoping to direct a user to the Password Reset Page of the Auth0 Universal Login Page, I assumed Auth0 would handle the required functionality, in a similar way we use
const { loginWithRedirect } = useAuth0()
I know I can call loginWithRedirect() and then click on forgot password, however that takes 2 clicks and I want my Change Password button to immediately redirect me. Is there no trick like loginWithRedirect({ action: 'signup' })} which redirects me instantly to the signup form?
I know about sending a POST call to the Authentication API, I want to do this via the Universal Login Page.
I have come to the conclusion that this still wasn't possible.
There's a property screen_hint that we can pass to
auth0.loginWithRedirect({ screen_hint: "signup" })
So it would have been great to be able to do this:
auth0.loginWithRedirect({ screen_hint: "password-reset" })
This question has already been asked here
And the answer was
Unfortunately this is not currently possible. The only options are to open with the login page or the sign-up page. This is a limitation with the Universal Login Page rather than this SDK, it simply doesn't allow for opening other screens as the default for the moment.
In the end, what we did was to provide a link, which when clicked on, would make a call to the API.
Not sure if it's useful, but I'll explain how we deal with password reset (using Auth0) at the company I work for, which might push you in a slightly different direction.
First thing to understand is: there are 2 places where a user might need/want to reset their password.
1. When they're signing in with their email/username and password, but have forgotten their password.
2. They want to proactively change their password after they've already signed in.
In both scenarios we simply call an Auth0 authentication API to Change Password, which sends a change password email to the user. Note: for the #1 we might need to capture the email/username (that is, if we don't yet have this information), as this is required for the Change Password request. For #2 we should already have this information either in ID token or via the /userinfo endpoint (see here).
The change password email (which can be templated in Auth0) has a link to the Universal Login "Password Reset" widget. You can use the default widget, which offers some basic styling/branding. Alternatively you can fully customize this with your own SPA e.g. see below:
The default (non branded/styled) password reset widget looks like this:
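An added example (not the answer author's code) of the Authentication API call the answer describes, for both scenarios: the request goes to POST https://{domain}/dbconnections/change_password with client_id, email and connection. The connection name "Username-Password-Authentication" is Auth0's default database connection and is assumed here; the domain and client id are placeholders.

```javascript
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Build the change-password request; the caller supplies the email
// (scenario 1: from a form field; scenario 2: from the ID token claims).
function buildChangePasswordRequest(domain, clientId, email, connection) {
  if (!EMAIL_RE.test(email)) throw new Error("a valid email is required");
  return {
    url: `https://${domain}/dbconnections/change_password`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ client_id: clientId, email, connection }),
    },
  };
}

// Scenario 2: the signed-in user's address from the ID token (or /userinfo).
function emailFromIdTokenClaims(claims) {
  if (!claims || typeof claims.email !== "string") {
    throw new Error("no email claim in token");
  }
  return claims.email;
}

// Sends the request; fetchImpl is injectable so this can run without network.
async function requestPasswordResetEmail(domain, clientId, email, fetchImpl = fetch) {
  const req = buildChangePasswordRequest(
    domain, clientId, email, "Username-Password-Authentication");
  const res = await fetchImpl(req.url, req.options);
  // Show the user a generic "check your inbox" message whatever the body
  // says, so the UI does not reveal whether the address exists.
  return res.ok;
}
```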

auth0 does not require password after logout; logs back in without password

I've been learning Auth0 for a React / React Native project. With two different apps now, including one from their site, I see the following behavior:
clear browser cache
login
enter password, now logged in
select logout
--> now logged out
select login
am NOT prompted for password again, just logged in without interaction.
It seems the session has been kept alive even though I logged out. I would expect that if I manually log out of an application, I must re-authorize with my password on the next login attempt.
As I said I've seen this twice now, once with my own project and once with the tutorial they provide at https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/ . Doesn't make any sense to me. Am I missing something?
Thanks ~~
This is the Seamless SSO behaviour explained here. This is now enabled by default on all tenants and it "seamlessly" logs the user in without showing any prompts if a session exists for the user in the Authorization server (Auth0 in this case). Previously you would get a prompt that said "Last time you logged in with ..." Clicking it would log you in without requiring a password.
If you are "Logging out" and yet you can log back in again without needing to enter credentials, the most likely explanation is that you are actually not calling the https://YOUR_AUTH0_DOMAIN/v2/logout endpoint which logs out the user by clearing their SSO cookie in Auth0. You can confirm this endpoint is called from Network tab in your browser when you click to logout.
The Auth0 React quickstart by default does not call the logout endpoint, it only removes the tokens from browser storage. To clear the SSO cookie and logout from IdP using Auth0.js you need to call the logout function as well. Refer to the Auth0.js logout function here.
Hope that helps.

B2C Tenant Not Logging Out

We have a B2C custom policy for authentication but I am having trouble getting a consistent complete logout. The only way I have been able to get a complete logout of single sign on is to use the common endpoint:
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={our homepage}
Then when I login I see this
Then I click sign in and see this
but even this does not always work. Sometimes it does not redirect but just sits on the "you have been logged out" screen.
Using the logout endpoint given in our metadata endpoint does not work as expected. I see the sign in screen (first image) but I cannot choose which account to login with I just click the button to sign in. I assume this means single sign on logout has not worked.
https://login.microsoftonline.com/te/{tenant}/{b2c-policy}/oauth2/v2.0/logout?post_logout_redirect_uri={our homepage}
How can I either get the first one to work every time or the second one to logout completely?
EDIT: Sorry, I should have mentioned I am using node.js/javascript, but any URL-type solution will work also. Also we are using B2C so the application is registered on that tenant. There is no option for a logout URL on this page.
In order to logout the user from B2C, you need to redirect your user to the B2C logout endpoint, not to the common endpoint. This should look like:
https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in&post_logout_redirect_uri={your homepage}
Be sure you redirect the browser to that endpoint and don't try to do a GET through a back-channel, otherwise it will not do anything as the Single Sign-in mechanism is based on browser cookies.
Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc#send-a-sign-out-request
If I understand you correctly, you are trying to configure single sign out? This can be done but requires configuration separate from the sign-on configuration.
In the Accounts Controller you need to add a SingleSignOut action.
public ActionResult SingleSignOut(string redirectUri)
{
    if (redirectUri == null)
        ViewBag.RedirectUri = "https://localhost:44308/";
    else
        ViewBag.RedirectUri = redirectUri;
    HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
    return View();
}
See this tutorial and the accompanying repository.
This reference is also helpful.

Skip logout prompt for IdentityServer4

I'm working on a project that has both a website and an app that use the same IdentityServer4 to authenticate users. On the website, when a user logs out, he gets a confirmation screen to ask whether he's sure he wants to log out.
The problem is that on the app, we can't show the logout prompt because, well, it's an app written in Xamarin and we can't redirect to the logout prompt page.
Is there a way to disable the logout prompt when the request comes from the app?
I had the same problem and I solved it. This was the first Google response, so I decided to put my answer here for others to see.
Solution: Inside IdentityServer4 Quick start project logic is already there and ready to configure it for user needs.
Open SolutionName/Quickstart/Account/AccountOptions.cs
Set ShowLogoutPrompt to false
Set AutomaticRedirectAfterSignOut to true
I hope this will help, good luck.
The end session endpoint supports skipping confirmation if you pass a valid id_token_hint in the request.
The relevant spec is here: http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
If a valid id_token is passed (i.e. the one you got when you signed in) then the OP should skip confirmation, do the sign out and then allow the user to be redirected to the post logout redirect URL (if supplied).
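An added example (not code from any of the answers) covering the three logout answers above: it builds the front-channel logout redirect for Auth0 (/v2/logout), Azure AD B2C (the policy-specific b2clogin.com endpoint, not /common) and an OIDC end-session endpoint such as IdentityServer4's (with id_token_hint so the confirmation prompt is skipped), and refuses any post-logout destination that is not on the app's own allow-list. The tenant names, client id and allow-list are constructed placeholders; Auth0's returnTo and client_id parameter names come from its documented logout endpoint.

```javascript
// Constructed allow-list of pages the app may land on after logout.
const ALLOWED_RETURN_URLS = new Set([
  "https://app.example.com/",
  "https://app.example.com/logged-out",
]);

function checkReturnUrl(url) {
  if (!ALLOWED_RETURN_URLS.has(url)) {
    throw new Error("post-logout redirect not allowed: " + url);
  }
  return url;
}

// Auth0: GET /v2/logout clears the SSO cookie; returnTo must also be
// whitelisted in the Auth0 tenant settings.
function auth0LogoutUrl(domain, clientId, returnTo) {
  const u = new URL("https://" + domain + "/v2/logout");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("returnTo", checkReturnUrl(returnTo));
  return u.toString();
}

// Azure AD B2C: p= selects the user flow / custom policy.
function b2cLogoutUrl(tenant, policy, returnTo) {
  const u = new URL(
    `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/oauth2/v2.0/logout`);
  u.searchParams.set("p", policy);
  u.searchParams.set("post_logout_redirect_uri", checkReturnUrl(returnTo));
  return u.toString();
}

// Any OIDC OP (IdentityServer4 here): id_token_hint identifies the session
// so the OP can skip its "are you sure?" prompt and validate the redirect.
function oidcEndSessionUrl(endSessionEndpoint, idToken, returnTo) {
  if (!idToken) throw new Error("id_token_hint is required to skip the prompt");
  const u = new URL(endSessionEndpoint);
  u.searchParams.set("id_token_hint", idToken);
  u.searchParams.set("post_logout_redirect_uri", checkReturnUrl(returnTo));
  return u.toString();
}

// In the browser use window.location.assign(url): a top-level navigation,
// not fetch(), because the IdP session lives in the IdP's own cookies.
```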
