Let me explain my issue.
I have a PHP application using an LDAP connection to an Active Directory server to authenticate. If i make it so that a user needs to change their password at the next login it won't allow me to authenticate them before i allow the password change. I can detect that the password change is required but if i allowed the user to change it then i have no way to work out that the user is valid or not, which means that the system could be hacked by just knowing the username of a user that's password as expired.
This to me seems daft... is there something im missing..
Currently I am
binding to the server
checking if the password as expired or not
checking the authentication users details
This is what I get returned if the users account is set to change password on next login, auth as failed but there is a password change request.
Is there a specific order the requests need to be sent so i can auth the user before the password change it sent?
Thanks in advance
By marking the account as Must change password at next login there is effectively no password to authenticate so this doesn't translate to the web.
A better option is to compare the users' pwdLastSet attribute against the domain policy and enforce the change in the application not in AD.
Related
I have an existing signup/login system: a user enters an email and password. The password is hashed. I store it in a database.
When a user logs in, they entire their email and password. The password is hashed, and I look up the email in the database and check that the email matches. If it does, they are logged in.
I want to add a system to let users login with a 3rd party OAuth, such as GitHub. I have that setup, but I am unsure what data to store in my database.
I was thinking I take their GitHub email as the email and then use the access token for their GitHub as the password (so I would hash it and store it.)
I think this would work, but I am worried that the access tokens could change meaning they would be locked out of their account.
If I shouldn't be using the access token as a password, what should I be using? I need to store the user's email on my database but that requires a password currently, which I can't get if they use GitHub login.
(Note that when the user logs in, I call my backend to generate an access token (JWT) which I can use to require their user details and then store it in local storage. I'd like to then be able to do the same thing with with GitHub or whatever.)
oAuth is usually for authorization. Meaning, you get an access token from the authorization server, the resource server validates it and let the user access to the data.
In your case, you "do not really need" the access token - you want to use oAuth just for the authentication. Web-applications (like StackOverflow) do this to "save the trouble" of handling the authentication flows. Meaning, if I write a secured application, I need to implement somehow the create account flow, login flow, forgot password, etc. When you use a 3rd-party authentication, you save this trouble.
However, your application does need some user-id to perform actions; so you must create a user-id in you app when a user appears for the first time. Since then, you do not need to worry about password-expiry, forgotten-password and even not for the login. When the user logs-in, you get the access token and all you need to do is to get yours app' user-id from it.
Thus, I do not see a reason why you need to store a 'password', or the access token.
Hope that makes sense.
What you are looking for is actually OpenID Connect - it's an authentication framework built on top of OAuth, which lets you log in users using external Identity Providers, like Github.
When a user logs in using GitHub then you will receive an id_token in a form of a signed JWT. You can easily verify the authenticity of the JWT - so you can easily make sure that the id token really comes from Github and presents real data. Usually one of the information in the id token will be the user's email. You can use that to look up the user in your database. You don't need any password in this case.
So, you will have two ways of finding a user in your DB - either through comparing the email and password, or by looking up the user's email from a validated id token from Github.
Because in Salesforce, I cannot directly use password to verify a user. So how to do with this?
Maybe this is an external user or an internal one.
Not sure I understand your question. You could use password for sign-in, or use single sign-on or lightning login for password-less sign-in.
We're working on a SAAS application that has recently been configured to use Azure ADAL for authentication. If it matters, we're going the oauth2 route, with response_type: code.
However, when we're testing the application, if the browser has been signed into an Azure account that does not belong to the tenant acting as identity provider, the prompt for password is bypassed, and the login fails on the Azure screen, saying AADSTS50020 - user not found in tenant.
On the one hand, congratulations to Azure for finding an already signed in user! On the other hand, there is no recourse to elect to not use this signed in user; it does not give the user the chance to interject with credentials that work.
How can we prevent this?
The core issue is we don't want users, visiting our site and ready to sign in, to have to have already signed out of Azure before trying to log in with our site.
Thanks in advance.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
You could find when requesting an authorization code during code flow , there is a Parameter :prompt indicates the type of user interaction that is required .
Valid values are:
login: The user should be prompted to reauthenticate.
select_account: The user is prompted to select an account, interrupting single sign on. The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.
consent: User consent has been granted, but needs to be updated. The user should be prompted to consent.
admin_consent: An administrator should be prompted to consent on behalf of all users in their organization
You could use prompt=login forces the user to enter their credentials on that request, negating single-sign on
I’m working in a scenario where the user password is already expired in Active Directory. I’m trying to check if the user has entered the valid username and corresponding valid but expired password or not. If the user enters the valid user name and correct expired password, I’ll be redirecting them to a page where they can reset the password. However, if the user enters wrong expired password, then the user should be notified with standard message UserName and or password is not correct. I checked online and they are talking about using validatecredentials method after setting pwdLastSet to -1 to disable user must change password at next logon.
How to check AD user credentials when the user password is expired or "user must change password at next logon"
Will this approach allows me to check the validity of the expired password? I tried this approach and it does not seem to be working for me.
Yup - the ValidateCredentials API gives too many false positives.
This is something of a black art but you can check User-Account-Control attribute and ms-DS-User-Account-Control-Computed attribute both of which have "Password Expired" bits.
I normally use the above but some people suggest using the Windows API directly - refer Active Directory (LDAP) - Check account locked out / Password expired.
I am looking to implement Google Authenticator into a CakePHP application. The trick is that a user can determine whether or not they want to use it. This means that if a user is using the multi-part login, they will log in normally with their username and password. Once they have successfully submitted their correct username / password combination, they need to be redirected to the page that asks for their passcode from Google Authenticator.
How do you limit the Authentication success until AFTER they enter the passcode? I can do the redirect and everything just fine, but if they exit the passcode form and go to the site, they have already authenticated using their username / password and they can navigate through the site just fine.
I need some direction on how to shut down authentication until AFTER the passcode confirmation is successful. Any ideas?
I noticed this question is pretty old and unanswered, I also work on something similar so I'll share my two cents. Hope you've already solved this problem by now.
Your user management system should provide a session key only after the entire login process was fulfilled, this means that you should let users in only after they provide all auth data through all steps.
receive user and password
check credentials and authentication options
if credentials are ok and no Google Auth enabled, give him session key, else retry
if credetials are ok and Google Auth enabled, pass $_POST['user'] to challenge form
if TOTP password matches server-side check, return session key, else retry
$_POST[] ----> loginCheck() ----> if(GAuth) ----> checkTotp() ----> sessionKey
| |
*---------------------------------*
loginCheck() should check if user and passwords are ok, otherwise deny access
if(GAuth) should return true or false, depeding if your user uses GAuth
checkTotp should be a method to check TOTP password on client and server
sessionKey should be the token used to access protected content, stored server-side and client-side for a period of time
Or adapt this idea to your needs ... in my opinion you should accept the user in the system when he passes all authentication trials.
You could make an user form that hols user/password and passcode and process all data at once and avoid two pages.
Read more about https://www.rfc-editor.org/rfc/rfc6238