I have implemented OAuth using GitHub on my web app, so when I log in using GitHub I get logged in successfully. I wanted to know how to implement logout so that I get logged out of the web app.
When the user visits www.localhost:3000/login and clicks login/signup with GitHub, the user gets redirected to the GitHub login page, logs in with his/her GitHub account and gets redirected to localhost:3000/homepage.
I send a cookie from the server side for session purposes and also get a cookie from GitHub (don't know why).
When I clear cookies from localhost:3000, visit localhost:3000/login and hit the login with GitHub button, I get logged in with the previously signed-in user account automatically. However, when I clear all cookies from www.github.com and do the same, this time it prompts the user to log in with the GitHub account again.
I have not used any external library like passport.js for OAuth and also I don't want to use any.
So how do I implement a logout that also logs out of the GitHub OAuth session?
What you want is "single log-out" whereby logging out from your application also logs out from GitHub. But the relevant specification has been finalized only in September 2022 and I could not find any mention of it at docs.github.com. Perhaps this is also not desired, since GitHub sessions are long-lasting: Revisiting github.com with the same browser after a few days does not require a re-logon.
But as an alternative to logging out from GitHub upon logout from your application, you could require a renewed consent upon re-login to your application. If you have already been logged in once to your application via GitHub and then visit
https://github.com/login/oauth/authorize?scope=user:email&client_id=...
you are re-logged in silently. But if you visit
https://github.com/login/oauth/authorize?scope=user:email&client_id=...&prompt=consent
instead, the GitHub consent screen re-appears. (The parameter prompt=consent is not documented on docs.github.com, but is explained here.)
Perhaps that is sufficient to satisfy your requirement.
Related
I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user has previously signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage, using that to get the account that was used, and then calling login on the msal instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS, which I use to set some internal state about the logged-in user.
I have tried using MsalAuthenticationTemplate, but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoke the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid, which is not possible because I use B2C.
If I don't do anything, the user can click the login button, and if the user has a valid cookie with B2C the user is logged in without providing credentials, which is a strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please check out the msal-react samples, which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this, and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
I am developing a website like Heroku. I am confused about what I should do with the GitHub OAuth part. When you want to register and log in to Heroku, you cannot use OAuth (login/register using GitHub).
But after login you can create an app. Now one of your options for uploading your code to Heroku is to connect your Heroku account to your GitHub account.
My problem
When the user is logged in, how can I redirect the user to another page, and after authentication (GitHub OAuth) how can I detect that this user previously logged in and does not need to re-login?
Exactly what Heroku does.
I cannot understand how I can send extra data to the GitHub OAuth login page and retrieve it back in the callback URL to detect which user is logged in now and save his/her access_token & refresh_token in the database.
Note that I use expressjs, express-session, sequelize and ejs.
GitHub, like all OAuth based APIs, requires that each request to the API made on behalf of a user is authenticated with an access_token. If you don't pass an access_token alongside your request, the request will fail with a 401 Unauthorized status code.
There's no way to ask GitHub if a random user has accepted your app. It's not something implemented in the OAuth framework, as it could lead to a security flaw. So it's your responsibility as the application's owner to record which user has authorized your app.
With this in mind, let's try to sum up the different steps that Heroku had to achieve to display this "Connected" status under the GitHub logo.
When you signed up on Heroku, the status of the GitHub integration was "not_connected". If you visited the settings page, you would see a "Connect to GitHub" button.
At some point, in the Heroku dashboard, you clicked on the "Connect to GitHub" button and authorized Heroku's app for GitHub. This is where you were redirected to the callback_url.
At that particular time, while you were on the callback_url page, Heroku recorded in its database the new status of the GitHub integration for your account. It was set to "connected". Heroku probably saved the access_token and refresh_token alongside it.
Every time that you visit the settings page of your app, Heroku can render that you are connected because it has the status in its database.
(optional) When Heroku performs requests to the GitHub API using your access_token it can confirm that the connection is still live. If ever the request failed with a 401 Unauthorized, Heroku can update its database and reset your GitHub integration status to "not_connected".
This works like this for the GitHub API, as well as for any other OAuth-based API. If you plan to integrate with several APIs, I highly recommend you use an API Integrations Manager, such as Pizzly. It will help you focus on the business logic ("is my user connected or not?") and totally handle the OAuth process for you.
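The status lifecycle the answer walks through (not_connected, then connected on the callback, then reset on a 401), as an added example that is neither the answer's nor Heroku's code. It also covers the question's "which user is this?" point: on the callback URL the app's own express-session already identifies the user, so the tokens are stored against that user id. An in-memory Map stands in for the sequelize table; the names (integrations, recordConnection, githubRequest) and the injected doRequest function are assumptions.

```javascript
// Assumed stand-in for a sequelize table: userId -> { status, accessToken, refreshToken }.
const integrations = new Map();

function getIntegration(userId) {
  return integrations.get(userId) || { status: "not_connected", accessToken: null, refreshToken: null };
}

// Step 3 of the answer: on the callback URL the browser still carries the
// app's own session cookie, so session.userId tells us which app user just
// authorized GitHub. The state echoed by GitHub must equal the one saved in
// the session when the "Connect to GitHub" redirect was started.
function recordConnection(session, query, tokens) {
  if (!session.userId) throw new Error("no logged-in app user in session");
  if (!session.oauthState || query.state !== session.oauthState) {
    throw new Error("state mismatch on callback");
  }
  session.oauthState = null; // single use
  integrations.set(session.userId, {
    status: "connected",
    accessToken: tokens.access_token,
    refreshToken: tokens.refresh_token || null,
  });
  return getIntegration(session.userId).status;
}

// Step 5 (optional) of the answer: call GitHub with the stored token; a 401
// means the authorization is gone, so the row is reset to "not_connected".
// doRequest(token) is injected and returns { status, body } synchronously so
// the example runs offline; a real caller would pass a wrapper around fetch.
function githubRequest(userId, doRequest) {
  const integ = getIntegration(userId);
  if (integ.status !== "connected") return { status: 0, body: null, connected: false };
  const res = doRequest(integ.accessToken);
  if (res.status === 401) {
    integrations.set(userId, { status: "not_connected", accessToken: null, refreshToken: null });
    return { ...res, connected: false };
  }
  return { ...res, connected: true };
}
```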
I'm using the Kentor/SampleOwinApplication and I can successfully sign in and out from my Idp. Now I've made some tests with revoked users in the Asp.Net database. After successful federation signin and back into ExternalLoginCallback, SignInManager.ExternalSignInAsync returns LockedOut and I land on the revoke page.
The problem is I'm not signed in for Asp.Net but I still am for my Idp, so if I try to log in again, I'm considered already signed in and am redirected instantly back to my service without the chance to try to log in with another user.
I understand I would need to log out from my IDP when in the LockedOut status but it seems hard to do with Kentor because specifically I'm not signed in on the Asp.net site!
Interesting border case!
What you should do is, when in the ExternalLoginCallback you find out that you are locked out, kick off a federated logout by initiating a logout with the external identity as an argument. That will redirect the user to the Idp and invalidate the Idp session.
Note that this might have side effects if the user is already logged in to other services from the same Idp. Those other services will be logged out too.
I've scoured the api docs, as well as StackOverflow, and I've yet to find the answer to my question. And it is possible I'm misunderstanding how the system works.
Here's the scenario our client wants:
User logs into our website
At which point we authenticate the user in our system, and with One Login via the API.
After the user logs into our dashboard, they can click a link and be redirected to their third-party analytics app, due to the fact that I've created a new session with One Login.
Here are the steps I've completed.
I've successfully received an access token via --> https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens
I've successfully used the access token to generate a session login token via --> https://developers.onelogin.com/api-docs/1/users/create-session-login-token
I've successfully used the session login token to create a new session.
I'm receiving the proper cookies from One Login after making the create new session request, and - at that point - if I enter the URL onelogin.com/login, I am taken directly to the dashboard.
At this point I know I'm properly authenticated with One Login. However, I'm not sure how to directly access a third party app from a link on our website.
Thanks.
Two ways:
If the app supports SP-initiated SAML, just navigate the user to the application and it'll do the whole SAML flow: the app redirects to OneLogin, OL authenticates the user (because you have a session), and then redirects the SAML response to the app.
Use the launch endpoint. You can create a URL to an app by using this format: https://app.onelogin.com/launch/{app-id}. For example, you can provide a link to an app like this:
Time Reporting (a link whose target is https://app.onelogin.com/launch/{app-id})
Details on that endpoint can be found here: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user
Take note that you're probably going to want to use the optional flag that makes sure to redirect to your login page, not OL's, if you've built a login facade.
I'm trying to post to my company page directly from my server, but I have a hard time understanding how the authentication works. All examples and the documentation seem to require you to have a callback where the "visitor" is prompted with a form to confirm the access. But in my case, my app is supposed to only post to my company page and I didn't plan on building a GUI at all.
I have setup the Client Id and Client Secret in the Linkedin developer section.
Even though you are the only one that's going to use the app, you still need to execute the OAuth flow and therefore authorize your own app to use your account. You can use Grant for that.
Another thing to note is how LinkedIn handles scopes. They changed how the permissions work earlier this year, so for certain permission you'll have to submit your app for approval.
Lastly LinkedIn doesn't give you a refresh_token so in order to refresh your access_token once it expires you'll have to use a similar hack as the one I described here for Facebook.