I have a Java application, and GAE application. Here is what I want to do:
I want GAE account users to authorize in my Java application, and I don't want to use "Sign In with..." solution. Instead I want the users to login from my Java application login page ( e.g providing username and password) and forward this login information to Google Servers.
In other words I want exactly this thing in this page. This webpage uses Google Accounts Service, but the login form, is a custom form that then (I imagine) forwards the data to Google Servers and then logs the user in.
How can I achieve that? What protocols should I use( OAuth, OpenID, GAE services... )?
You can't create a custom login page to Google Accounts. The whole purpose of Google-provided login page is that users trust the page when entering their password. Otherwise anybody could create a login page and start collecting users passwords.
If you need a managed/limited access to users account (with their consent), you should look into OAuth. But in any case this will not give you an option of making a custom login page.
Related
I've integrated my React app with Instagram Basic Display. My user's are successfully able to link their Instagram account to my app.
However for user's that have multiple Instagram accounts, I've noticed that the Authorization Window displayed when going through Instagram's Oauth flow does not contain the ability to switch accounts.
Is their some way to enable user's going through the Instagram Oauth flow to switch between accounts and select which account they would like to link with my app?
If you add force_authentication=1 to the login oAauth URL, it will force the user to enter their credentials.
https://api.instagram.com/oauth/authorize?force_authentication=1&client_id=${IG_APP_ID}&redirect_uri=${IG_REG_REDIRECT_URL}&scope=${IG_REG_SCOPE}&state=1&response_type=code
I take no credit for this answer, I found it in another questions here: https://stackoverflow.com/a/71787472
I have an application where currently all the users are in azure AD tenant of our subscription. So in application to change their password we are dealing with graph api. Now have to change this so that the uses will not be maintain in our tenant but we will be adding federation for google and facebook external identity so that users will be using ther respective account credentials.I know we cant control this from the app.Now my question is how to manage this password change/reset in our app? how to design this?
Thanks,
mbr
Just like #juunas said, you need to redirect them to their login providers' reset page. For example, if the user who is using facebook account clicks 'Forgot Password' button, just redirect the user to https://www.facebook.com/login/identify/?ctx=recover&ars=royal_blue_bar
I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.
Well, this question is regarding the authentication system of an app in GAE. I've read several posts and found out the best way to manage the user authentication stuff is using the Google Accounts service. I've read several suggestion (here is one of them) but they don't really give a solution to the problem.
Here is what I want to do: I am going to use the Google Accounts service and I want to know if there is a way to change the login and create account page, so that I don not have to redirect the user to the Google Sign-in form, but rather redirect the user to my own login form and then forward those data to Google Servers. I would like to do the same exact thing with the register form. In conclusion I need that the user feels she is using the login of my application, but is really using the Google Accounts service.
Here is an example of something I want to do: This webpage uses Google Accounts Service, but the login form, is a custom form that then (I imagine) forwards the data to Google Servers and then logs the user in.
I refer here to that page you are redirected after you login to GAE app with your google account, which asks your permission to access your google account.
Put this toghether with custom domain and https and you get my problem.
Sorry for the lengthiness. I searched everywhere. Didn't find anything. Not sure it is an OAuth issue (think not).
My configuration:
developed myapp.appspot.com
configured custom domain myapp.mydomain.com to point to myapp
myapp is making use of GAE login service
need for https posts from custom domain (!), solved as follows:
page is loaded in HTTP from http://myapp.mydomain.com
some submit HTTPS URLs are hardcoded in the page, as https://myapp.appspot.com/someservice
same domain policy resolved server side by means of http headers
GAE login service applies both to http://myapp.mydomain.com handler AND https://myapp.appspot.com/someservice handler
The workflow is:
user not yet authenticated
user browse http://myapp.mydomain.com (not ssl)
user is redirected to google account login page
user logins
user is redirected to the abovementioned page: myapp is requesting permission to access user's google account
user grants his permission
user is in - OK
Now comes the problem:
user makes a submit to https://myapp.appspot.com/someservice (so that data is ssl transmitted), which is loginrequired decorated
login is ok, user is not again redirected to the login page,
I think this is because the google login is cross application (the same should appen if the user was already logged in into gmail, to say)
but now https://myapp.appspot.com/ is again requesting permission to access user's google account - and this is the problem
The user is prompted TWICE to grant permission to myapp to access his account:
once when he browse to http://myapp.mydomain.com
and another one when he submits data to https://myapp.appspot.com/someservice
My user doesn't like it and me too !!!
I suspect this is because the user answer (Allow or No Thanks) is saved server side with respect to the URL of the app
and not with respect to some other unique id of the app.
But I have no idea how to solve it or at least work it around.
Thank you for your patience in reading up to here.
Any help would be appreciated.
The cookie that is issued for the user's session is per-domain and per-protocol. As a result, the same session won't work on the appspot app and on your custom domain. This isn't an App Engine limitation - it's simply how HTTP works.
The best solution, currently, is to put the form itself on HTTPS as well (which is in general a good idea anyway).