I have an Azure Web App where I allow users to choose authentication method (provider) to create and later sign in to the solution: UserName (EMail) + Password, FB, Google or Microsoft (MS).
I have now opened up for users that initially chose Username + Password (to create a user and sign in) to select FB, Google or MS instead when they sign in to the solution - provided that the EMail is a registered user from that provider. For example, a user with email mrsmith#gmail.com originally created a user on the app with email and password, but he is now using Google as the authentication mechanism to sign in to the app (this works since the email is an authenticated email/user on Google).
Is this a bad practice? Does it open up any security issues? Thanks in advance for any thoughts.
We have the below requirement:
We are creating B2C users (with a random password) using the Graph API from our Asp.Net Core Web API.
We want to send a welcome email to the user along with a link so that the user can directly launch the "Password Reset" page and then log in to his application after setting the password.
As per my research, the different solutions and their cons:
User logs in and follows the forgot-password journey from login, but that's a bit annoying for new users. How would they know that they have to follow the forgot-password journey on their 1st login?
Implement a "Forced to reset password on 1st login" policy - but for this policy, the user should know his initial password.
Using the REST API - we can't use the REST API in a custom policy as we are creating the user using the Graph API.
Is there any better way to send an email to the user on creation (using the Graph API)?
Any help is much appreciated.
Thanks in advance,
Anu
You can send out an "invite" link via email after creating the account via the Graph API which, when the user opens it from their inbox, they can use to set a new password at AAD B2C; they are immediately logged in to the app once completed (or you can do other things in the journey if you like).
This uses the id_token_hint concept demonstrated here.
I am struggling to get my head around how to implement a custom policy for the following flow:
User lands on the login page and that login page only contains an email input.
User enters email address and clicks continue
  if user has already registered
    Redirected to their selected login provider (Google, Microsoft Account or Local Account)
  if user has not registered before
    Check Google provider if a user account exists for that email address
      if Google account exists
        Redirect to Google login
    Check Microsoft provider if a user account exists for that email address
      if Microsoft account exists
        Redirect to Microsoft login
    else
      Redirect to registration screen
        User completes registration screen
        User is automatically logged in
The user
I've investigated whether this can in fact be done and I've found a "digital workspace for visual collaboration" (a.k.a. Mural.co) that does in fact implement a similar flow, so this has to be possible. See the pictures below.
I'm, however, unable to find information on
how to query the social providers for account existence
how to go about creating this complex type of flow in Azure AD B2C custom policies.
Any pointers in the right direction would be greatly appreciated.
Not possible. Nobody would allow you to probe a social IdP for an email. Data protection etc.
Reference our samples and wiki
Your sign up would be from our default sign up journey.
Your sign in flow could work like this:
Request for email
Read the directory to see if an email exists
If the email exists, send the user to the IdP they used to sign up. You can do that by looking at the "issuers" registered on the userIdentity object.
If email doesn’t exist, send the user to the combined sign in and sign up page (technical profile) where they can sign in with social or sign up with a local account. Hide the sign in elements with CSS.
I have created an Azure app. After being granted by the user (once in a lifetime), it fetches the user's Outlook mailbox data with the help of an accessToken. The Microsoft account is part of my org, which uses SSO. So, if I am pre-logged-in via SSO in the browser, how can I get rid of the unnecessary login screen, which comes pre-populated with my email id, where I only have to click to choose the user account?
How could I remove that login screen from this flow?
You can specify login_hint=user#domain.com with the username in the authorization URL to tell AAD which account the user should use. If they are already signed in, it won't prompt the user to select the account.
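Added example (not from the answer above): a Python helper that builds the v2.0 authorize request with login_hint, and optionally prompt=none for a fully silent SSO attempt; the tenant, client ID, redirect URI and the Mail.Read scope are assumed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def pkce_pair() -> Tuple[str, str]:
    # RFC 7636: the verifier stays with the client, the S256 challenge goes in the request.
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        login_hint: Optional[str] = None,
                        silent: bool = False) -> Dict[str, str]:
    """Authorization-code request for the Microsoft identity platform v2.0 endpoint.

    Returns the URL plus the per-request values (state, nonce, PKCE verifier)
    that the caller must store and check when the redirect comes back.
    """
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        # Mail.Read is an assumed scope for the mailbox-reading app in the question.
        "scope": "openid profile offline_access https://graph.microsoft.com/Mail.Read",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if login_hint:
        # Pre-selects this account, so an existing SSO session skips the account picker.
        params["login_hint"] = login_hint
    if silent:
        # prompt=none never shows UI: with no usable session AAD returns an error
        # (e.g. login_required) to redirect_uri and the app must fall back to an
        # interactive request.
        params["prompt"] = "none"
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"
    return {"url": url, "state": state, "nonce": nonce, "code_verifier": verifier}


def callback_state_ok(stored_state: str, returned_state: str) -> bool:
    # Constant-time comparison of the state echoed back on redirect_uri (CSRF guard).
    return secrets.compare_digest(stored_state, returned_state)
```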
I saw on the Azure Portal that we can enable authentication using the Facebook, Google, Twitter and Microsoft authentication providers, but there is no option to allow users to use their email and a chosen password.
How can I allow these 3 options (remembering that the user can link the chosen email and password to a Facebook account for instance)?
The question is specific to Gmail business/educational accounts. In order to read emails from a Gmail account I have written a DLL in C++ which executes IMAP commands and then parses their responses. With the current IMAP implementation I need to log in to each user's mailbox with his username and password information. So I was wondering if there is any option in Gmail business with which I can log in to multiple users in a domain with a single admin user's credentials and without the need to get the password from each individual user in the domain?
You could create a Service Account in the Google Developers Console and give it access to the Email scope for the domain. Whenever you want to access a mailbox, you'd obtain an access token (which can be cached for up to an hour) and then use it with the XOAUTH2 SASL for authentication.
https://developers.google.com/gmail/xoauth2_protocol
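Added example (not part of the answer or of Google's documentation): Python showing the XOAUTH2 SASL string from the linked protocol page, authenticating with it through imaplib, handling the error challenge, and minting a delegated token with a service account; the google-auth library, the key file path and the mailbox addresses are assumed.

```python
import base64
import imaplib
import json
from typing import Callable, Dict

GMAIL_SCOPE = "https://mail.google.com/"


def xoauth2_raw(user: str, access_token: str) -> bytes:
    # Initial client response from Google's XOAUTH2 doc:
    #   "user=" <email> ^A "auth=Bearer " <token> ^A ^A      (^A is byte 0x01)
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_b64(user: str, access_token: str) -> str:
    # What goes on the wire after "AUTHENTICATE XOAUTH2 " (e.g. from a hand-rolled IMAP client).
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def parse_xoauth2_error(challenge_b64: bytes) -> Dict[str, str]:
    # A rejected token comes back as a "+" continuation carrying base64 JSON such as
    # {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}; the client
    # must then send an empty line to finish the exchange before retrying.
    return json.loads(base64.b64decode(challenge_b64))


def xoauth2_authobject(user: str, access_token: str) -> Callable[[bytes], bytes]:
    # For imaplib: it base64-decodes each server challenge before calling this and
    # base64-encodes whatever is returned. Empty challenge -> send credentials;
    # non-empty challenge (error JSON) -> send the empty line so AUTHENTICATE fails cleanly.
    return lambda challenge: xoauth2_raw(user, access_token) if not challenge else b""


def delegated_access_token(service_account_file: str, user: str) -> str:
    # Domain-wide delegation: the service account acts as the mailbox owner without that
    # user's password. Assumes the google-auth package and that a Workspace admin granted
    # the service account's client ID the GMAIL_SCOPE under "Domain-wide delegation".
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account
    creds = service_account.Credentials.from_service_account_file(
        service_account_file, scopes=[GMAIL_SCOPE]).with_subject(user)
    creds.refresh(Request())
    return creds.token  # good for about an hour; cache per user rather than re-minting


def open_mailbox(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    imap = imaplib.IMAP4_SSL("imap.gmail.com")
    imap.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))  # raises on failure
    return imap
```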